Cross-Site Scripting (XSS)

Meta-Information XSS (miXSS)

  • Most people trust the data returned from websites that perform a whois lookup, resolve DNS records, or other query services of the same nature. The problem is that these services may not sanitize the data with malicious content before they render the data to you, thus creating a class of XSS.
  • See an illustration: A miXSS Whitepaper

Cross Frame Scripting (XFS)

  • Cross-Frame Scripting (XFS) is client-side attack related to XSS. In an XFS attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame; and then javascript executing in the attacker's page steals data from the third-party page. 
  • XSS vs. XFS: The only difference is that when using an iframe, the attacker can hide the frame off-screen -- so the browser user won't have any idea that he or she just "visited" the attaker's website. When using a redirect to navigate directly to the attaker's website, the browser will display tthe attaker's website's url in the browser's address bar, and the attaker's website's page in the browser's window, so the browser user will be aware that he or she is visiting the attaker's website. 
  • XFS explained 
  • OWASP demo
  • XFS 101