iFrame Injection (Cross-Frame Scripting)

Severity: Medium
Test name: iFrame Injection
Summary

Frame injection attacks, commonly referred to as clickjacking, rely on inserting or hiding elements within a legitimate website or app. The injected frames are often invisible or disguised as legitimate controls. The goal is to trick users into unknowingly interacting with them, which can have serious consequences, including unauthorized actions, theft of data, or other forms of malicious behavior.

Impact

  • Unauthorized actions
  • Gathering of sensitive information
  • Malware distribution
  • Account takeover

Location

The issue can be found in the following paths:

  • Client-side
  • Server-side

Remedy suggestions

To enhance the security of web applications and counter frame injection attacks, it's advisable to consider the following steps:

  • Input Validation and Sanitization: Implement strong input validation and sanitization techniques. This ensures that data provided by users undergoes proper validation and cleansing before it's displayed or processed. This guards against injecting malicious code or frames into vulnerable parts of the application.
  • Content Security Policy (CSP): Deploy a Content Security Policy that restricts the sources from which content can be loaded on the website. This precaution prevents unauthorized scripts from running or malicious frames from being embedded from untrusted origins.
  • X-Frame-Options Header: Activate the X-Frame-Options header in the server's HTTP response. This action curbs the embedding of your web application within iframes on other websites. It safeguards against clickjacking attacks by disallowing the application's framing without explicit authorization.
  • Frame-Busting Techniques: Integrate frame-busting techniques within your application's code. This prevents the application from loading within iframes. This defense thwarts clickjacking attempts by ensuring the application is always presented in a top-level window.
  • Security Audits and Penetration Testing: Regularly perform security audits and penetration tests. These examinations help detect and rectify vulnerabilities linked to frame injection attacks. Engaging security experts for thorough testing provides insights and recommendations to address any identified issues.
  • User Education: Educate users about the risks associated with interacting with unfamiliar or suspicious elements on websites and apps. Encourage cautious behavior when clicking links or buttons. Urge users to report any unusual activities they come across.
  • Stay Updated with Security Best Practices: Stay current with the latest security practices, guidelines, and industry standards related to web application security. Regularly update and patch all software components within the application stack to resolve known vulnerabilities.
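The header-based and frame-busting remedies above, as an added example that is not part of the original page or of any product's own code. It shows a weak response (no framing controls) next to a hardened one that sets both `Content-Security-Policy: frame-ancestors` and `X-Frame-Options`, a checker that grades a response's headers the way a security audit would, and a legacy frame-busting routine written against an injected window-like object so it can be exercised outside a browser. The function names (`setFramingHeaders`, `assessFramingProtection`, `frameBust`) and the sample header sets are assumptions made for this example.

```javascript
// Added example (not from the original page). Names below are illustrative,
// not the API of any real framework.

// Weak configuration: a typical HTML response with no framing controls at all.
const WEAK_HEADERS = { 'content-type': 'text/html; charset=utf-8' };

// Hardened configuration. CSP-aware browsers honour frame-ancestors and ignore
// X-Frame-Options; older browsers only understand X-Frame-Options, so both
// are set. allowedAncestors is a list of CSP sources such as ["'self'"] or
// ['https://partner.example'] (constructed example origin); empty means 'none'.
function setFramingHeaders(res, allowedAncestors = []) {
  const ancestors = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  res.setHeader('Content-Security-Policy', `frame-ancestors ${ancestors}`);
  // X-Frame-Options only has DENY and SAMEORIGIN as interoperable values
  // (ALLOW-FROM is deprecated), so any explicit origin list falls back to DENY
  // for legacy browsers while CSP grants the real allow-list in modern ones.
  res.setHeader('X-Frame-Options', ancestors === "'self'" ? 'SAMEORIGIN' : 'DENY');
  return res;
}
// Express usage: app.use((req, res, next) => { setFramingHeaders(res); next(); });

// Extract the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).filter(Boolean); // an empty list matches nothing, i.e. 'none'
    }
  }
  return null;
}

// Grade the framing protection of a response from its header map (any key case).
// Returns { protected, mechanism, reason } so an audit script can report findings.
function assessFramingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Only the enforcing CSP header counts; Report-Only never blocks framing.
  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors) {
    const wildcard = ancestors.some((a) => a === '*' || /^https?:$/i.test(a));
    return wildcard
      ? { protected: false, mechanism: 'csp', reason: 'frame-ancestors allows any origin' }
      : { protected: true, mechanism: 'csp', reason: `frame-ancestors ${ancestors.join(' ') || "'none'"}` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, mechanism: 'x-frame-options', reason: xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Modern browsers ignore ALLOW-FROM entirely, so the page is framable.
    return { protected: false, mechanism: 'x-frame-options', reason: 'ALLOW-FROM is ignored by modern browsers' };
  }
  return { protected: false, mechanism: 'none', reason: 'no frame-ancestors or X-Frame-Options header' };
}

// Legacy frame busting. The page's body is hidden by default (CSS) and only
// revealed once the script confirms it is the top-level window; if framed, it
// navigates the top window to itself. This is defense in depth only: it runs
// after the response has been framed and relies on script execution, so the
// headers above remain the primary control.
function frameBust(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location;
    return 'busted';
  }
  win.document.body.style.display = 'block';
  return 'top-level';
}

if (typeof require !== 'undefined' && require.main === module) {
  const res = { headers: {}, setHeader(k, v) { this.headers[k] = v; } };
  setFramingHeaders(res);
  console.log('weak    :', assessFramingProtection(WEAK_HEADERS));
  console.log('hardened:', assessFramingProtection(res.headers));
}
```

The checker deliberately reports which mechanism produced the verdict: a response protected only by `X-Frame-Options` is still a finding worth noting, because it cannot express an allow-list of partner origins without the deprecated `ALLOW-FROM`, whereas `frame-ancestors` can.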

Classifications
  • CWE-601
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

References