Preventing Frame Injection
There are two available mitigations for frame injection vulnerabilities:
■ If there is no requirement for the application’s different frames to intercommunicate, remove frame names altogether and make them anonymous. However, because intercommunication is normally required, this option is usually not feasible.
■ Use named frames but make them unique to each session and unpredictable. One possible option is to append the user’s session token to each base frame name, such as main_display.
Request Forgery
This category of attack (also known as session riding) is closely related to session hijacking attacks, in which an attacker captures a user’s session token and so is able to use the application “as” that user. With request forgery, however, the attacker need never actually know the victim’s session token. Rather, the attacker exploits the normal behavior of web browsers in order to hijack a