
Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack



Hi Robert,

bugtraq@xxxxxxxxxxxxxxx wrote:
> I've just published an interview with Jeremiah Grossman on ClickJacking.
> Looks as though CSRF token based protections may not be as safe as we
> thought...

Thanks for the interview!

In the article you write:
"Does this break protections for flaws such as Cross-Site Request Forgery?
Yes. Clickjacking has the potential of breaking CSRF token-based
protections."

It is clear to me that token-based protections were never "academically
strong", but they were efficient in terms of cost-benefit for CSRF
protection.

If token-based protections may be busted soon, what protections should
now be used in today's productive Web applications to prevent CSRF
vulnerabilities?

Regards,
Sebastian
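To illustrate the point raised above, here is an added example (not part of the original post or the interview) showing why a per-session CSRF token cannot by itself tell a clickjacked submission apart from a genuine one, and which response headers close that gap. The function and header names are assumptions for illustration; the session and form dictionaries stand in for a real framework's request objects.

```python
import hmac
import secrets

# Constructed example: a minimal server-side handler for a state-changing POST.
# The CSRF token check below passes for any submission made from the genuine
# page in the user's own browser, including one the user was tricked into
# clicking inside a hidden frame. Anti-framing headers on the page that serves
# the form are the complementary control.


def issue_csrf_token() -> str:
    """Generate a per-session CSRF token (stored server-side, echoed in forms)."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token) -> bool:
    """Constant-time comparison of the submitted token against the session's."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def anti_framing_headers() -> dict:
    """Headers that stop the page from being rendered inside a third-party frame.

    X-Frame-Options is the legacy header; CSP frame-ancestors supersedes it in
    modern browsers. Sending both gives the widest coverage.
    """
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def handle_state_change(session: dict, form: dict) -> tuple:
    """Process a state-changing POST. Returns (status, headers, body).

    The token check only proves the request originated from our own page in
    this browser; it cannot see whether that page was framed. The headers are
    what prevent the framing in the first place.
    """
    headers = anti_framing_headers()
    if not csrf_token_valid(session.get("csrf"), form.get("csrf")):
        return 403, headers, "CSRF token missing or invalid"
    return 200, headers, "action performed"
```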

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org