RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- From: Guy Aharonovsky <guy@xxxxxxxxx>
- Subject: RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- Date: Mon, 6 Oct 2008 12:23:09 +0200
Hi Sebastian,
Token based protection in conjunction with framebusting might just work.
Best,
Guy
Call me free at: http://jajah.com/guy
Visit me at: http://guya.net & http://jajahdevblog.com/guy
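Guy's combination above (a per-session CSRF token plus a framing defence), as an added example that is not code from anyone in this thread; it assumes a server-side secret and uses the X-Frame-Options and CSP frame-ancestors response headers, which postdate this 2008 discussion and replaced JavaScript framebusting as the standard anti-framing control:

```python
# Added example (not from the thread): a token alone cannot stop a user from
# being tricked into clicking a framed, token-bearing form, so the page that
# carries the token is also told not to render inside a frame.
import hmac
import hashlib
import secrets

# Constructed secret for the demo; a real deployment loads this from config.
SERVER_SECRET = b"demo-secret-do-not-use"

# Headers that instruct browsers not to render this response inside a frame.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def new_session_id() -> str:
    return secrets.token_hex(16)


def csrf_token(session_id: str) -> str:
    """Derive the token from the session id so it cannot be replayed across sessions."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented: str) -> bool:
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(csrf_token(session_id), presented)


def render_form(session_id: str) -> tuple[dict, str]:
    """Return (headers, html) for a state-changing form bound to this session."""
    body = ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{csrf_token(session_id)}">'
            '<button>Confirm</button></form>')
    return dict(ANTI_FRAMING_HEADERS), body


def handle_post(session_id: str, form: dict) -> int:
    """Accept the request only when the submitted token matches the session."""
    if not token_is_valid(session_id, form.get("csrf", "")):
        return 403
    return 200
```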
-----Original Message-----
From: Sebastian Schinzel [mailto:sebastian.schinzel@xxxxxxxxxxxxxxx]
Sent: Monday, October 06, 2008 8:26 AM
To: bugtraq@xxxxxxxxxxxxxxx
Cc: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
Hi Robert,
bugtraq@xxxxxxxxxxxxxxx schrieb:
> I've just published an interview with Jeremiah Grossman on ClickJacking.
> Looks as though CSRF token based protections may not be as safe as we
> thought...
Thanks for the interview!
In the article you write:
"Does this break protections for flaws such as Cross-Site Request Forgery?
Yes. Clickjacking has the potential of breaking CSRF token-based
protections."
It is clear to me that token-based protections were never "academically
strong", but they were efficient in terms of cost-benefit for CSRF
protection.
If token-based protections may be busted soon, what protections should
now be used in today's productive Web applications to prevent CSRF
vulnerabilities?
Regards,
Sebastian
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
******************************************************************************
This footnote confirms that this email message has been scanned by Jajah Inc. Mail system for the presence of malicious code, vandals & computer viruses.
******************************************************************************
Brought to you by http://www.webappsec.org