
Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack



I think Sebastian nailed it right square on the head. This is a point I have spoken to some of you about before, and I know Marcin (of TS-SCI fame) and I have now discussed at length - there are many, many papers and research topics, talks published about *offensive* measures. Sadly, while we talk about hundreds of ways of breaking various once-thought-secure technologies we have simply NOT been talking about how to fix those technologies again. Obviously we will have a whole new world of CSRF attacks opening up to the "bad guys" once this hits public domain - of course the problem here is this: We haven't yet discussed what successful mitigations are ahead of the onslaught of "how to break X".

<rant>
So this brings me to one of my biggest gripes and complaints about our community. We're so damn good at telling people (developers, and anyone who will listen) about how great we are at breaking technologies. We've been dubbed as an industry (IT Security) that "breaks stuff" but the obvious part missing is what to do about all this breakage. In response, products like WAFs have sprung up simply because we haven't offered a better alternative, and people are scared. Then we complain about how broken WAFs are, how they don't stop anything and how no reasonable human being should use WAFs... but what alternative are we offering up? Let me correct that, what REASONABLE alternative are we/have we been offering up? I've yet to hear anything intelligent on this topic from the big dogs, the heavyweights... I'm not poo-poo'ing our own, believe me I think we are making tremendous strides but we need to step up, and offer solutions. Real ones. Ones companies on a budget, and playing the "what's the least I can do" game can get behind. We need to stop being the fear-mongers and become the "fix it" people. Well, someone had to say it.
</rant>


__
Rafal M. Los
IT Security - Response | Mitigation | Strategy

E-mail:  rafal|at|ishackingyou|dot|com
- gPGP:      0xFFC63B33
- Blog:         http://preachsecurity.blogspot.com
- LinkedIn:  http://www.linkedin.com/in/rmlos

--------------------------------------------------
From: "Sebastian Schinzel" <sebastian.schinzel@xxxxxxxxxxxxxxx>
Sent: Monday, October 06, 2008 1:26 AM
To: <bugtraq@xxxxxxxxxxxxxxx>
Cc: <websecurity@xxxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack


Hi Robert,

bugtraq@xxxxxxxxxxxxxxx wrote:
I've just published an interview with Jeremiah grossman on ClickJacking.
Looks as though CSRF token based protections may not be as safe as we
thought...

Thanks for the interview!

In the article you write:
"Does this break protections for flaws such as Cross-Site Request Forgery?
Yes. Clickjacking has the potential of breaking CSRF token-based
protections."

It is clear to me that token-based protections were never "academically
strong", but they were efficient in terms of cost-benefit for CSRF
protection.

If token-based protections may be busted soon, what protections should
now be used in today's productive Web applications to prevent CSRF
vulnerabilities?

Regards,
Sebastian

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
