Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack

[Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>]

Another gotcha exists here as well. Internet Explorer there is  
security=restricted with regards to IFRAMES, which prevents the  
framebusting code from executing, as well as all other JS included on  
the page. So if the clickjacked targeted "button" DOES NOT utilize  
JavaScript, then the attack can still work.

Another possible option is out-of-band confirmation by the user.  
Email, SMS, etc

Regards,

Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/


On Oct 6, 2008, at 3:23 AM, Guy Aharonovsky wrote:

> Hi Sebastian,
>
> Token based protection in conjunction with framebusting might just  
> work.
>
> Best,
> Guy
>
> Call me free at: http://jajah.com/guy
> Visit me at: http://guya.net & http://jajahdevblog.com/guy
>
> -----Original Message-----
> From: Sebastian Schinzel [mailto:sebastian.schinzel@xxxxxxxxxxxxxxx]
> Sent: Monday, October 06, 2008 8:26 AM
> To: bugtraq@xxxxxxxxxxxxxxx
> Cc: websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on  
> ClickJacking attack
>
> Hi Robert,
>
> bugtraq@xxxxxxxxxxxxxxx schrieb:
> > I've just published an interview with Jeremiah grossman on  
> > ClickJacking.
> > Looks as though CSRF token based protections may not be as safe as we
> thought...
>
> Thanks for the interview!
>
> In the article you write:
> "Does this break protections for flaws such as Cross-Site Request  
> Forgery?
> Yes. Clickjacking has the potential of breaking CSRF token-based
> protections."
>
> It is clear to me that token-based protections were never  
> "academically
> strong", but they were efficient in terms of cost-benefit for CSRF
> protection.
>
> If token-based protections may be busted soon, what protections should
> now be used in today's productive Web applications to prevent CSRF
> vulnerabilities?
>
> Regards,
> Sebastian
>
> ---------------------------------------------------------------------- 
> ------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
>
>
> ********************************************************************** 
> ********
>
>  This footnote confirms that this email message has been scanned by  
> Jajah Inc. Mail system for the presence of malicious code, vandals  
> & computer viruses.
>
> ********************************************************************** 
> ********
>
>
>
>
>
> ********************************************************************** 
> ********
>  This footnote confirms that this email message has been scanned by  
> Jajah Inc. Mail system for the presence of malicious code, vandals  
> & computer viruses.
> ********************************************************************** 
> ********
>
>
>
> ---------------------------------------------------------------------- 
> ------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA