Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack

[Stephen de Vries <stephen@xxxxxxxxxxxxxxxxxx>]

Hi Rafal,


> On Oct 6, 2008, at 4:41 PM, Rafal @ IsHackingYou wrote:


Have you registered IsProtectingYou.com ?  ;)

> <rant>
>   So this brings me to one of my biggest gripes and complaints about  
> our community.  We're so damn good at telling people (developers,  
> and anyone who will listen) about how great we are at breaking  
> technologies.  We've been dubbed as an industry (IT Security) that  
> "breaks stuff" but the obvious part missing is what to do about all  
> this breakage.

Yeah, it's a good point and I think you're right to a degree.  But  
there are many freely available online resources that help developers  
and architects build secure applications.  Just some that spring to  
mind:
- The OWASP Guide project
- The OWASP ESAPI, Java, .NET and PHP projects (and numerous other  
OWASP projects)
- The US' "Build Security In" project
- CERT's secure coding standards
- Microsoft's "Improving Web Application Security: Threats and  
Countermeasures"

IMO attacks receive more attention because they're at the forefront of  
security research.  No one's going to defend against an attack that  
doesn't exist yet.

>  In response, products like WAFs have sprung up simply because we  
> haven't offered a better alternative, and people are scared.  Then  
> we complain about how broken WAFs are, how they don't stop anything  
> and how no reasonable human being should use WAFs... but what  
> alternative are we offering up?  Let me correct that, what  
> REASONABLE alternative are we/have we been offering up?

See above.  One of the problems is that the solution isn't a product  
that you can buy and install.  It's a process you should adopt - so  
it's a trickier sell for security companies used to shifting software.
IMO the biggest and best bang-for-buck security measure is for the  
architects and developers to read something like the OWASP Guide and  
then compile a security standard (a set of security requirements) for  
their web application (or for all their organisation's web  
applications).  The vast majority of security vulnerabilities in sites  
I've tested are basic security issues which could simply have been  
stated in a requirements document.  If the architects knew what the  
security requirements were during design and if the developers  
implemented those requirements in the code and then the testers tested  
for those requirements during testing - they'd be well on their way to  
developing a secure app that didn't even involve any security  
specialists ;)
The current problem with insecure apps is mostly just a lack of  
communication.

regards,
Stephen

> --------------------------------------------------
> From: "Sebastian Schinzel" <sebastian.schinzel@xxxxxxxxxxxxxxx>
> Sent: Monday, October 06, 2008 1:26 AM
> To: <bugtraq@xxxxxxxxxxxxxxx>
> Cc: <websecurity@xxxxxxxxxxxxx>
> Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on  
> ClickJacking attack
>
> > Hi Robert,
> >
> > bugtraq@xxxxxxxxxxxxxxx schrieb:
> > > I've just published an interview with Jeremiah grossman on  
> > > ClickJacking.
> > > Looks as though CSRF token based protections may not be as safe as  
> > > we
> > thought...
> >
> > Thanks for the interview!
> >
> > In the article you write:
> > "Does this break protections for flaws such as Cross-Site Request  
> > Forgery?
> > Yes. Clickjacking has the potential of breaking CSRF token-based
> > protections."
> >
> > It is clear to me that token-based protections were never  
> > "academically
> > strong", but they were efficient in terms of cost-benefit for CSRF
> > protection.
> >
> > If token-based protections may be busted soon, what protections  
> > should
> > now be used in today's productive Web applications to prevent CSRF
> > vulnerabilities?
> >
> > Regards,
> > Sebastian
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS  
> Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA