RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- Date: Mon, 6 Oct 2008 11:37:40 -0400
Clickjacking is not hampered at all by token-based CSRF protections. The
user is actually clicking on the "Transfer Funds" button, then the
"Confirm" button on the resulting page. To stop that would mean to
prevent the functionality from working at all. Framebusting across
current and legacy browsers is the only difficulty here. Here is some
code from Giorgio Maone:

> // Allow framing only by a page on our own host; a cross-origin parent makes
> // reading top.location throw, which lands in the catch block as well.
> try { if (top.location.host != self.location.host) throw "x"; }
> // location.protocol already ends in ":", so only "//" is appended.
> catch(e) { window.open(location.protocol + "//" + location.host, "_top") }

Clever code, not sure what the legacy support is but it doesn't look to
utilize anything new enough to cause problems.

Arshan
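As an added illustration (not code from the thread or from Giorgio Maone), the same host check rewritten as a function over an injected window-like object so it can be exercised outside a browser. The `navigate` callback is a hypothetical stand-in for `window.open(url, "_top")`, and the fixture windows are constructed for the demo.

```javascript
// Added example, not from the thread: Maone's framebusting check as a pure
// function over an injected window-like object (win). In a real page it
// would run early in <head> as frameBust(window, url => window.open(url, "_top")).

function isFramedByOtherHost(win) {
  try {
    // A top window on our own host is tolerated, as in the list snippet.
    return win.top.location.host !== win.self.location.host;
  } catch (e) {
    // Browsers deny reading top.location across origins; the snippet
    // treats that exception itself as proof of a hostile frame.
    return true;
  }
}

// navigate is a hypothetical callback standing in for window.open(url, "_top").
function frameBust(win, navigate) {
  if (!isFramedByOtherHost(win)) return false;
  // location.protocol already ends in a colon ("https:"), so only "//" is
  // appended; the list snippet's "://" would build "https:://host".
  navigate(win.location.protocol + "//" + win.location.host);
  return true;
}

// Constructed fixture: top is either readable or throws on access.
function fakeWindow(selfHost, topHost, topThrows) {
  const loc = { protocol: "https:", host: selfHost };
  const top = topThrows
    ? { get location() { throw new Error("Permission denied"); } }
    : { location: { protocol: "https:", host: topHost } };
  return { location: loc, self: { location: loc }, top: top };
}

// Runs the three cases that matter and records what each would navigate to.
function demo() {
  const cases = {
    topLevel: fakeWindow("bank.example", "bank.example", false),
    readableForeignTop: fakeWindow("bank.example", "framer.example", false),
    crossOriginFrame: fakeWindow("bank.example", "framer.example", true),
  };
  const results = {};
  for (const name of Object.keys(cases)) {
    const targets = [];
    const busted = frameBust(cases[name], (url) => targets.push(url));
    results[name] = { busted, targets };
  }
  return results;
}
```

The cross-origin case is the one that matters in practice: the check succeeds not because the foreign host is read, but because the read is refused.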
________________________________
From: Guy Aharonovsky [mailto:guy@jajah.com]
Sent: Mon 10/6/2008 6:23 AM
To: Sebastian Schinzel; bugtraq@cgisecurity.net
Cc: websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
Hi Sebastian,
Token based protection in conjunction with framebusting might just work.
Best,
Guy
Call me free at: http://jajah.com/guy
Visit me at: http://guya.net & http://jajahdevblog.com/guy
-----Original Message-----
From: Sebastian Schinzel [mailto:sebastian.schinzel@virtualforge.de]
Sent: Monday, October 06, 2008 8:26 AM
To: bugtraq@cgisecurity.net
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
Hi Robert,
bugtraq@cgisecurity.net schrieb:
> I've just published an interview with Jeremiah Grossman on ClickJacking.
> Looks as though CSRF token based protections may not be as safe as we
> thought...
Thanks for the interview!
In the article you write:
"Does this break protections for flaws such as Cross-Site Request Forgery?
Yes. Clickjacking has the potential of breaking CSRF token-based
protections."
It is clear to me that token-based protections were never "academically
strong", but they were efficient in terms of cost-benefit for CSRF
protection.
If token-based protections may be busted soon, what protections should
now be used in today's productive Web applications to prevent CSRF
vulnerabilities?
Regards,
Sebastian
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org