RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- From: "Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- Date: Mon, 6 Oct 2008 17:06:29 +0100
> So this brings me to one of my biggest
> gripes and complaints about our community...
First off, I'm not sure there is any one thing that you could refer to
as a community. I would strongly suspect that the cross section of
people subscribed to the list ranges from career criminals to career
professionals, and everything in between. The only common aspect is
that we're all interested in web app sec.
Many of us aren't sitting on our wobbly corporate arses. We are
diligently working away to help organisations fix their problems at
source; in the applications. But sometimes, as in this case, all you
can do in the app is tinker at the edges. The clickjacking issue is a
semantic one; it is an artefact of the technology (as currently
implemented), and like key logging etc, it isn't going to go away in a
hurry. You can look at compensating controls, but these often just
up-the-game, rather than fixing the root issue.
So what is the solution? The original google team posting has a few
suggestions, some of which are reasonably practical. Most require the
browser vendors to be involved though; the root of the issue.
In the meantime, we can always have a shot at selling a few WAFs
though. Maybe a WAF yard sale?
Martin...
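As an added illustration, not part of Martin's post or anything from the thread, here is what "tinkering at the edges" in the application looks like in practice: a response-header compensating control against framing. The code assumes a WSGI application and uses the real X-Frame-Options and Content-Security-Policy frame-ancestors headers (neither is mentioned in the post; both postdate or are contemporary with it). It wraps an app so every response carries both headers, and includes a small assessor that tells you which protection a given set of response headers actually provides.

```python
# Added example: application-side anti-framing headers as a compensating
# control against clickjacking. Assumes a WSGI app; the demo app, request
# and expected classifications below are constructed for illustration.
from wsgiref.util import setup_testing_defaults

# Both headers are set: X-Frame-Options for older browsers that only know
# that header, CSP frame-ancestors for browsers that honour CSP level 2+.
ANTI_FRAMING_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


def anti_framing_middleware(app):
    """Wrap a WSGI app so every response carries the anti-framing headers."""
    managed = {name.lower() for name, _ in ANTI_FRAMING_HEADERS}

    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Remove any copy the app set itself so the policy is authoritative,
            # then append ours. Other headers pass through untouched.
            kept = [(n, v) for n, v in headers if n.lower() not in managed]
            return start_response(status, kept + ANTI_FRAMING_HEADERS, exc_info)

        return app(environ, patched_start_response)

    return wrapped


def assess_framing_protection(headers):
    """Classify a response's framing protection from its header list.

    Returns one of: "csp+xfo", "csp-only", "xfo-only", "unprotected".
    """
    xfo_value = None
    csp_frame_ancestors = None
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            xfo_value = value.strip().upper()
        elif lname == "content-security-policy":
            # CSP is a ';'-separated list of directives; only frame-ancestors
            # has any bearing on framing.
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    csp_frame_ancestors = " ".join(parts[1:])
    has_xfo = xfo_value in ("DENY", "SAMEORIGIN")
    has_csp = csp_frame_ancestors is not None
    if has_xfo and has_csp:
        return "csp+xfo"
    if has_csp:
        return "csp-only"
    if has_xfo:
        return "xfo-only"
    return "unprotected"


def demo_app(environ, start_response):
    """Constructed stand-in for an application that sets no framing policy."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body><button>Confirm transfer</button></body></html>"]


def run_request(app, path="/"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def compare_bare_and_wrapped():
    """Return the classification before and after applying the middleware."""
    _, bare_headers, _ = run_request(demo_app)
    _, wrapped_headers, _ = run_request(anti_framing_middleware(demo_app))
    return assess_framing_protection(bare_headers), assess_framing_protection(wrapped_headers)


if __name__ == "__main__":
    print(compare_bare_and_wrapped())
```

The assessor exists because this is a control you should verify in responses rather than assume from configuration: a reverse proxy, a framework default or the app itself can strip or override the headers. It also makes the post's caveat concrete. Both headers are only honoured by browsers that implement them, so this raises the bar at the application edge but does not change what an older or non-compliant browser will do, which is the part only the vendors can fix.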
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org