Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- From: Achim Hoffmann <ah@xxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- Date: Mon, 6 Oct 2008 19:12:24 +0200 (MEST)
!! .. Obviously we will have a whole new world of CSRF attacks opening up to the "bad guys"
hmm, besides that CSRF has nothing to do with Clickjacking (except that
Clickjacking makes CSRF more dangerous), this attack/threat (Web Trojan aka
CSRF aka Session Riding) has been well described for centuries. You just need to
read the docs published in the last 4 or so years, nothing new at all.
Some of these papers describe most (all?) possible countermeasures. It's done.
<my-rant>
.. deleted, as it is off-topic for now ..
</my-rant>
!! and people are scared. Then we complain about how broken WAFs are, how they
!! don't stop anything and how no reasonable human being should use WAFs... but
!! what alternative are we offering up?
http://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt
https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
(don't blame WAFs, but the people incapable of using them in the right way or
unable to configure them correctly)
!! need to stop being the fear-mongers and become the "fix it" people. Well,
!! someone had to say it."
see links in Stephen's mail and above
{-: Achim
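The point Achim makes in passing, that clickjacking makes CSRF more dangerous even though the two are different attacks, is easiest to see in code. The following is an added example, not from the thread or from any project mentioned in it: an in-process toy model of a browser and a server (hostnames `bank.example` and `attacker.example`, the session store, and the pre-SameSite cookie behaviour are all constructed assumptions). It shows that a synchronizer token, the standard CSRF countermeasure from the papers Achim refers to, rejects a forged cross-site POST, but cannot reject a click on the genuine framed form, because that form carries the genuine token; refusing to be framed (`X-Frame-Options: DENY` / `frame-ancestors 'none'`) is the separate control that closes that gap.

```python
"""Added example, not from the thread: a toy model of why a synchronizer (CSRF)
token stops a forged cross-site request but not a clickjacked click on the
genuine form, and why anti-framing headers are the separate control for that.
The hostnames, the in-process "browser" and "server", and the pre-SameSite
cookie behaviour are all constructed assumptions for the demonstration."""
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS: dict[str, str] = {}  # session cookie value -> that session's CSRF token


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)  # hidden fields of a rendered form


def login() -> str:
    """Create a session and bind a fresh, unguessable token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(16)
    return sid


def server(req: Request, deny_framing: bool) -> Response:
    """Toy handler for bank.example (constructed). GET /transfer renders the
    form carrying the session's token; POST /transfer requires a valid session
    cookie AND a token equal to the one bound to that session."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return Response(401)
    headers = {}
    if deny_framing:  # both the legacy header and its CSP successor
        headers = {"X-Frame-Options": "DENY",
                   "Content-Security-Policy": "frame-ancestors 'none'"}
    if req.method == "GET" and req.path == "/transfer":
        return Response(200, headers, {"csrf": SESSIONS[sid]})
    if req.method == "POST" and req.path == "/transfer":
        if not hmac.compare_digest(req.form.get("csrf", ""), SESSIONS[sid]):
            return Response(403, headers)  # forged or missing token
        return Response(200, headers)      # transfer performed
    return Response(404, headers)


def browser_refuses_frame(page: Response) -> bool:
    """Model of a browser honouring X-Frame-Options / frame-ancestors."""
    if page.headers.get("X-Frame-Options", "").upper() == "DENY":
        return True
    return "frame-ancestors 'none'" in page.headers.get("Content-Security-Policy", "")


def classic_csrf(victim_sid: str, deny_framing: bool) -> str:
    """A page on attacker.example (constructed) auto-submits a POST to
    bank.example. The (pre-SameSite) browser attaches the victim's session
    cookie, but the attacker's page cannot read the token, so it is absent."""
    req = Request("POST", "/transfer", {"session": victim_sid},
                  {"amount": "1000", "to": "attacker"})
    return "transferred" if server(req, deny_framing).status == 200 else "rejected"


def clickjacked_click(victim_sid: str, deny_framing: bool) -> str:
    """attacker.example embeds the genuine /transfer page in a frame and the
    victim is tricked into clicking its real submit button. The browser first
    loads the framed page; if it renders, the click submits the genuine form,
    token included, so the token check passes."""
    page = server(Request("GET", "/transfer", {"session": victim_sid}), deny_framing)
    if page.status != 200 or browser_refuses_frame(page):
        return "frame refused"
    form = dict(page.form, amount="1000", to="attacker")
    req = Request("POST", "/transfer", {"session": victim_sid}, form)
    return "transferred" if server(req, deny_framing).status == 200 else "rejected"


if __name__ == "__main__":
    sid = login()
    print("classic CSRF, token only:      ", classic_csrf(sid, deny_framing=False))
    print("clickjacking, token only:      ", clickjacked_click(sid, deny_framing=False))
    print("clickjacking, token + no-frame:", clickjacked_click(sid, deny_framing=True))
```

Running the block prints `rejected`, `transferred`, `frame refused` in that order: the token alone is sufficient against the forged request and useless against the framed click. In a real deployment the token check and the anti-framing header are both needed (a WAF can inject the header site-wide, which is one of the concrete uses the OWASP links above describe), and modern browsers add `SameSite` cookies as a third layer that this 2008-era model deliberately leaves out.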
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org