
Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack



Rafal,

Funny, as Jeremiah knows--since he's presented at one, and is about to present at another--the company I work for produces information and conferences dedicated to both sides of this dynamic: Black Hat and CSI.

Some copy re: CSI 2008 in November that may be addressing your gripe:

"At Black Hat last August, it was open season on DNS and BGP. As is often the case, much of coping with these still-menacing issues boils down to effective strategy and management.

Come see how best to handle /that/ critical part of the equation at */CSI 2008/*, taking place November 15-21, 2008 in Washington, D.C. at the Gaylord National Resort."

http://www.csiannual.com/

Phil





Stephen de Vries wrote:

Hi Rafal,


On Oct 6, 2008, at 4:41 PM, Rafal @ IsHackingYou wrote:


Have you registered IsProtectingYou.com ?  ;)

<rant>
So this brings me to one of my biggest gripes and complaints about our community. We're so damn good at telling people (developers, and anyone who will listen) about how great we are at breaking technologies. We've been dubbed as an industry (IT Security) that "breaks stuff" but the obvious part missing is what to do about all this breakage.

Yeah, it's a good point and I think you're right to a degree. But there are many freely available online resources that help developers and architects build secure applications. Just some that spring to mind:
- The OWASP Guide project
- The OWASP ESAPI, Java, .NET and PHP projects (and numerous other OWASP projects)
- The US' "Build Security In" project
- CERT's secure coding standards
- Microsoft's "Improving Web Application Security: Threats and Countermeasures"


IMO attacks receive more attention because they're at the forefront of security research. No one's going to defend against an attack that doesn't exist yet.

In response, products like WAFs have sprung up simply because we haven't offered a better alternative, and people are scared. Then we complain about how broken WAFs are, how they don't stop anything and how no reasonable human being should use WAFs... but what alternative are we offering up? Let me correct that, what REASONABLE alternative are we/have we been offering up?

See above. One of the problems is that the solution isn't a product that you can buy and install. It's a process you should adopt - so it's a trickier sell for security companies used to shifting software.
IMO the biggest and best bang-for-buck security measure is for the architects and developers to read something like the OWASP Guide and then compile a security standard (a set of security requirements) for their web application (or for all their organisation's web applications). The vast majority of security vulnerabilities in sites I've tested are basic security issues which could simply have been stated in a requirements document. If the architects knew what the security requirements were during design and if the developers implemented those requirements in the code and then the testers tested for those requirements during testing - they'd be well on their way to developing a secure app that didn't even involve any security specialists ;)
The current problem with insecure apps is mostly just a lack of communication.


regards,
Stephen

--------------------------------------------------
From: "Sebastian Schinzel" <sebastian.schinzel@xxxxxxxxxxxxxxx>
Sent: Monday, October 06, 2008 1:26 AM
To: <bugtraq@xxxxxxxxxxxxxxx>
Cc: <websecurity@xxxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack


Hi Robert,

bugtraq@xxxxxxxxxxxxxxx schrieb:
I've just published an interview with Jeremiah Grossman on ClickJacking.
Looks as though CSRF token based protections may not be as safe as we
thought...

Thanks for the interview!

In the article you write:
"Does this break protections for flaws such as Cross-Site Request Forgery?
Yes. Clickjacking has the potential of breaking CSRF token-based
protections."


It is clear to me that token-based protections were never "academically
strong", but they were efficient in terms of cost-benefit for CSRF
protection.

If token-based protections may be busted soon, what protections should
now be used in today's productive Web applications to prevent CSRF
vulnerabilities?

Regards,
Sebastian

----------------------------------------------------------------------------

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
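Sebastian's question above (what protection to use if a per-request token can be sidestepped by clickjacking) is the practical point of the thread, so here is an added example, not code from any of the posters. It shows why a token check alone is not the answer: a clickjacked user submits the application's genuine form from inside a hostile frame, so the token the server sees is valid. The control that addresses that is refusing to be framed, which this example does with the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` response headers (neither is mentioned on the page; both postdate the 2008 thread, X-Frame-Options arriving with IE8 in 2009). The secret key, session ids and function names are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed demo secret; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-use"

# Headers that tell a browser not to render this page inside another site's frame.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def make_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token (HMAC over the session id)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    expected = make_csrf_token(session_id).encode()
    return hmac.compare_digest(expected, (submitted or "").encode())


def build_page_response(body: str) -> dict:
    """Any HTML page that carries a state-changing form is served with anti-framing headers."""
    headers = {"Content-Type": "text/html; charset=utf-8", **ANTI_FRAMING_HEADERS}
    return {"status": 200, "headers": headers, "body": body}


def handle_transfer(session_id: str, form: dict) -> dict:
    """State-changing endpoint: the token check still defends against classic CSRF,
    i.e. a forged request that never saw the real form and so carries no valid token."""
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return {"status": 403, "body": "CSRF token invalid"}
    return {"status": 200, "body": f"transferred {form['amount']} to {form['to']}"}


def allows_cross_site_framing(headers: dict) -> bool:
    """Defender's check over a response's headers: could a browser that honours
    them render this page inside a frame on some other site?"""
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            # 'none' and 'self' keep other origins out; '*', scheme sources
            # and explicit hosts let at least one other origin frame the page.
            return any(s == "*" or s.endswith(":") or "." in s for s in sources)
    # No framing policy at all: the page can be framed by anyone.
    return True


if __name__ == "__main__":
    sid = "sess-1"
    page = build_page_response("<form method='post' action='/transfer'>...</form>")
    print("page frameable cross-site:", allows_cross_site_framing(page["headers"]))
    print(handle_transfer(sid, {"csrf_token": make_csrf_token(sid), "amount": "10", "to": "bob"}))
    print(handle_transfer(sid, {"amount": "10", "to": "bob"}))
```

The two mechanisms are complementary rather than alternatives: the token still stops a forged cross-site POST, while the framing headers stop the user's own browser from being steered into submitting the real form. A check like `allows_cross_site_framing` belongs in a response-header test suite so that a page which loses its headers during a refactor is caught before release.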

