Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- Date: Sat, 11 Oct 2008 23:55:01 -0500
Bil Corry wrote on 10/11/2008 1:32 AM:
> =============== Knowing The URL ===============
>
> The only way to prevent an attacker from knowing the URL would be to
> randomize it -- basically instead of placing the token/nonce as a
> hidden field (ala anti-CSRF), use it as part of the URL instead.
I created an example site that implements this idea; you can see it here:
http://clicksmack.sinlab.com/
Once you log in, you'll see a button to use for a clickjacking attack. The question I have is: is it possible to perform a clickjacking attack against the site? Or does the random URL spoil the attack?
- Bil
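The scheme quoted above (a per-session nonce carried in the URL rather than in a hidden form field) is simple enough to sketch in code. The following is an added example written for this archive page; it is not Bil's clicksmack site and assumes nothing about how that site is built. It keeps an in-memory session table, issues an unguessable action URL to the logged-in user, binds that URL to the issuing session, and rejects any request whose token does not match (constant-time comparison) or that reuses a token already spent. All names (Session, login, issue_action_url, handle_request) and the "transfer" action are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> Session.
SESSIONS = {}


@dataclass
class Session:
    user: str
    # action name -> outstanding nonce for that action (single use)
    action_nonces: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and return its id (would normally go in a cookie)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid


def issue_action_url(sid: str, action: str) -> str:
    """Mint a fresh random URL for one action, tied to this session.

    This is the 'token in the URL instead of a hidden field' idea from the
    thread: the path itself is the secret, so the page's URL cannot be
    predicted by someone who has not seen it.
    """
    sess = SESSIONS[sid]
    nonce = secrets.token_urlsafe(32)          # 256 bits, unguessable
    sess.action_nonces[action] = nonce
    return f"/{action}/{nonce}"


def handle_request(sid: str, path: str):
    """Server-side check for a request to /<action>/<nonce>.

    Returns (http_status, body). The nonce must belong to *this* session,
    match exactly, and not have been used before.
    """
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "not logged in"
    parts = path.strip("/").split("/")
    if len(parts) != 2:
        return 404, "no such page"
    action, nonce = parts
    expected = sess.action_nonces.get(action)
    # compare_digest avoids leaking how many leading characters matched
    if expected is None or not hmac.compare_digest(expected, nonce):
        return 403, "bad or missing action token"
    # Single use: spend the nonce so a replay of the same URL fails.
    del sess.action_nonces[action]
    return 200, f"{action} performed for {sess.user}"


if __name__ == "__main__":
    sid = login("alice")
    url = issue_action_url(sid, "transfer")
    print(url, handle_request(sid, url))              # (200, ...)
    print(handle_request(sid, url))                   # (403, ...) replay
    print(handle_request(sid, "/transfer/guess"))     # (403, ...) wrong token
```

Two points a reviewer of such a design would raise, independent of the thread's open question. First, a secret in the URL leaks through channels a hidden field does not: browser history, server and proxy logs, and the Referer header of any outbound link on the page, so binding the token to the session and spending it on first use (as above) limits the damage if it does leak. Second, the scheme only protects a URL the attacker cannot obtain in advance; it says nothing about whether the page can be rendered inside a third-party frame, which is the property clickjacking actually abuses, so it is a complement to, not a substitute for, frame-level controls on the framed page.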
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org