[ OWASP - Montreal ] Owasp-montreal Digest, Vol 4, Issue 1
Sergey Vlasov
vlasov01 at gmail.com
Fri Feb 13 13:16:56 EST 2009
I think another option to consider is to use the following Frame
Protection approach (from www.digitalroom.net/javascript/frame.html):
1. Detecting whether or not the page has been loaded within its frameset.
2. Redirecting or reloading the page so that it loads itself within
its intended frameset.
On Fri, Feb 13, 2009 at 12:00 PM,
<owasp-montreal-request at lists.owasp.org> wrote:
> Today's Topics:
>
> 1. [ OWASP - Montreal ] Interesting Clickjacking on Twitter
> today (Sean Coates)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 12 Feb 2009 13:16:46 -0500
> From: Sean Coates <sean at caedmon.net>
> Subject: [ OWASP - Montreal ] Interesting Clickjacking on Twitter
> today
> To: owasp-montreal <owasp-montreal at lists.owasp.org>
> Message-ID: <A6D736AC-D921-4436-A74F-973F8E4F1764 at caedmon.net>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> http://www.umoor.eu/blog/yes-we-can.php
>
> The page loads an iframe that prepopulates the Twitter status form,
> repositions the frame, and makes it transparent (and positions it in
> the z-index above the button). When the user clicks the button,
> they're actually clicking the iframe, which clicks the button ON
> Twitter, bypassing the CSRF protection. Nice (-:
>
> Simplest solution: Twitter shouldn't allow the form to be populated
> from the URL.
>
> Discuss. (-:
>
> S
>
>
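The two steps Sergey outlines (detect framing, then reload at top level) and the transparent-iframe overlay Sean describes, as an added example that is not code from the thread, from Twitter, or from the digitalroom.net page. The check is written over a window-like object so the decision logic can be exercised outside a browser; `makeWindow` and `makeLocation` are constructed stand-ins, and the hostnames `example.test` and `attacker.invalid` are placeholders.

```javascript
// Added example, not code from the thread or from digitalroom.net.
// Frame protection in the spirit of Sergey's two steps:
//   1. detect whether the page is loaded inside a frame,
//   2. if the framer is not ours, reload the page at top level,
//      which removes any transparent overlay a third party placed over it.
// The functions take a window-like object; makeWindow() below constructs
// such objects so the logic can run under Node without a browser.

// Step 1: are we inside somebody's <iframe>?  In browsers, comparing
// top and self is permitted even when the framer is cross-origin.
function isFramed(win) {
  return win.top !== win.self;
}

// Is the framing page on our own origin?  Reading a cross-origin
// top.location.host throws a SecurityError, which we treat as "no".
function framedBySameOrigin(win) {
  try {
    return win.top.location.host === win.self.location.host;
  } catch (e) {
    return false;
  }
}

// Decision: "stay" when top-level or inside our own frameset,
// "break-out" when a third party has framed us.
function frameProtectionAction(win) {
  if (!isFramed(win)) return "stay";
  return framedBySameOrigin(win) ? "stay" : "break-out";
}

// Step 2: navigate the top window to ourselves.  Assigning
// top.location.href is allowed cross-origin; reading it is not.
function applyFrameProtection(win) {
  const action = frameProtectionAction(win);
  if (action === "break-out") {
    win.top.location.href = win.self.location.href;
  }
  return action;
}

// ---- constructed browser stand-ins for offline testing ----

// A Location-like object.  `readable` models the same-origin rule:
// a cross-origin location can be assigned but not inspected.
function makeLocation(href, readable) {
  const url = new URL(href);
  const loc = { assigned: null }; // records what a navigation was set to
  Object.defineProperty(loc, "host", {
    get() {
      if (!readable) throw new Error("SecurityError");
      return url.host;
    },
  });
  Object.defineProperty(loc, "href", {
    get() {
      if (!readable) throw new Error("SecurityError");
      return url.href;
    },
    set(v) { loc.assigned = v; },
  });
  return loc;
}

// A window-like object for a page at ownHref, optionally framed by a
// page at framerHref (omit framerHref for a top-level window).
function makeWindow(ownHref, framerHref) {
  const self = { location: makeLocation(ownHref, true) };
  self.self = self;
  if (framerHref === undefined) {
    self.top = self;
  } else {
    const sameOrigin = new URL(ownHref).origin === new URL(framerHref).origin;
    self.top = { location: makeLocation(framerHref, sameOrigin) };
  }
  return self;
}

// Example: a status-form page (placeholder host) framed by a third-party blog.
const victim = makeWindow("https://example.test/status?text=hello",
                          "https://attacker.invalid/blog.html");
applyFrameProtection(victim); // "break-out": top is sent to the status page
```

Script-based frame protection of this kind has known limitations (a framer can interfere with the script's execution), so it is best treated as defence in depth alongside the server-side controls: the `X-Frame-Options` response header (introduced with IE8 in early 2009) or, in later browsers, a CSP `frame-ancestors` directive, plus Sean's point that a state-changing form should not be prepopulated from URL parameters.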