[owasp-intrinsic-security] Saved Passwords and Clickjacking

Bil Corry bil at corry.biz
Thu Oct 30 10:07:03 EDT 2008


One danger to Clickjacking is the ability of an attacker to "walk" a victim through the login process when the victim has their username and password saved by the browser, and the browser pre-populates those values for the victim.

I'm thinking there must be a way to still provide the saved password functionality in the browser, yet prevent a Clickjacking attack from exploiting it.  I have a couple of ideas, but wanted to see if anyone knows if this topic has been tackled elsewhere.


- Bil



