[owasp-intrinsic-security] Saved Passwords and Clickjacking
arshan.dabirsiaghi at aspectsecurity.com
Thu Oct 30 10:08:26 EDT 2008
I have not heard much on prevention of this type of danger except in the form of "don't let FF save your passwords!!"
I would guess a simple protection might be to not pre-populate form fields in an <iframe>. For further insurance of not breaking existing apps, you could say the browser can pre-populate if the <iframe> is from the same domain.
Thanks for bringing this up, I think it will serve as a useful topic at the EU Summit next week in Portugal.
From: owasp-intrinsic-security-bounces at lists.owasp.org on behalf of Bil Corry
Sent: Thu 10/30/2008 10:07 AM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] Saved Passwords and Clickjacking
One danger to Clickjacking is the ability of an attacker to "walk" a victim through the login process when the victim has their username and password saved by the browser, and the browser pre-populates those values for the victim.
I'm thinking there must be a way to still provide the saved password functionality in the browser, yet prevent a Clickjacking attack from exploiting it. I have a couple of ideas, but wanted to see if anyone knows if this topic has been tackled elsewhere.
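The policy Arshan sketches in his reply (pre-populate saved credentials only when the login page is top-level, or framed by its own origin) is a browser-side change, but an application can approximate it in its own login page. The following is an added example, not code from either poster or from OWASP: the decision is kept in a pure function so the policy can be tested without a browser, the framer's origin is detected on a best-effort basis, and when the policy refuses prefill the form is hidden so neither a saved password nor a clickable submit button is available to the framing page. The `form#login` selector and the notice text are assumptions for the example.

```javascript
// Added example (not from the thread): application-side approximation of the
// "no prefill in foreign frames" browser policy discussed on the list.

// Pure decision function, testable without a DOM.
//   framed:       whether the login page is inside an <iframe>
//   pageOrigin:   origin of the login page, e.g. "https://example.test"
//   framerOrigin: origin of the embedding page, or null when it cannot be determined
function allowCredentialPrefill(framed, pageOrigin, framerOrigin) {
  if (!framed) return true;            // top-level page: normal behaviour
  if (!framerOrigin) return false;     // framed by an unknown origin: refuse
  return framerOrigin === pageOrigin;  // same-origin frame: allow, as Arshan suggests
}

// Best-effort detection of the embedding origin. Cross-origin access to
// window.top.location.origin throws, so try location.ancestorOrigins (Chromium)
// first, then the same-origin path, then the referrer, and report null if none work.
function detectFramerOrigin(win) {
  const own = win.location.origin;
  const ancestors = win.location.ancestorOrigins;
  if (ancestors && ancestors.length) {
    // Report the first ancestor that is not our own origin, so a foreign frame
    // anywhere in the chain counts as the framer; all-same-origin chains return own.
    for (let i = 0; i < ancestors.length; i++) {
      if (ancestors[i] !== own) return ancestors[i];
    }
    return own;
  }
  try {
    return win.top.location.origin;    // succeeds only for a same-origin top
  } catch (e) {
    // cross-origin parent: fall through to the referrer
  }
  try {
    return win.document.referrer ? new URL(win.document.referrer).origin : null;
  } catch (e) {
    return null;
  }
}

// Apply the decision to a login form. When prefill is not allowed, hide the
// form and show a notice instead, so the framing page gets nothing to overlay.
// Returns the decision so the caller can log or report it.
function guardLoginForm(win, form) {
  const framed = win.self !== win.top;
  const allowed = allowCredentialPrefill(framed, win.location.origin, detectFramerOrigin(win));
  if (!allowed) {
    form.hidden = true;
    const notice = win.document.createElement('p');
    notice.textContent = 'Please open this login page directly to sign in.'; // assumed wording
    form.insertAdjacentElement('beforebegin', notice);
  }
  return allowed;
}

// Wire it up when running in a real page (guarded so the module also loads under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const loginForm = document.querySelector('form#login'); // assumed selector
  if (loginForm) guardLoginForm(window, loginForm);
}
```

Two caveats for anyone deploying something like this: the script has to run before the user can interact with the form (place it in the document after the form markup, not deferred to a late event), and a script-based guard is only an approximation. Hiding the form in a foreign frame amounts to refusing cross-origin framing of the login page, and the same outcome with no dependence on script or on `ancestorOrigins` is obtained by telling the browser not to frame the page at all.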