[owasp-intrinsic-security] Saved Passwords and Clickjacking

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu Oct 30 10:08:26 EDT 2008

I have not heard much on prevention of this type of danger except in the form of "don't let FF save your passwords!!"
I would guess a simple protection might be to not pre-populate form fields in an <iframe>. For further insurance of not breaking existing apps, you could say the browser can pre-populate if the <iframe> is from the same domain.
Thanks for bringing this up, I think it will serve as a useful topic at the EU Summit next week in Portugal.


From: owasp-intrinsic-security-bounces at lists.owasp.org on behalf of Bil Corry
Sent: Thu 10/30/2008 10:07 AM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] Saved Passwords and Clickjacking

One danger to Clickjacking is the ability of an attacker to "walk" a victim through the login process when the victim has their username and password saved by the browser, and the browser pre-populates those values for the victim.

I'm thinking there must be a way to still provide the saved password functionality in the browser, yet prevent a Clickjacking attack from exploiting it.  I have a couple of ideas, but wanted to see if anyone knows if this topic has been tackled elsewhere.

- Bil

owasp-intrinsic-security mailing list
owasp-intrinsic-security at lists.owasp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-intrinsic-security/attachments/20081030/314ecc5f/attachment.html 

More information about the owasp-intrinsic-security mailing list