[owasp-intrinsic-security] Saved Passwords and Clickjacking

Bil Corry bil at corry.biz
Thu Oct 30 11:56:49 EDT 2008


Arshan Dabirsiaghi wrote on 10/30/2008 9:08 AM: 
> I have not heard much on prevention of this type of danger except in the form of "don't let FF save your passwords!!"

From the website's perspective, not allowing the browser to save the username and password is an option.  I've seen some sites that do allow the user to opt-in to have the site remember their username, so it will pre-populate the username, and the user still has to enter their password.


> I would guess a simple protection might be to not pre-populate form fields in an <iframe>. For further insurance of not breaking existing apps, you could say the browser can pre-populate if the <iframe> is from the same domain.

I think that is the cleanest solution, you'll have to let us know what other ideas come out of the EU Summit.


- Bil
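As an added illustration (not code from this thread or from any OWASP project), here is one page-side approximation of the idea discussed above. Page script cannot change the browser's own autofill policy, so the login page instead detects whether it has been framed by a different origin and, if so, clears and disables the password field; same-origin framing is left alone, matching the "pre-populate if the iframe is from the same domain" suggestion. The function names, the window-like and input-like objects passed to them, and the sample origins are assumptions made for this example.

```javascript
// Added example, not from the thread: page-side handling of autofilled
// credentials when the page is rendered inside a frame it does not control.

// Decide whether `win` (a window-like object) is framed by a different origin.
// Same-origin framing is allowed; cross-origin framing is what clickjacking
// attacks rely on, so that is the case the page reacts to.
function isFramedCrossOrigin(win) {
  if (win.top === win.self) return false;          // not framed at all
  try {
    // Reading a cross-origin ancestor's location origin throws a SecurityError.
    // If the read succeeds, the top window is same-origin and framing is fine.
    return win.top.location.origin !== win.location.origin;
  } catch (e) {
    return true;                                    // access denied: cross-origin frame
  }
}

// Apply the policy to a password input. Returns what was done so callers
// can check the outcome without a real DOM.
function applyFramingPolicy(passwordInput, framedCrossOrigin) {
  if (!framedCrossOrigin) {
    return { disabled: false, cleared: false };
  }
  passwordInput.value = '';                // drop anything the browser pre-filled
  passwordInput.disabled = true;           // a disabled field cannot be clicked or submitted
  passwordInput.autocomplete = 'off';      // hint the browser not to fill it again
  return { disabled: true, cleared: true };
}

// Wire up on a real page; skipped when run outside a browser (e.g. under node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const pw = document.querySelector('input[type=password]');
  if (pw) applyFramingPolicy(pw, isFramedCrossOrigin(window));
}
```

This is a client-side complement, not a replacement, for telling browsers not to frame the page at all (an `X-Frame-Options` header or a CSP `frame-ancestors` directive sent by the server); a script that only runs after the page has loaded inside a frame is necessarily a second line of defence.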
