[Owasp-leaders] Clickjacking Defense

Jim Manico jim.manico at owasp.org
Mon Sep 3 20:35:30 UTC 2012


It's so easily evadable ...

http://seclab.stanford.edu/websec/framebusting/framebust.pdf

... I no longer recommend the technique. If there IS a good JavaScript 
framebusting technique I'm all ears...

Jim Manico
OWASP Volunteer
(808) 652-3805



> The jscript stuff still makes it a little harder. There are also some sorta effective solutions. Should you not include them?
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org> wrote:
>
>> I want to write a Cheat-sheet on Clickjacking defense.
>>
>> I was thinking of just discussing the different framing blocking headers....
>>
>> // to prevent all framing of this content
>> response.addHeader( "X-FRAME-OPTIONS", "DENY" );
>>
>> // to allow framing of this content only by this site
>> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>>
>> // to allow framing from a specific domain
>> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
>>
>> ...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.
>>
>> What do you think, any thoughts on this topic?
>>
>> Cheers folks,
>>
>> Jim Manico
>> OWASP Volunteer
>> (808) 652-3805
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
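The three header values in the quoted message (DENY, SAMEORIGIN and ALLOW-FROM), as an added example that is not code from this thread or from OWASP: a small Python helper that emits the header for a chosen policy, rejecting a malformed ALLOW-FROM origin so a value the browser cannot parse is never sent, plus an audit function that classifies a response's framing protection as ok, missing or invalid (the "missing" and "invalid" verdicts are the ones a detection check cares about). It also accepts a Content-Security-Policy frame-ancestors directive as protection, since that directive is the standardised successor to X-Frame-Options; the sample responses at the bottom are constructed, not captured from any real site, and the names frame_options and audit_response are this example's own.

```python
# Added example (not code from the thread): emit and audit the X-Frame-Options
# header values discussed above. Standard library only; the sample responses
# at the bottom are constructed for illustration.
from urllib.parse import urlsplit

XFO = "X-Frame-Options"
CSP = "Content-Security-Policy"


def frame_options(policy, origin=None):
    """Return (header_name, header_value) for DENY, SAMEORIGIN or ALLOW-FROM.

    ALLOW-FROM takes exactly one origin (scheme://host[:port]); a path, a
    wildcard or a bare hostname is rejected so a malformed value, which a
    browser may not honour, is never sent.
    """
    policy = policy.strip().upper()
    if policy in ("DENY", "SAMEORIGIN"):
        return XFO, policy
    if policy == "ALLOW-FROM":
        if not origin:
            raise ValueError("ALLOW-FROM requires an origin")
        p = urlsplit(origin)
        if (p.scheme not in ("http", "https") or not p.netloc
                or p.path not in ("", "/") or p.query or p.fragment
                or "*" in p.netloc):
            raise ValueError("ALLOW-FROM origin must be scheme://host[:port]: %r" % origin)
        return XFO, "ALLOW-FROM %s://%s" % (p.scheme, p.netloc)
    raise ValueError("unknown framing policy %r" % policy)


def _header_values(headers, name):
    # Header names are case-insensitive. A list of (name, value) pairs is
    # accepted as well as a dict, so repeated headers stay visible to the audit.
    items = headers.items() if hasattr(headers, "items") else headers
    return [v.strip() for k, v in items if k.lower() == name.lower()]


def audit_response(headers):
    """Classify a response's framing protection.

    Returns one of:
      'ok'      - a single valid X-Frame-Options value, or a CSP
                  frame-ancestors directive
      'missing' - neither header present: the page can be framed by anyone
      'invalid' - X-Frame-Options present but unparseable, or sent more than
                  once with differing values; treat as unprotected
    """
    for csp in _header_values(headers, CSP):
        directives = [d.strip() for d in csp.split(";")]
        if any(d.lower().startswith("frame-ancestors ") for d in directives):
            return "ok"
    xfo = _header_values(headers, XFO)
    if not xfo:
        return "missing"
    if len(set(v.upper() for v in xfo)) > 1:
        return "invalid"
    value = xfo[0].upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "ok"
    if value.startswith("ALLOW-FROM "):
        try:
            # Re-use the emitter's validation to judge the origin that was sent.
            frame_options("ALLOW-FROM", xfo[0][len("ALLOW-FROM "):].strip())
            return "ok"
        except ValueError:
            return "invalid"
    return "invalid"


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "login page":    {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "widget":        {"x-frame-options": "ALLOW-FROM https://partner.example"},
    "legacy page":   {"Content-Type": "text/html"},
    "misconfigured": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "csp page":      {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}


def audit_all(responses=SAMPLE_RESPONSES):
    """Audit every sample response and return {name: verdict}."""
    return {name: audit_response(h) for name, h in responses.items()}


if __name__ == "__main__":
    print(frame_options("allow-from", "https://partner.example:8443"))
    for name, verdict in audit_all().items():
        print("%-14s %s" % (name, verdict))
```

The audit deliberately treats two differing X-Frame-Options values on one response as unprotected rather than guessing which one a given browser will pick; the safe deployment is one header with one value, set centrally (a filter or middleware) rather than per page, which is where the "legacy page" case in the sample usually comes from.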
