[Owasp-leaders] Clickjacking Defense

John Wilander john.wilander at owasp.org
Mon Sep 3 22:21:11 UTC 2012


I guess listing the alternatives to XFO and briefly saying why they don't
work would make sense. A lot of people want to know why a certain technique
they're considering won't solve their problem before accepting another,
superior solution.

The Stanford study on Busting Frame Busting is cool by the way. Gustav
presented it at OWASP AppSec Research 2010 in Stockholm.
Video here:
http://blip.tv/owasp-appsec-conference-in-europe/day1_track1_1155-1230-3937175
Slides here:
https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf

   /John


2012/9/3 Jim Manico <jim.manico at owasp.org>

>  It's so easily evadable ...
>
> http://seclab.stanford.edu/websec/framebusting/framebust.pdf
>
> ... I no longer recommend the technique. If there IS a good JavaScript
> framebusting technique I'm all ears...
>
>
> Jim Manico
> OWASP Volunteer
> (808) 652-3805
>
>
>
> The jscript stuff still makes it a little harder. There are also some sorta effective solutions. Should you not include them?
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org> wrote:
>
>
>  I want to write a Cheat-sheet on Clickjacking defense.
>
> I was thinking of just discussing the different framing blocking headers....
>
> // to prevent all framing of this content
> response.addHeader( "X-FRAME-OPTIONS", "DENY" );
>
> // to allow framing of this content only by this site
> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>
> // to allow framing from a specific domain
> // (ALLOW-FROM takes a single origin URI; not every browser implemented it)
> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
>
> ...and call it a day. I do not want to recommend manual framebreaking JavaScript; it's completely ineffective and is easily evaded.
>
> What do you think, any thoughts on this topic?
>
> Cheers folks,
>
> Jim Manico
> OWASP Volunteer
> (808) 652-3805
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
>


-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se
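An added example, not code from this thread or from the OWASP cheat sheet that came out of it. Jim's snippets use the Java servlet API; this is plain Node.js so it runs offline. It builds the three X-Frame-Options values discussed above, rejecting anything after ALLOW-FROM that is not the single bare origin the header accepts (RFC 7034 later standardised this), and audits header values captured from responses: missing, repeated with different values, unrecognised (e.g. ALLOWALL) or carrying a full URL instead of an origin. The URLs and the sample header lists are constructed for the example.

```javascript
// Added example, not code from the thread: build a valid X-Frame-Options
// value and audit the value(s) a server actually sent. Plain Node.js, no
// dependencies, no network; all URLs and sample headers are made up.

// Parse a candidate ALLOW-FROM argument. Returns a URL object for a single
// http(s) host without wildcards, or null. Anything else cannot be a
// serialized origin in the RFC 7034 sense.
function parseOrigin(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.hostname.indexOf('*') !== -1) return null; // no wildcard origins
  return url;
}

// ALLOW-FROM takes exactly one bare origin (scheme://host[:port]), not a
// URL. Paths, queries, fragments and credentials are rejected so the mistake
// is caught when the header is built, not when an embed silently fails.
function toOrigin(value) {
  const url = parseOrigin(value);
  if (!url) {
    throw new Error('ALLOW-FROM needs one absolute http(s) origin, got: ' + value);
  }
  if (url.href !== url.origin + '/') {
    throw new Error('ALLOW-FROM takes a bare origin, not ' + value + '; use ' + url.origin);
  }
  return url.origin; // normalised: lower-case host, default port dropped
}

// The three policies from the thread, as the header value to send.
function xfoValue(policy, allowFrom) {
  switch (policy) {
    case 'DENY':
    case 'SAMEORIGIN':
      if (allowFrom !== undefined) throw new Error(policy + ' takes no origin');
      return policy;
    case 'ALLOW-FROM':
      // Caveat: not every browser implemented ALLOW-FROM; those that did not
      // ignore the header, so this value alone does not protect every user.
      return 'ALLOW-FROM ' + toOrigin(allowFrom);
    default:
      throw new Error('unknown X-Frame-Options policy: ' + policy);
  }
}

// Audit the X-Frame-Options value(s) captured from one response. `values`
// is an array because the header may be repeated. Returns { ok, reason }.
function auditXfo(values) {
  if (!values || values.length === 0) {
    return { ok: false, reason: 'no X-Frame-Options header; page is framable' };
  }
  const trimmed = values.map((v) => String(v).trim());
  const distinct = [...new Set(trimmed.map((v) => v.toUpperCase()))];
  if (distinct.length > 1) {
    return { ok: false, reason: 'conflicting values (' + distinct.join(' | ') + '); send exactly one' };
  }
  const value = trimmed[0];
  const upper = distinct[0];
  if (upper === 'DENY') return { ok: true, reason: 'DENY: no framing allowed' };
  if (upper === 'SAMEORIGIN') return { ok: true, reason: 'SAMEORIGIN: framing by the same origin only' };
  if (upper.startsWith('ALLOW-FROM ')) {
    const rest = value.slice('ALLOW-FROM '.length).trim();
    const url = parseOrigin(rest);
    if (!url) {
      return { ok: false, reason: 'ALLOW-FROM argument is not an http(s) origin (' + rest + ')' };
    }
    if (url.href !== url.origin + '/') {
      return { ok: false, reason: 'ALLOW-FROM must carry a bare origin; send ALLOW-FROM ' + url.origin };
    }
    return { ok: true, reason: 'ALLOW-FROM ' + url.origin + ' (no effect in browsers without ALLOW-FROM support)' };
  }
  // e.g. "ALLOWALL", "SAME-ORIGIN", "DENY, SAMEORIGIN": not defined by
  // RFC 7034, so browsers drop the header and framing is allowed.
  return { ok: false, reason: 'unrecognised value (' + value + '); header ignored, page is framable' };
}

// Constructed sample: header values as captured from four hypothetical
// responses, run through the audit.
const SAMPLE_RESPONSES = {
  'https://app.example/login': ['DENY'],
  'https://app.example/widget': ['ALLOW-FROM https://partner.example/embed'],
  'https://app.example/legacy': ['SAMEORIGIN', 'DENY'],
  'https://app.example/help': ['ALLOWALL'],
};

function auditSample() {
  const report = {};
  for (const url of Object.keys(SAMPLE_RESPONSES)) {
    report[url] = auditXfo(SAMPLE_RESPONSES[url]);
  }
  return report;
}

console.log(JSON.stringify(auditSample(), null, 2));
```

On a Node server the value goes out with `res.setHeader('X-Frame-Options', xfoValue('SAMEORIGIN'))`; setHeader replaces rather than appends, which avoids the "two differing values on one response" case the audit flags. The audit is deliberately strict about ALLOW-FROM: a value a browser might tolerate but that is not a bare origin is reported as a misconfiguration to fix, not as protection.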

