[Owasp-leaders] Clickjacking Defense

Jim Manico jim.manico at owasp.org
Tue Sep 4 07:59:04 UTC 2012


It's an ineffective approach.  I'd prefer to add a section saying NOT to do
it and will provide the Stanford article link as backup. Fair?

PS: If you use an older browser you have much much bigger problems....

--
Jim Manico
(808) 652-3805

On Sep 4, 2012, at 8:44 AM, Eoin Keary <eoinkeary at gmail.com> wrote:

So we should mention that?? It is still a common approach to cover older
browsers.

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 3 Sep 2012, at 21:35, Jim Manico <jim.manico at owasp.org> wrote:

 It's so easily evadable ...

 http://seclab.stanford.edu/websec/framebusting/framebust.pdf

... I no longer recommend the technique. If there IS a good JavaScript
framebusting technique I'm all ears...

Jim Manico
OWASP Volunteer
(808) 652-3805



The jscript stuff still makes it a little harder. There are also some
sorta effective solutions. Should you not include them?

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org> wrote:


 I want to write a Cheat-sheet on Clickjacking defense.

I was thinking of just discussing the different framing blocking headers....

// to prevent all framing of this content 
response.addHeader( "X-FRAME-OPTIONS", "DENY" );

// to allow framing of this content only by this site
response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

// to allow framing from a specific domain
response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );

...and call it a day. I do not want to recommend manual framebreaking
JavaScript, it's completely ineffective and is easily evaded.

What do you think, any thoughts on this topic?

Cheers folks,

Jim Manico
OWASP Volunteer
(808) 652-3805
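The header-only approach Jim sketches above, worked through as an added example (it is not code from the thread or from any OWASP project): a small WSGI middleware that stamps X-Frame-Options on every response, plus an audit helper that classifies a response's headers as protected or not. The WSGI framing, the function names and the constructed request are assumptions of this example; the three header values are the ones from the thread. The audit also recognises a Content-Security-Policy frame-ancestors directive, which the thread does not discuss but which later became the standard replacement for ALLOW-FROM.

```python
"""Added example, not from the OWASP-Leaders thread: apply and audit the
X-Frame-Options header discussed above.

Assumptions (not from the page): the application is a WSGI app; header
names are treated case-insensitively; CSP frame-ancestors is accepted as
an equivalent control.
"""

VALID_XFO = ("DENY", "SAMEORIGIN")


def frame_options_middleware(app, policy="DENY", allow_from=None):
    """Wrap a WSGI app so every response carries X-Frame-Options.

    policy is DENY or SAMEORIGIN. Passing allow_from emits the third form
    from the thread, ALLOW-FROM <origin>; browser support for that form was
    never universal, so DENY/SAMEORIGIN are the safe defaults.
    """
    if allow_from is not None:
        value = "ALLOW-FROM " + allow_from
    elif policy.upper() in VALID_XFO:
        value = policy.upper()
    else:
        raise ValueError("unknown X-Frame-Options policy: %r" % policy)

    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            # Drop any X-Frame-Options the app itself set so one policy wins,
            # then append ours.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


def audit_framing_headers(headers):
    """Return (protected, reason) for a list of (name, value) response headers.

    Protected means framing is restricted by X-Frame-Options DENY/SAMEORIGIN
    or by a CSP frame-ancestors directive. ALLOW-FROM is reported as weak
    because not every browser honours it, and a missing header is reported
    as unprotected.
    """
    lower = {k.lower(): v for k, v in headers}
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in VALID_XFO:
        return True, "X-Frame-Options " + xfo
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return True, "CSP " + directive.strip()
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is not honoured by all browsers"
    return False, "no framing restriction header"


def run_demo():
    """Drive the middleware with a constructed request and audit the result."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html>ok</html>"]

    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    wrapped = frame_options_middleware(app, "DENY")
    b"".join(wrapped({"REQUEST_METHOD": "GET"}, start_response))  # constructed environ
    return captured["headers"], audit_framing_headers(captured["headers"])


if __name__ == "__main__":
    headers, verdict = run_demo()
    print(headers)
    print(verdict)
```

The audit half is the part worth keeping around: run it over the headers your real responses return and it tells you, per response, whether framing is actually restricted and by which control.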
