[Owasp-leaders] Clickjacking Defense

Eoin eoin.keary at owasp.org
Tue Sep 4 11:35:38 UTC 2012


Sure not everyone is security savvy. They'll use older browsers!!

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 4 Sep 2012, at 08:59, Jim Manico <jim.manico at owasp.org> wrote:

> It's an ineffective approach.  I'd prefer to add a section saying NOT to do it and will provide the Stanford article link as backup. Fair?
> 
> PS: If you use an older browser you have much much bigger problems....
> 
> --
> Jim Manico
> (808) 652-3805
> 
> On Sep 4, 2012, at 8:44 AM, Eoin Keary <eoinkeary at gmail.com> wrote:
> 
>> So we should mention that?? It is still a common approach to cover older browsers.
>> 
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>> 
>> 
>> On 3 Sep 2012, at 21:35, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> It's so easily evadable ...
>>> 
>>> http://seclab.stanford.edu/websec/framebusting/framebust.pdf
>>> 
>>> ... I no longer recommend the technique. If there IS a good JavaScript framebusting technique I'm all ears...
>>> 
>>> Jim Manico
>>> OWASP Volunteer
>>> (808) 652-3805
>>> 
>>> 
>>> 
>>>> The jscript stuff still makes it a little harder. There are also some sorta effective solutions. Should you not include them?
>>>> 
>>>> Eoin Keary
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>> 
>>>> 
>>>> On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org> wrote:
>>>> 
>>>>> I want to write a Cheat-sheet on Clickjacking defense.
>>>>> 
>>>>> I was thinking of just discussing the different framing blocking headers....
>>>>> 
>>>>> // to prevent all framing of this content
>>>>> response.addHeader( "X-FRAME-OPTIONS", "DENY" );
>>>>> 
>>>>> // to allow framing of this content only by this site
>>>>> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>>>>> 
>>>>> // to allow framing from a specific domain
>>>>> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
>>>>> 
>>>>> ...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.
>>>>> 
>>>>> What do you think, any thoughts on this topic?
>>>>> 
>>>>> Cheers folks,
>>>>> 
>>>>> Jim Manico
>>>>> OWASP Volunteer
>>>>> (808) 652-3805
>>>>> 
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> 
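The servlet calls quoted in the thread, as an added example (not code from the thread, from OWASP, or from the cheat sheet being discussed): a WSGI middleware that emits the same three X-Frame-Options policies, plus a checker that classifies what a response's headers actually permit, which is the test a reviewer would run against an application that claims to be protected. The WSGI application, the `https://example.com` origin and the bogus `ALLOWALL` value the sample app sets are all constructed for the example.

```python
"""Added example: set and audit the X-Frame-Options header (not the thread's code)."""
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed origin for the ALLOW-FROM demonstration; not from the thread.
EXAMPLE_ORIGIN = "https://example.com"


def build_xfo(policy: str, origin: Optional[str] = None) -> str:
    """Return the header value for DENY, SAMEORIGIN or ALLOW-FROM <one origin>."""
    policy = policy.strip().upper()
    if policy in ("DENY", "SAMEORIGIN"):
        return policy
    if policy == "ALLOW-FROM":
        # The header syntax allows exactly one absolute origin, not a list.
        if not origin or not origin.startswith(("http://", "https://")):
            raise ValueError("ALLOW-FROM requires exactly one absolute origin")
        return f"ALLOW-FROM {origin}"
    raise ValueError(f"unknown X-Frame-Options policy: {policy!r}")


def xfo_middleware(app: Callable, policy: str = "DENY",
                   origin: Optional[str] = None) -> Callable:
    """Wrap a WSGI app so every response carries exactly one X-Frame-Options."""
    value = build_xfo(policy, origin)

    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            # Replace rather than append: browsers do not agree on how to
            # treat a multi-valued header such as "DENY, SAMEORIGIN".
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", value))
            return start_response(status, kept, exc_info)
        return app(environ, sr)
    return wrapped


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a response's clickjacking protection from its headers.

    Returns 'blocked', 'same-origin', 'allow-from', 'unprotected' or 'invalid'.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "x-frame-options":
            value = raw.strip()
    if value is None:
        return "unprotected"
    upper = value.upper()
    if "," in upper:
        return "invalid"          # conflicting values; behaviour is browser-specific
    if upper == "DENY":
        return "blocked"
    if upper == "SAMEORIGIN":
        return "same-origin"
    if upper.startswith("ALLOW-FROM "):
        return "allow-from"
    return "invalid"              # e.g. ALLOWALL, which no browser honours


def sample_app(environ, start_response) -> Iterable[bytes]:
    """Constructed WSGI app that emits a bogus value the middleware must override."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Frame-Options", "ALLOWALL")])
    return [b"<html><body>account settings</body></html>"]


def call_wsgi(app: Callable, path: str = "/") -> Tuple[str, Dict[str, str], bytes]:
    """Invoke a WSGI app offline and return (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


if __name__ == "__main__":
    for policy, origin in (("DENY", None), ("SAMEORIGIN", None),
                           ("ALLOW-FROM", EXAMPLE_ORIGIN)):
        _, hdrs, _ = call_wsgi(xfo_middleware(sample_app, policy, origin))
        print(hdrs["X-Frame-Options"], "->", framing_policy(hdrs))
    print("bare app ->", framing_policy(call_wsgi(sample_app)[1]))
```

The checker is the useful half for review work: run it over the headers of every page that renders a sensitive action, not just the login page, since a framable settings page is enough for the attack. Two caveats that follow from the header's design: it carries a single value, so layers that each add their own (application, reverse proxy, CDN) produce the `invalid` case above; and `ALLOW-FROM` names one origin only and was never honoured by every major browser, so it should not be relied on as the sole control.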