[Owasp-leaders] Clickjacking Defense

Erlend Oftedal Erlend.Oftedal at BEKK.no
Tue Sep 4 13:06:15 UTC 2012

I did a bit of research on X-frame-options a while back. At the time only IE supported Allow-from.
That may still hold.


Fra: owasp-leaders-bounces at lists.owasp.org [owasp-leaders-bounces at lists.owasp.org] på vegne av Eoin [eoin.keary at owasp.org]
Sendt: 4. september 2012 13:35
To: Jim Manico
Cc: Eoin Keary; owasp-leaders at lists.owasp.org
Emne: Re: [Owasp-leaders] Clickjacking Defense

Sure not everyone is security savvy. They'll use older browsers!!

Eoin Keary
Owasp Global Board
+353 87 977 2988

On 4 Sep 2012, at 08:59, Jim Manico <jim.manico at owasp.org<mailto:jim.manico at owasp.org>> wrote:

It's an ineffective approach.  I'd prefer to add a section saying NOT to do it and will provide the Stanford article link as backup. Fair?

PS: If you use an older browser you have much much bigger problems....

Jim Manico
(808) 652-3805

On Sep 4, 2012, at 8:44 AM, Eoin Keary <eoinkeary at gmail.com<mailto:eoinkeary at gmail.com>> wrote:

So we should mention that?? It is still a common approach to cover older browsers.

Eoin Keary
Owasp Global Board
+353 87 977 2988

On 3 Sep 2012, at 21:35, Jim Manico <jim.manico at owasp.org<mailto:jim.manico at owasp.org>> wrote:

It's so easily evadable ...


... I no longer recommend the technique. If there IS a good JavaScript framebusting technique I'm all ears...

Jim Manico
OWASP Volunteer
(808) 652-3805

The jscript stuff still makes it a little header. There are also some sorta effective solutions. Should you not include them?

Eoin Keary
Owasp Global Board
+353 87 977 2988

On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org><mailto:jim.manico at owasp.org> wrote:

I want to write a Cheat-sheet on Clickjacking defense.

I was thinking of just discussing the different framing blocking headers....

// to prevent all framing of this content 
response.addHeader( "X-FRAME-OPTIONS", "DENY" );

// to allow framing of this content only by this site
response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

// to allow framing from a specific domain
response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );

...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.

What do you think, any thoughts on this topic?

Cheers folks,

Jim Manico
OWASP Volunteer
(808) 652-3805

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org<mailto:OWASP-Leaders at lists.owasp.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120904/a75a6ed5/attachment-0001.html>

More information about the OWASP-Leaders mailing list