[Owasp-leaders] Clickjacking Defense

Neil Matatall neil at owasp.org
Tue Sep 4 22:29:22 UTC 2012


I'd like to see a blurb that says "require a confirmation or otherwise
two-step process" as an option - browser agnostic, fairly easy to secure,
and UX folk love it (sarcasm).

On Tue, Sep 4, 2012 at 3:16 PM, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:

>  That's great news!
>
> Erlend
>  ------------------------------
> From: Tobias
> Sent: 04.09.2012 19:00
> To: Erlend Oftedal
> Cc: eoin.keary at owasp.org; jim.manico at owasp.org; eoinkeary at gmail.com;
> owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Clickjacking Defense
>
>
>  Hi Erlend,
> FYI: actually we are currently working on rolling the "Allow-From" into
> the next version of XFO for all browsers, which in this case then will be
> Frame-Options (without the "X-").
> An alternative route we currently analyse is to wrap FO into CSP, but
> there are some technical problems with that. Would expect all to be sorted
> and done by Q1 2013.
> Best regards, Tobias
>
> Ps.: the current XFO:
> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00
> and the new FO
> http://tools.ietf.org/html/draft-ietf-websec-frame-options-00
>
>
>
> On 04/09/12 21:06, Erlend Oftedal wrote:
>
> I did a bit of research on X-frame-options a while back. At the time only
> IE supported Allow-from.
> That may still hold.
> http://erlend.oftedal.no/blog/tools/xframeoptions/
>
> Erlend
>
>   ------------------------------
> *From:* owasp-leaders-bounces at lists.owasp.org [
> owasp-leaders-bounces at lists.owasp.org] on behalf of Eoin [
> eoin.keary at owasp.org]
> *Sent:* 4 September 2012 13:35
> *To:* Jim Manico
> *Cc:* Eoin Keary; owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Clickjacking Defense
>
>  Sure not everyone is security savvy. They'll use older browsers!!
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 4 Sep 2012, at 08:59, Jim Manico <jim.manico at owasp.org> wrote:
>
>   It's an ineffective approach.  I'd prefer to add a section saying NOT
> to do it and will provide the Stanford article link as backup. Fair?
>
> PS: If you use an older browser you have much much bigger problems....
>
> --
> Jim Manico
> (808) 652-3805
>
> On Sep 4, 2012, at 8:44 AM, Eoin Keary <eoinkeary at gmail.com> wrote:
>
>   So we should mention that?? It is still a common approach to cover
> older browsers.
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 3 Sep 2012, at 21:35, Jim Manico <jim.manico at owasp.org> wrote:
>
>   It's so easily evadable ...
>
> http://seclab.stanford.edu/websec/framebusting/framebust.pdf
>
> ... I no longer recommend the technique. If there IS a good JavaScript
> framebusting technique I'm all ears...
>
> Jim Manico
> OWASP Volunteer
> (808) 652-3805
>
>
>
>  The jscript stuff still makes it a little harder. There are also some sorta effective solutions. Should you not include them?
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org> wrote:
>
>
>  I want to write a Cheat-sheet on Clickjacking defense.
>
> I was thinking of just discussing the different framing blocking headers....
>
> // to prevent all framing of this content 
>
> response.addHeader( "X-FRAME-OPTIONS", "DENY" );
>
> // to allow framing of this content only by this site
> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>
> // to allow framing from a specific domain
> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
>
> ...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.
>
> What do you think, any thoughts on this topic?
>
> Cheers folks,
>
> Jim Manico
> OWASP Volunteer
> (808) 652-3805
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
>
>
>
>
>
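An added example, not code from anyone in this thread: a small Python checker that parses an X-Frame-Options value the way the headers above are described (DENY, SAMEORIGIN, ALLOW-FROM origin) and rates how much framing protection a response actually gets. ALLOW-FROM is rated "partial" because, as Erlend notes, only some browsers honoured it at the time; the sample responses and the partner.example origin are constructed.

```python
"""Audit X-Frame-Options headers for clickjacking protection (constructed example)."""
from urllib.parse import urlsplit

SINGLE_TOKEN = {"DENY", "SAMEORIGIN"}


def parse_xfo(value):
    """Return (directive, origin) or raise ValueError for a malformed value.

    Grammar follows the XFO draft: DENY | SAMEORIGIN | ALLOW-FROM <origin>,
    matched case-insensitively as browsers do.
    """
    tokens = value.strip().split()
    if not tokens:
        raise ValueError("empty X-Frame-Options value")
    directive = tokens[0].upper()
    if directive in SINGLE_TOKEN:
        if len(tokens) != 1:
            raise ValueError("unexpected parameter after %s" % directive)
        return directive, None
    if directive == "ALLOW-FROM":
        if len(tokens) != 2:
            raise ValueError("ALLOW-FROM needs exactly one origin")
        parts = urlsplit(tokens[1])
        # A serialized origin is scheme://host[:port] with no path or query.
        if parts.scheme not in ("http", "https") or not parts.netloc \
                or parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError("ALLOW-FROM origin must be scheme://host[:port]")
        return directive, "%s://%s" % (parts.scheme, parts.netloc)
    raise ValueError("unknown directive %r" % tokens[0])


def assess(headers):
    """Rate a response's framing protection from its (name, value) header pairs."""
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        return "none", "no X-Frame-Options header; page can be framed from anywhere"
    if len(xfo) > 1:
        # Conflicting copies are handled differently per browser; send exactly one.
        return "broken", "multiple X-Frame-Options headers: %r" % xfo
    try:
        directive, origin = parse_xfo(xfo[0])
    except ValueError as err:
        return "broken", "invalid X-Frame-Options: %s" % err
    if directive == "ALLOW-FROM":
        return "partial", "ALLOW-FROM %s: no effect in browsers without support" % origin
    return "strong", "%s blocks cross-site framing" % directive


if __name__ == "__main__":
    for sample in ([("Content-Type", "text/html")],                 # constructed responses
                   [("X-Frame-Options", "DENY")],
                   [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
                   [("X-Frame-Options", "ALLOWALL")]):
        print(assess(sample))
```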