[Owasp-leaders] Clickjacking Defense

Michael Coates michael.coates at owasp.org
Wed Sep 5 22:19:41 UTC 2012


Here's the info on browser support for X-frame-options.  I also second the
idea of adding a section on "Ineffective Approaches" which talks about
frame busting scripts.


https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header#Browser_compatibility

Browser compatibility (lowest version with X-Frame-Options support):
  Internet Explorer   8.0
  Firefox (Gecko)     3.6.9 (1.9.2.9)
  Opera               10.50
  Safari              4.0
  Chrome              4.1.249.1042




- Michael Coates




On Tue, Sep 4, 2012 at 3:29 PM, Neil Matatall <neil at owasp.org> wrote:

> I'd like to see a blurb that says "require a confirmation or otherwise
> two-step process" as an option - browser agnostic, fairly easy to secure,
> and UX folk love it (sarcasm).
>
> On Tue, Sep 4, 2012 at 3:16 PM, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
>
>>  That's great news!
>>
>> Erlend
>>  ------------------------------
>> From: Tobias
>> Sent: 04.09.2012 19:00
>> To: Erlend Oftedal
>> Cc: eoin.keary at owasp.org; jim.manico at owasp.org; eoinkeary at gmail.com;
>> owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Clickjacking Defense
>>
>>
>>  Hi Erlend,
>> FYI: actually we are currently working on rolling the "Allow-From" into
>> the next version of XFO for all browsers, which in this case then will be
>> Frame-Options (without the "X-").
>> An alternative route we currently analyse is to wrap FO into CSP, but
>> there are some technical problems with that. Would expect all to be sorted
>> and done by Q1 2013.
>> Best regards, Tobias
>>
>> Ps.: the current XFO:
>> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00
>> and the new FO
>> http://tools.ietf.org/html/draft-ietf-websec-frame-options-00
>>
>>
>>
>> On 04/09/12 21:06, Erlend Oftedal wrote:
>>
>> I did a bit of research on X-frame-options a while back. At the time only
>> IE supported Allow-from.
>> That may still hold.
>> http://erlend.oftedal.no/blog/tools/xframeoptions/
>>
>> Erlend
>>
>>   ------------------------------
>> From: owasp-leaders-bounces at lists.owasp.org [owasp-leaders-bounces at lists.owasp.org] on behalf of Eoin [eoin.keary at owasp.org]
>> Sent: 4 September 2012 13:35
>> To: Jim Manico
>> Cc: Eoin Keary; owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Clickjacking Defense
>>
>>  Sure not everyone is security savvy. They'll use older browsers!!
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 4 Sep 2012, at 08:59, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>   It's an ineffective approach.  I'd prefer to add a section saying NOT
>> to do it and will provide the Stanford article link as backup. Fair?
>>
>> PS: If you use an older browser you have much much bigger problems....
>>
>> --
>> Jim Manico
>> (808) 652-3805
>>
>> On Sep 4, 2012, at 8:44 AM, Eoin Keary <eoinkeary at gmail.com> wrote:
>>
>>   So we should mention that?? It is still a common approach to cover
>> older browsers.
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 3 Sep 2012, at 21:35, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>   It's so easily evadable ...
>>
>> http://seclab.stanford.edu/websec/framebusting/framebust.pdf
>>
>> ... I no longer recommend the technique. If there IS a good JavaScript
>> framebusting technique I'm all ears...
>>
>> Jim Manico
>> OWASP Volunteer
>> (808) 652-3805
>>
>>
>>
>> The jscript stuff still makes it a little harder. There are also some sorta effective solutions. Should you not include them?
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>
>>  I want to write a Cheat-sheet on Clickjacking defense.
>>
>> I was thinking of just discussing the different framing blocking headers....
>>
>> // response is the javax.servlet.http.HttpServletResponse for the page;
>> // setHeader (not addHeader) so that exactly one X-Frame-Options value is sent
>>
>> // to prevent all framing of this content
>> response.setHeader( "X-FRAME-OPTIONS", "DENY" );
>>
>> // to allow framing of this content only by this site (same origin)
>> response.setHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>>
>> // to allow framing from one specific origin (a single absolute URI;
>> // browser support for this value varies)
>> response.setHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
>>
>> ...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.
>>
>> What do you think, any thoughts on this topic?
>>
>> Cheers folks,
>>
>> Jim Manico
>> OWASP Volunteer
>> (808) 652-3805
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
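The three X-Frame-Options values from Jim's snippet, together with the browser-support points raised by Michael and Erlend (only some browsers ever understood ALLOW-FROM), worked through as an added example that is not part of the thread and not OWASP code. It builds the headers a server should send and models how a browser applies them, so a framing policy can be checked in a unit test instead of by hand in each browser. It goes one step past the thread by also handling the CSP frame-ancestors directive that later took over this job (Tobias mentions wrapping Frame-Options into CSP). It relies only on Node's built-in URL class; the origins app.example, partner.example and evil.example are constructed.

```javascript
// Added example, not code from the thread: build the frame-blocking headers a
// server should send and model how a browser applies them, so a policy can be
// unit-tested rather than checked by hand in each browser. Covers the
// X-Frame-Options values DENY, SAMEORIGIN and ALLOW-FROM, plus the CSP
// frame-ancestors directive that later absorbed them. All URLs are constructed.

function originOf(url) {
  // scheme://host[:port] with default ports dropped; null for unparsable input
  try { return new URL(url).origin; } catch (e) { return null; }
}

function frameHeaders(policy, allowedSite) {
  // Headers for one framing policy. Both headers go out: old browsers honour
  // only X-Frame-Options, and browsers that understand frame-ancestors use it
  // in preference to X-Frame-Options.
  switch (policy) {
    case 'deny':
      return { 'X-Frame-Options': 'DENY',
               'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': "frame-ancestors 'self'" };
    case 'allow-from': {
      const origin = originOf(allowedSite);
      if (origin === null) throw new Error('allow-from needs an absolute URL');
      // ALLOW-FROM carries exactly one origin; a list of partners fits only in CSP.
      return { 'X-Frame-Options': `ALLOW-FROM ${origin}`,
               'Content-Security-Policy': `frame-ancestors ${origin}` };
    }
    default:
      throw new Error(`unknown framing policy: ${policy}`);
  }
}

function header(headers, name) {
  // case-insensitive lookup; repeated headers are assumed already joined with commas
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

function ancestorsAllow(sources, pageOrigin, topOrigin) {
  // Subset of CSP source matching: 'none', 'self' and exact serialized origins.
  if (sources.includes("'none'")) return false;
  return sources.some((src) =>
    (src === "'self'" && topOrigin === pageOrigin) || originOf(src) === topOrigin);
}

// Would a browser render pageUrl inside a frame whose top-level document is
// topUrl? supportsAllowFrom models the browser: IE (and later Firefox)
// understood ALLOW-FROM, Chrome and Safari never did.
function framingAllowed(headers, pageUrl, topUrl, { supportsAllowFrom = false } = {}) {
  const pageOrigin = originOf(pageUrl);
  const topOrigin = originOf(topUrl);

  const csp = header(headers, 'content-security-policy');
  if (csp !== null) {
    const directive = csp.split(';').map((d) => d.trim().split(/\s+/))
      .find((parts) => parts[0].toLowerCase() === 'frame-ancestors');
    // When frame-ancestors is present, CSP says X-Frame-Options is to be ignored.
    if (directive) return ancestorsAllow(directive.slice(1), pageOrigin, topOrigin);
  }

  const xfo = header(headers, 'x-frame-options');
  if (xfo === null) return true; // no policy at all: anyone may frame the page
  const values = xfo.split(',').map((v) => v.trim()).filter((v) => v !== '');
  if (values.length === 0) return true; // empty header is invalid and ignored
  if (new Set(values.map((v) => v.toUpperCase())).size > 1) {
    return false; // "DENY, SAMEORIGIN" and the like: current browsers fall back to DENY
  }
  const value = values[0];
  if (value.toUpperCase() === 'DENY') return false;
  if (value.toUpperCase() === 'SAMEORIGIN') {
    // Compared against the top-level document here. Some early implementations
    // compared only the immediate parent, which let an attacker nest a
    // same-origin frame between their page and the target.
    return topOrigin === pageOrigin;
  }
  const allowFrom = /^ALLOW-FROM\s+(\S+)$/i.exec(value);
  if (allowFrom !== null && supportsAllowFrom) return originOf(allowFrom[1]) === topOrigin;
  // Anything else is an invalid header, and browsers ignore invalid headers: a
  // typo, or ALLOW-FROM sent to a browser without it, leaves the page frameable.
  return true;
}
```

The two cases worth running before shipping a policy are the fail-open ones: a misspelt value such as SAME-ORIGIN, and ALLOW-FROM on a browser that never implemented it, both leave the page frameable by anyone, whereas the same response with a frame-ancestors directive is interpreted consistently.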