[Owasp-leaders] Clickjacking Defense

Eoin eoin.keary at owasp.org
Wed Sep 5 22:59:51 UTC 2012


Cool.


Eoin Keary
Owasp Global Board
+353 87 977 2988


On 5 Sep 2012, at 23:19, Michael Coates <michael.coates at owasp.org> wrote:

> Here's the info on browser support for X-frame-options.  I also second the idea of adding a section on "Ineffective Approaches" which talks about frame busting scripts.
> 
> 
> https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header#Browser_compatibility
> 
> Browser compatibility
> 
> Browser	Lowest version
> Internet Explorer	8.0
> Firefox (Gecko)	3.6.9 (1.9.2.9)
> Opera	10.50
> Safari	4.0
> Chrome	4.1.249.1042
> 
> 
> 
> 
> 
> - Michael Coates
> 
> 
> 
> 
> On Tue, Sep 4, 2012 at 3:29 PM, Neil Matatall <neil at owasp.org> wrote:
> I'd like to see a blurb that says "require a confirmation or otherwise two-step process" as an option - browser agnostic, fairly easy to secure, and UX folk love it (sarcasm).  
> 
> On Tue, Sep 4, 2012 at 3:16 PM, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
> That's great news! 
> 
> Erlend
> From: Tobias
> Sent: 04.09.2012 19:00
> To: Erlend Oftedal
> Cc: eoin.keary at owasp.org; jim.manico at owasp.org; eoinkeary at gmail.com; owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Clickjacking Defense
> 
> 
> Hi Erlend, 
> FYI: actually we are currently working on rolling the "Allow-From" into the next version of XFO for all browsers, which in this case then will be Frame-Options (without the "X-"). 
> An alternative route we currently analyse is to wrap FO into CSP, but there are some technical problems with that. Would expect all to be sorted and done by Q1 2013. 
> Best regards, Tobias
> 
> Ps.: the current XFO: http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00
> and the new FO http://tools.ietf.org/html/draft-ietf-websec-frame-options-00
> 
> 
> 
> On 04/09/12 21:06, Erlend Oftedal wrote:
>> I did a bit of research on X-frame-options a while back. At the time only IE supported Allow-from.
>> That may still hold.
>> http://erlend.oftedal.no/blog/tools/xframeoptions/
>> 
>> Erlend
>> 
>> From: owasp-leaders-bounces at lists.owasp.org [owasp-leaders-bounces at lists.owasp.org] on behalf of Eoin [eoin.keary at owasp.org]
>> Sent: 4 September 2012 13:35
>> To: Jim Manico
>> Cc: Eoin Keary; owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Clickjacking Defense
>> 
>> Sure not everyone is security savvy. They'll use older browsers!!
>> 
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>> 
>> 
>> On 4 Sep 2012, at 08:59, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> It's an ineffective approach.  I'd prefer to add a section saying NOT to do it and will provide the Stanford article link as backup. Fair?
>>> 
>>> PS: If you use an older browser you have much much bigger problems....
>>> 
>>> --
>>> Jim Manico
>>> (808) 652-3805
>>> 
>>> On Sep 4, 2012, at 8:44 AM, Eoin Keary <eoinkeary at gmail.com> wrote:
>>> 
>>>> So we should mention that?? It is still a common approach to cover older browsers.
>>>> 
>>>> Eoin Keary
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>> 
>>>> 
>>>> On 3 Sep 2012, at 21:35, Jim Manico <jim.manico at owasp.org> wrote:
>>>> 
>>>>> It's so easily evadable ...
>>>>> 
>>>>> http://seclab.stanford.edu/websec/framebusting/framebust.pdf
>>>>> 
>>>>> ... I no longer recommend the technique. If there IS a good JavaScript framebusting technique I'm all ears...
>>>>> 
>>>>> Jim Manico
>>>>> OWASP Volunteer
>>>>> (808) 652-3805
>>>>> 
>>>>> 
>>>>> 
>>>>>> The jscript stuff still makes it a little harder. There are also some sorta effective solutions. Should you not include them?
>>>>>> 
>>>>>> Eoin Keary
>>>>>> Owasp Global Board
>>>>>> +353 87 977 2988
>>>>>> 
>>>>>> 
>>>>>> On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>> 
>>>>>>> I want to write a Cheat-sheet on Clickjacking defense.
>>>>>>> 
>>>>>>> I was thinking of just discussing the different framing blocking headers....
>>>>>>> 
>>>>>>> // to prevent all framing of this content 
>>>>>>> response.addHeader( "X-FRAME-OPTIONS", "DENY" ); 
>>>>>>> 
>>>>>>> // to allow framing of this content only by this site 
>>>>>>> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>>>>>>> 
>>>>>>> // to allow framing from a specific domain
>>>>>>> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" ); 
>>>>>>> 
>>>>>>> ...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.
>>>>>>> 
>>>>>>> What do you think, any thoughts on this topic?
>>>>>>> 
>>>>>>> Cheers folks,
>>>>>>> 
>>>>>>> Jim Manico
>>>>>>> OWASP Volunteer
>>>>>>> (808) 652-3805
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> 
>> 
>> 
> 
> 
> 
> 
> 
> 
> 
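A defender-side check of the X-Frame-Options values the thread discusses (DENY, SAMEORIGIN, ALLOW-FROM, and the patchy ALLOW-FROM support Erlend mentions), added here as an example and not code from the thread or from the cheat sheet it proposes. It assumes `frame-ancestors` as the CSP directive that the "wrap FO into CSP" work became; the sample header sets are constructed.

```python
"""Audit a response's clickjacking defence: parse X-Frame-Options (XFO) as the
draft-ietf-websec-x-frame-options grammar defines it and report weak setups."""
from urllib.parse import urlparse


def parse_x_frame_options(value):
    """Return (mode, origin) for an XFO value, or (None, None) when no browser
    would honour it. Tokens are case-insensitive; a value holding several tokens
    ("DENY, SAMEORIGIN") is rejected because browsers disagree on how to treat it."""
    if value is None:
        return None, None
    parts = value.strip().split(None, 1)
    if not parts:
        return None, None
    token = parts[0].upper()
    if token in ("DENY", "SAMEORIGIN") and len(parts) == 1:
        return token, None
    if token == "ALLOW-FROM" and len(parts) == 2:
        uri = urlparse(parts[1].strip())
        if uri.scheme in ("http", "https") and uri.netloc:  # exactly one origin
            return "ALLOW-FROM", f"{uri.scheme}://{uri.netloc}"
    return None, None


def audit_clickjacking_headers(headers):
    """Return a list of findings for a dict of response headers (any name case).
    An empty list means XFO alone already blocks hostile framing in every browser
    that implements the header; ALLOW-FROM needs CSP frame-ancestors as backup."""
    lower = {name.lower(): val for name, val in headers.items()}
    mode, origin = parse_x_frame_options(lower.get("x-frame-options"))
    # frame-ancestors is assumed as the CSP directive the "wrap FO into CSP" work became
    csp_directives = lower.get("content-security-policy", "").split(";")
    has_fa = any(d.strip().lower().startswith("frame-ancestors") for d in csp_directives)
    findings = []
    if "x-frame-options" not in lower:
        findings.append("no X-Frame-Options header" + (
            "; only CSP frame-ancestors protects this page" if has_fa else
            " and no CSP frame-ancestors: the page can be framed by anyone"))
    elif mode is None:
        findings.append(f"unparseable X-Frame-Options {lower['x-frame-options']!r}: "
                        "browsers ignore it or handle it inconsistently")
    elif mode == "ALLOW-FROM" and not has_fa:
        findings.append(f"ALLOW-FROM {origin} with no frame-ancestors fallback: "
                        "browsers lacking ALLOW-FROM support ignore the header")
    return findings


if __name__ == "__main__":  # constructed sample headers, not from any real site
    for sample in ({"X-Frame-Options": "DENY"}, {"x-frame-options": "DENY, SAMEORIGIN"},
                   {"X-Frame-Options": "ALLOW-FROM https://partner.example"}, {}):
        print(sample, "->", audit_clickjacking_headers(sample) or ["ok"])
```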