[Owasp-leaders] Clickjacking Defense

Jason Li jason.li at owasp.org
Thu Sep 6 00:30:49 UTC 2012


To be clear, neither August nor I said that the frame-busting script is
bulletproof.

In our private exchange, you insisted that you had a proof of concept to
evade the script and we simply asked you to share the information. As I
said in that exchange (verbatim), if there's an exploitable problem in the
widely recommended best practice, then let's get it out there so those
organizations can work in a situationally-aware environment.

I agree with the notion that certain frame-busting scripts are woefully
inadequate. This point is widely known and highlighted in the commonly
cited Stanford Busting Frame Busting paper. A comprehensive cheat sheet
should most definitely warn readers about these types of simple but broken
techniques.

The reality though is that there are lots of organizations out there that
have no choice but to support users that are using older browsers that
don't support modern headers. A comprehensive clickjacking cheat sheet
should have something for them too.

-Jason

On Wed, Sep 5, 2012 at 7:24 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I share in this opinion, Michael.
>
> However, I've been talking to August Detlefsen and Jason Li and they both
> feel that their frame-busting script is bulletproof.
>
> If anyone can find a way to circumvent:
>
> https://www.codemagi.com/blog/post/194
>
> ... I'll send you a bottle of really good Jameson (if you are over 21).
>
> Unless someone can come up with an evasion to this frame-busting JS/CSS
> control, I'm going to refer to it in the cheat sheet.
>
> •throws down the gauntlet•
>
> Aloha,
>
> --
> Jim Manico
> (808) 652-3805
>
> On Sep 5, 2012, at 11:19 PM, Michael Coates <michael.coates at owasp.org>
> wrote:
>
> Here's the info on browser support for X-frame-options.  I also second the
> idea of adding a section on "Ineffective Approaches" which talks about
> frame busting scripts.
>
>
>
> https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header#Browser_compatibility
>
> Browser compatibility (lowest version):
> Internet Explorer 8.0
> Firefox (Gecko) 3.6.9 (1.9.2.9)
> Opera 10.50
> Safari 4.0
> Chrome 4.1.249.1042
>
>
>
>
> - Michael Coates
>
>
>
>
> On Tue, Sep 4, 2012 at 3:29 PM, Neil Matatall <neil at owasp.org> wrote:
>
>> I'd like to see a blurb that says "require a confirmation or otherwise
>> two-step process" as an option - browser agnostic, fairly easy to secure,
>> and UX folk love it (sarcasm).
>>
>> On Tue, Sep 4, 2012 at 3:16 PM, Erlend Oftedal <Erlend.Oftedal at bekk.no>wrote:
>>
>>>  That's great news!
>>>
>>> Erlend
>>>  ------------------------------
>>> From: Tobias
>>> Sent: 04.09.2012 19:00
>>> To: Erlend Oftedal
>>> Cc: eoin.keary at owasp.org; jim.manico at owasp.org; eoinkeary at gmail.com;
>>> owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] Clickjacking Defense
>>>
>>>
>>>  Hi Erlend,
>>> FYI: actually we are currently working on rolling the "Allow-From" into
>>> the next version of XFO for all browsers, which in this case then will be
>>> Frame-Options (without the "X-").
>>> An alternative route we currently analyse is to wrap FO into CSP, but
>>> there are some technical problems with that. Would expect all to be sorted
>>> and done by Q1 2013.
>>> Best regards, Tobias
>>>
>>> Ps.: the current XFO:
>>> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00
>>> and the new FO
>>> http://tools.ietf.org/html/draft-ietf-websec-frame-options-00
>>>
>>>
>>>
>>> On 04/09/12 21:06, Erlend Oftedal wrote:
>>>
>>> I did a bit of research on X-frame-options a while back. At the time
>>> only IE supported Allow-from.
>>> That may still hold.
>>> http://erlend.oftedal.no/blog/tools/xframeoptions/
>>>
>>> Erlend
>>>
>>>   ------------------------------
>>> From: owasp-leaders-bounces at lists.owasp.org [
>>> owasp-leaders-bounces at lists.owasp.org] on behalf of Eoin [
>>> eoin.keary at owasp.org]
>>> Sent: 4 September 2012 13:35
>>> To: Jim Manico
>>> Cc: Eoin Keary; owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] Clickjacking Defense
>>>
>>>  Sure not everyone is security savvy. They'll use older browsers!!
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 4 Sep 2012, at 08:59, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>   It's an ineffective approach.  I'd prefer to add a section saying NOT
>>> to do it and will provide the Stanford article link as backup. Fair?
>>>
>>> PS: If you use an older browser you have much much bigger problems....
>>>
>>> --
>>> Jim Manico
>>> (808) 652-3805
>>>
>>> On Sep 4, 2012, at 8:44 AM, Eoin Keary <eoinkeary at gmail.com> wrote:
>>>
>>>   So we should mention that?? It is still a common approach to cover
>>> older browsers.
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 3 Sep 2012, at 21:35, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>   It's so easily evadable ...
>>>
>>> http://seclab.stanford.edu/websec/framebusting/framebust.pdf
>>>
>>> ... I no longer recommend the technique. If there IS a good JavaScript
>>> framebusting technique I'm all ears...
>>>
>>> Jim Manico
>>> OWASP Volunteer
>>> (808) 652-3805
>>>
>>>
>>>
>>> The jscript stuff still makes it a little harder. There are also some sorta effective solutions. Should you not include them?
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>
>>>  I want to write a Cheat-sheet on Clickjacking defense.
>>>
>>> I was thinking of just discussing the different framing blocking headers....
>>>
>>> // to prevent all framing of this content
>>> response.addHeader( "X-FRAME-OPTIONS", "DENY" );
>>>
>>> // to allow framing of this content only by this site
>>> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>>>
>>> // to allow framing from a specific domain
>>> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
>>>
>>> ...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.
>>>
>>> What do you think, any thoughts on this topic?
>>>
>>> Cheers folks,
>>>
>>> Jim Manico
>>> OWASP Volunteer
>>> (808) 652-3805
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
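The X-Frame-Options values from Jim's original message (DENY, SAMEORIGIN, ALLOW-FROM), turned into a response-header audit plus a WSGI wrapper that sets the header on every response the way his servlet addHeader() calls do. This is an added example, not code from the thread or from OWASP; the function names, the constructed sample app and the WSGI form are assumptions.

```python
# Added example for this thread, not code from the original posts. The XFO
# values DENY / SAMEORIGIN / ALLOW-FROM come from the thread; the function
# names, the sample app and the WSGI wrapper are assumptions.
import re
from typing import List, Tuple

ALLOW_FROM_RE = re.compile(r"^ALLOW-FROM\s+(\S+)$", re.IGNORECASE)


def classify_xfo(headers: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Return (verdict, detail) for a response header list; verdict is one of
    'missing', 'protected', 'allow-from', 'invalid'. Names and values are
    matched case-insensitively, so 'sameorigin' counts as protected."""
    values = [v.strip() for k, v in headers if k.lower() == "x-frame-options"]
    if not values:
        return "missing", "no X-Frame-Options; frame-busting JS alone is evadable"
    if len(values) > 1:
        return "invalid", "multiple X-Frame-Options headers; browser-dependent"
    value = values[0]
    if value.upper() in ("DENY", "SAMEORIGIN"):
        return "protected", value.upper()
    match = ALLOW_FROM_RE.match(value)
    if match:  # per the thread, only IE honoured ALLOW-FROM at the time
        return "allow-from", match.group(1)
    return "invalid", value


def xfo_middleware(app, value: str = "DENY"):
    """Wrap a WSGI app so every response carries X-Frame-Options unless the
    app already set one (the thread's servlet addHeader() calls, as middleware)."""
    def wrapped(environ, start_response):
        def guarded_start(status, headers, exc_info=None):
            if not any(k.lower() == "x-frame-options" for k, _ in headers):
                headers = list(headers) + [("X-Frame-Options", value)]
            return start_response(status, headers, exc_info)
        return app(environ, guarded_start)
    return wrapped


def call_wsgi(app, environ=None):
    """Invoke a WSGI app offline and return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app(environ or {}, start_response))
    return captured["status"], captured["headers"], body


def sample_app(environ, start_response):
    """Constructed sample app that forgets to set X-Frame-Options."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>login form</html>"]
```

Wrapping the app twice with different values shows the guard: the innermost wrapper wins and the outer one does not add a second, conflicting header.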