Monday, September 29, 2008

Clickjacking (Maybe? Sort of?) Speculation

Late last week, I wrote a couple of blog posts speculating about RSnake and Jeremiah Grossman's canceled OWASP talk. After a couple thousand page views, I figure I ought to mention it here. The first post is about evading pop-up blockers through click trickery; the second is a postulation of what the "Clickjacking" problem really is.

To put it simply, human eyeballs don't adhere to the same-origin policy.

I've been spending the morning experimenting some more, and I'm pretty certain now that these techniques can be used to create some pretty convincing phishing sites.

At any rate, it would appear that sites can protect themselves by including a frame-busting snippet on every page that has a remotely useful form. Requiring code like this to be duplicated all over the place sucks, of course. Practically, though, it's not a whole lot different from the ubiquitous browser detection snippets that litter the Internet.
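Here is what such a frame-busting snippet can look like, as an added example that is not from the original post. It assumes the page's `<head>` starts with `<style>html{display:none}</style>`, so the page is blank until the script confirms it is the top-level window; the decision is kept in a small pure function so it can be checked outside a browser.

```javascript
// Frame-busting helper for a page that must never be rendered inside
// another site's <iframe>. Added example, not code from the original post.
// Assumes the document starts hidden via <style>html{display:none}</style>,
// so a framer that manages to block this script gets a blank page rather
// than a clickable one.

// Pure decision function. `win` is any object exposing `top` and `self`
// the way a DOM Window does, which lets it be tested without a browser.
function shouldBust(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // If the parent makes `top` inaccessible, assume we are framed.
    return true;
  }
}

// Applies the decision to a real document: reveal the page when it is
// top-level, otherwise navigate the outer window to this page's URL.
// Returns the action taken so callers (and tests) can observe it.
function installFrameBuster(win, doc) {
  if (shouldBust(win)) {
    // Assigning a cross-origin window's location is permitted, so this
    // replaces the framing page with the protected page itself.
    win.top.location = win.self.location;
    return "busted";
  }
  doc.documentElement.style.display = "block";
  return "revealed";
}

// Run automatically in a browser; a no-op when loaded outside one.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  installFrameBuster(window, document);
}
```

Script-based busting is best-effort: a hostile parent has several ways to interfere with it, so in modern deployments it supplements, rather than replaces, server-sent framing controls such as `X-Frame-Options` or CSP `frame-ancestors`.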
