Your security, networking, programming, and application news source.

Saturday, September 27, 2008



  Clickjacking is the buzzword of the week. Robert “RSnake” Hansen and Jeremiah Grossman had planned a presentation on clickjacking at the <world OWASP conference in New York>. After sharing the information with Adobe, they were <asked to delay> releasing the details because of its impact on one of Adobe's products.

  Clickjacking is underappreciated, but well known. Traditionally, JavaScript had many implications in this area, but this attack does not require JavaScript. This zero day is purported to be a fundamental flaw in how browsers handle web pages that affects all (or most all?) graphical browsers. From <Jeremiah Grossman on his blog>, "At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional 'exploits,' and that guarding against clickjacking was largely the browser vendors' responsibility."

It's been said by many people that turning off JavaScript will not prevent this attack. The Firefox plugin/add-on <NoScript> does much more than micro-managing JavaScript. <ZDNet's Blog> posted the following email from <Firefox Noscript>:

Hi Ryan,
  I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
  I had access to detailed information about how this attack works and I can tell you the following:
  1. It’s really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the “Plugins|Forbid <IFRAME>” option.

Through <Jeremiah Grossman's blog> (referred to in the email above) and <Robert Hansen's blog at> some information about the zero day can be found, but it seems the rest of the details have been kept pretty tight.

<Breaking Point Systems> has been speculating on this vulnerability and posted <source to some forms of web jacking>. Later they realized that these weren't exactly the zero day and then posted this <proof of concept "IFrame Trick"> which seems to fit the details of the vulnerability.
