
OWASP Periodic Table of Vulnerabilities - Clickjacking

From OWASP

Revision as of 19:35, 14 May 2013


Clickjacking

Root Cause Summary

User agents allow a page on one origin to load a target site in a frame, position that frame (typically transparently) over decoy content, and so have the user's mouse clicks intercepted by, or redirected to, the target site. Users believe they are clicking on a visible UI element, but the click actually lands on a different element in the framed target site.

Browser / Standards Solution

CSP should let a site define a white list of origins that are allowed to load the site in a frame (this is the role of the frame-ancestors directive in CSP Level 2). The default should be SAMEORIGIN. The policy should allow custom rules for specific URLs within the site, so that a subset of pages (for example an embeddable widget) can carry framing rules different from the rest of the site.

Perimeter Solution

None

Generic Framework Solution

The framework should provide a configurable white list of origins matching the requirements of the CSP standard. Until the CSP framing directive is finalized and widely supported, the framework should translate the same white list rules into the appropriate X-Frame-Options header on every response (DENY, SAMEORIGIN, or ALLOW-FROM a single origin), bearing in mind that X-Frame-Options cannot express a list of several origins.

The framework should detect the user-agent version. If the UA supports neither CSP nor X-Frame-Options, the framework should automatically inject the appropriate frame-busting code, or redirect to a browser-upgrade message when the desired policy cannot be implemented without CSP/XFO.
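The following is an added example, not code from the OWASP page or any framework it refers to, showing how the per-URL white list described under "Browser / Standards Solution" and "Generic Framework Solution" can be turned into response headers and, where the headers cannot express the rule, into injected frame-busting code. The rule table (FRAMING_RULES), the sample origins, and the function names are illustrative assumptions; the frame-busting snippet itself is the style-plus-script pattern recommended by the Stanford framebusting paper cited below.

```javascript
// Added example (not OWASP's code). Maps a per-path framing white list onto
// Content-Security-Policy: frame-ancestors plus the X-Frame-Options fallback,
// and injects frame-busting code where the policy is deny-all.

// Constructed sample policy (assumption): most of the site refuses framing,
// a widget path may be framed by one partner origin, an embed path by two.
const SELF = "'self'";
const FRAMING_RULES = [
  { prefix: "/widget/", allow: ["https://partner.example"] },
  { prefix: "/embed/",  allow: ["https://a.example", "https://b.example"] },
  { prefix: "/",        allow: [] }, // catch-all: deny framing entirely
];

// Longest matching prefix wins, so /widget/ overrides the catch-all rule.
function ruleFor(pathname) {
  return FRAMING_RULES
    .filter(r => pathname.startsWith(r.prefix))
    .sort((a, b) => b.prefix.length - a.prefix.length)[0];
}

// CSP frame-ancestors carries the whole list. X-Frame-Options can only say
// DENY, SAMEORIGIN or ALLOW-FROM <one origin>; for anything else it has no
// equivalent, so we return null rather than emit a wrong header.
function framingHeaders(allow) {
  const csp = "frame-ancestors " + (allow.length ? allow.join(" ") : "'none'");
  let xfo;
  if (allow.length === 0) xfo = "DENY";
  else if (allow.length === 1 && allow[0] === SELF) xfo = "SAMEORIGIN";
  else if (allow.length === 1) xfo = "ALLOW-FROM " + allow[0];
  else xfo = null;
  return { "Content-Security-Policy": csp, "X-Frame-Options": xfo };
}

// Frame-busting code from the Stanford framebusting paper: the body is hidden
// by CSS until the script proves it is the top-level document, so an attacker
// who suppresses script execution gets a blank page, not a framed one.
const FRAMEBUSTER =
  '<style id="antiClickjack">body{display:none !important;}</style>' +
  '<script>' +
  'if (self === top) {' +
  '  var antiClickjack = document.getElementById("antiClickjack");' +
  '  antiClickjack.parentNode.removeChild(antiClickjack);' +
  '} else {' +
  '  top.location = self.location;' +
  '}' +
  '</script>';

// Put the snippet at the start of <head> so it runs before the body renders.
function injectFramebuster(html) {
  const i = html.indexOf("<head>");
  if (i < 0) return FRAMEBUSTER + html;
  return html.slice(0, i + 6) + FRAMEBUSTER + html.slice(i + 6);
}

// Apply the rule for a path: returns the headers to set and the (possibly
// modified) body. Script fallback is only used for deny-all, because the
// busting code would also evict framers the policy is meant to allow.
function protectResponse(pathname, html) {
  const allow = ruleFor(pathname).allow;
  const headers = {};
  for (const [name, value] of Object.entries(framingHeaders(allow))) {
    if (value !== null) headers[name] = value;
  }
  const body = allow.length === 0 ? injectFramebuster(html) : html;
  return { headers, body };
}

// Usage: show what each sample path would get.
for (const p of ["/account", "/widget/button", "/embed/player"]) {
  const r = protectResponse(p, "<html><head></head><body></body></html>");
  console.log(p, r.headers, r.body.includes("antiClickjack") ? "(framebuster injected)" : "");
}
```

Two caveats a practitioner should keep in mind. First, ALLOW-FROM was never supported by Chrome or Safari, so the single-partner case above is effectively protected only by the CSP header in those browsers. Second, the user-agent detection the page proposes is fragile; setting both headers on every response and injecting the frame-busting snippet for deny-all pages covers the same ground without depending on a UA version table.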

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

Generic UI redressing (of which clickjacking is one form) may be too difficult to solve quickly, but addressing it would be a better long-term solution than framing policy rules alone.

References

Clickjacking (OWASP wiki page)
X-Frame-Options Specification, https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
Framebusting research and recommendation, http://seclab.stanford.edu/websec/framebusting/framebust.pdf