Andres, what do you think about it?
01.04.2012 21:36, Taras writes:
> Hi, all!
>
> Just want to inform you that I have added a very simple grep plugin [0]
> for possible ClickJacking [1] attack detection. Tests have also been
> added [2]. The principle of the check is to try to find the X-Frame-Options
> header in the response. If there is no such header, then the URL is
> vulnerable. The current TODO is to add a cookie check, because in the wild
> the target of such attacks is an action of an **authorized** user in the
> vulnerable web application. Comments are welcome! :)
>
>>> 1. ClickJacking & Phishing by mixing layers and iframe
>> We can code a grep plugin to detect such flaws.
>> The logic is very simple - if the response is text_or_html and hasn't an
>> X-Frame-Options header, then we can consider that such a response is
>> vulnerable to framing -> ClickJacking [0]. I know about frame-breaking
>> scripts but, imho, currently this header is the best solution.
>
> [0] http://w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/plugins/grep/clickJacking.py
> [1] https://www.owasp.org/index.php/Clickjacking
> [2] w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/extras/testEnv/webroot/w3af/grep/clickjacking/
>
> --
> Taras http://oxdef.info
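The check described in the quoted message, re-implemented as a stand-alone added example (this is not w3af's clickJacking.py): it flags a text/html response that carries no X-Frame-Options header and, following the TODO in the thread, reports only when the response also sets a cookie (using Set-Cookie as a proxy for an authenticated session is an assumption of this example). It goes slightly beyond the post by also treating an X-Frame-Options value that is not a recognised directive as unprotected. The sample responses are constructed.

```python
# Added example: a minimal "grep"-style clickjacking check over raw HTTP responses.
VALID_XFO = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP response into {lower-name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def is_html(headers: dict) -> bool:
    """Only HTML documents can be framed into a clickjacking overlay."""
    return headers.get("content-type", [""])[0].lower().startswith("text/html")


def xfo_protects(headers: dict) -> bool:
    """True only if every X-Frame-Options value is a recognised directive."""
    values = headers.get("x-frame-options", [])
    if not values:
        return False
    return all(v.upper().split()[:1] and v.upper().split()[0] in VALID_XFO for v in values)


def check_clickjacking(raw: bytes, require_cookie: bool = True):
    """Return a finding string, or None when the response is not reportable."""
    headers = parse_headers(raw)
    if not is_html(headers) or xfo_protects(headers):
        return None
    if require_cookie and "set-cookie" not in headers:
        return None  # thread TODO: focus on responses tied to an authorized user (assumption: Set-Cookie)
    if "x-frame-options" in headers:
        return "X-Frame-Options present but not a valid directive: %r" % headers["x-frame-options"]
    return "X-Frame-Options header missing on text/html response"


# Constructed sample responses used by the demo run below.
VULN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
        b"Set-Cookie: session=abc; HttpOnly\r\n\r\n<html>...</html>")
SAFE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"X-Frame-Options: SAMEORIGIN\r\nSet-Cookie: s=1\r\n\r\n<html></html>")
JSON = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"
ANON = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for name, resp in [("VULN", VULN), ("SAFE", SAFE), ("JSON", JSON), ("ANON", ANON)]:
        print(name, "->", check_clickjacking(resp))
```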