Everybody ping :) lukesun629@, you were interested in HTML5 security risks. Did you try this simple plugin to detect possible ClickJacking flaws?
On 04/03/2012 04:11 PM, Taras wrote:
> Andres,
>
> what do you think about it?
>
>
> 01.04.2012 21:36, Taras wrote:
>> Hi, all!
>>
>> Just want to inform you that I have added a very simple grep plugin [0]
>> for possible ClickJacking [1] attack detection. Tests have also been
>> added [2]. The principle of the check is to try to find the X-Frame-Options
>> header in the response. If there is no such header then the URL is
>> vulnerable. The current TODO is to add a cookie check, because in the
>> wild the target of such attacks is an action of an **authorized** user
>> in the vulnerable web application. Comments are welcome! :)
>>
>>>> 1. ClickJacking & Phishing by mixing layers and iframe
>>> We can code a grep plugin to detect such flaws.
>>> The logic is very simple - if the response is text_or_html and has no
>>> X-Frame-Options header then we can consider that such a response is
>>> vulnerable to framing -> ClickJacking [0]. I know about frame-breaking
>>> scripts but, imho, currently this header is the best solution.
>>
>> [0] http://w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/plugins/grep/clickJacking.py
>> [1] https://www.owasp.org/index.php/Clickjacking
>> [2] w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/extras/testEnv/webroot/w3af/grep/clickjacking/
>>
>
> --
> Taras
> http://oxdef.info

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
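The check Taras describes (HTML response, no X-Frame-Options header, and the planned cookie check so that only responses to an authenticated request are reported), written out as a stand-alone Python example. This is added illustration, not the clickJacking.py plugin from the thread: the HttpResponse class is a stand-in for w3af's response object, the sample responses are constructed for this example, and two things go beyond the original logic. An X-Frame-Options value a browser would not honour (anything other than DENY or SAMEORIGIN; ALLOW-FROM was never supported by all browsers) is treated as no protection, and a Content-Security-Policy frame-ancestors directive, which browsers prefer over X-Frame-Options, counts as protection so the check does not report false positives on sites that moved to CSP.

```python
"""Grep-style clickjacking check, modelled on the thread's description.

Added example; not w3af's own plugin.  HttpResponse is an assumed stand-in
for the scanner's response object, and SAMPLES are constructed responses.
"""
from dataclasses import dataclass


@dataclass
class HttpResponse:
    """Minimal response record (assumption, not the w3af API)."""
    url: str
    headers: dict                 # header name -> value, as received
    body: str = ""
    request_cookies: str = ""     # the Cookie header the request carried, if any


def _header(headers, name):
    """Case-insensitive lookup: HTTP header names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def is_html(resp):
    """Only HTML can be framed to any effect; skip JSON, images, etc."""
    ctype = (_header(resp.headers, "Content-Type") or "").split(";")[0]
    return ctype.strip().lower() in ("text/html", "application/xhtml+xml")


def framing_protected(resp):
    """True if the response carries anti-framing protection a browser honours."""
    xfo = (_header(resp.headers, "X-Frame-Options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    # Invalid values (e.g. ALLOWALL) or ALLOW-FROM are ignored by browsers,
    # so they fall through as "not protected".
    csp = _header(resp.headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # frame-ancestors * permits any origin, so it is no protection.
            return parts[1:] != ["*"]
    return False


def grep(resp, require_session=True):
    """Return a finding string for a framable HTML response, else None.

    require_session implements the thread's TODO: report only when the
    request carried cookies, since the attack needs an authorized victim.
    """
    if not is_html(resp):
        return None
    if framing_protected(resp):
        return None
    if require_session and not resp.request_cookies:
        return None
    return "Possible clickjacking: %s is HTML without X-Frame-Options" % resp.url


def vulnerable_urls(responses, require_session=True):
    """Run the grep over a batch of responses; return the flagged URLs."""
    return [r.url for r in responses if grep(r, require_session)]


# Constructed sample traffic (not captured from any real site).
SAMPLES = [
    HttpResponse("http://target.example/account",
                 {"Content-Type": "text/html; charset=utf-8"},
                 "<html>...</html>", request_cookies="session=abc"),
    HttpResponse("http://target.example/public",
                 {"Content-Type": "text/html"}, "<html>"),          # no session
    HttpResponse("http://target.example/settings",
                 {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
                 "<html>", request_cookies="session=abc"),
    HttpResponse("http://target.example/api",
                 {"Content-Type": "application/json"}, "{}",
                 request_cookies="session=abc"),
    HttpResponse("http://target.example/profile",
                 {"Content-Type": "text/html", "x-frame-options": "ALLOWALL"},
                 "<html>", request_cookies="session=abc"),           # invalid value
    HttpResponse("http://target.example/admin",
                 {"Content-Type": "text/html",
                  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
                 "<html>", request_cookies="session=abc"),
]

if __name__ == "__main__":
    for finding in (grep(r) for r in SAMPLES):
        if finding:
            print(finding)
```

With the session check on, only /account and /profile are reported: /public has no cookies, /settings and /admin are protected, and /api is not HTML. Passing require_session=False adds /public, which is the behaviour of the plugin before the cookie TODO.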