Andres,

> This is my review of the clickJacking plugin:
>
> * The httpResponse class has a getLowerCaseHeaders method which
> you could find useful

Thanks, I will replace it with getLowerCaseHeaders.

> * The plugin seems to have the correct logic for detecting clickJacking

Great! =)

> * ISSUE: If the site has 250 html/text pages and w3af performs 10
> requests each, we'll end up with 2500 vulnerabilities in the KB, in other
> words, there is no control over duplicate vulnerability reports.
> Related to this issue, I think that the best thing to do here is to
> summarize the findings. I would expect a plugin like this one to
> report vulnerabilities in the following way:
> - If none of the URLs implement protection, simply report
> ONE vulnerability that says that. Low (maybe medium?) risk.
> - If most of the URLs implement the protection but some
> don't, report ONE vulnerability saying: "Most are protected, but x, y,
> z, w are not". Low risk.
> - If all URLs implement protection, don't report anything.
>
> What do you guys think?

Agree, I will add this logic into the plugin.

>
>> lukesun629@, you were interested in HTML5 security risks. Did you try
>> this simple plugin to detect possible ClickJacking flaws?
>>
>> On 04/03/2012 04:11 PM, Taras wrote:
>>> Andres,
>>>
>>> what do you think about it?
>>>
>>>
>>> 01.04.2012 21:36, Taras wrote:
>>>> Hi, all!
>>>>
>>>> Just want to inform you that I have added a very simple grep plugin [0]
>>>> for possible ClickJacking [1] attack detection. Tests have also been
>>>> added [2]. The principle of the check is to try to find the X-Frame-Options
>>>> header in the response. If there is no such header, then the URL is
>>>> vulnerable. The current TODO is to add a cookie check, because in the wild
>>>> the target of such attacks is an action of an **authorized** user in the
>>>> vulnerable web application. Comments are welcome! :)
>>>>
>>>>>> 1. ClickJacking & Phishing by mixing layers and iframe
>>>>> We can code a grep plugin to detect such flaws.
>>>>> The logic is very simple: if the response is text_or_html and doesn't
>>>>> have an X-Frame-Options header, then we can consider that such a response
>>>>> is vulnerable to framing -> ClickJacking [0]. I know about frame-breaking
>>>>> scripts but, imho, currently this header is the best solution.
>>>>
>>>> [0] http://w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/plugins/grep/clickJacking.py
>>>> [1] https://www.owasp.org/index.php/Clickjacking
>>>> [2] w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/extras/testEnv/webroot/w3af/grep/clickjacking/
>>>>
>>
>> --
>> Taras
>> http://oxdef.info
>>
>> ------------------------------------------------------------------------------
>> For Developers, A Lot Can Happen In A Second.
>> Boundary is the first to Know...and Tell You.
>> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
>> http://p.sf.net/sfu/Boundary-d2dvs2
>> _______________________________________________
>> W3af-develop mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Taras
http://oxdef.info
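The header check Taras describes, combined with the summarized reporting Andres proposes in his review, as an added Python example that is not the plugin's or w3af's code; the Response class, ClickjackingGrep, scan() and the sample responses are constructed stand-ins for w3af's httpResponse and grep-plugin interface.

```python
# Added example (not w3af's own code): a grep-style check mirroring the plugin logic in the
# thread, plus the summarized reporting the review proposes. All names and samples are constructed.
from dataclasses import dataclass
@dataclass
class Response:
    url: str
    headers: dict
    def lowercase_headers(self):
        # Stand-in for w3af's getLowerCaseHeaders(): header names are case-insensitive.
        return {k.lower(): v for k, v in self.headers.items()}

    def is_text_or_html(self):
        return self.lowercase_headers().get("content-type", "").lower().startswith("text/")

class ClickjackingGrep:
    def __init__(self):
        self.protected = set()    # sets de-duplicate repeated requests to one URL
        self.unprotected = set()

    def grep(self, response):
        if not response.is_text_or_html():
            return  # images, scripts, etc. are not rendered as framed pages
        # Presence check only, as in the plugin; DENY vs SAMEORIGIN is not judged.
        if "x-frame-options" in response.lowercase_headers():
            self.protected.add(response.url)
        else:
            self.unprotected.add(response.url)

    def end(self):
        """Return one (severity, message) finding, or None if every URL is protected."""
        if not self.unprotected:
            return None
        if not self.protected:
            return ("Low", "None of the %d text/html URLs set X-Frame-Options."
                    % len(self.unprotected))
        return ("Low", "Most URLs set X-Frame-Options, but these do not: "
                + ", ".join(sorted(self.unprotected)))

def scan(responses):
    plugin = ClickjackingGrep()
    for r in responses:
        plugin.grep(r)
    return plugin.end()
SAMPLE = [  # constructed responses; /login is fetched twice to show de-duplication
    Response("http://example.test/", {"Content-Type": "text/html", "X-Frame-Options": "DENY"}),
    Response("http://example.test/login", {"content-type": "text/html; charset=utf-8"}),
    Response("http://example.test/login", {"content-type": "text/html; charset=utf-8"}),
    Response("http://example.test/logo.png", {"Content-Type": "image/png"}),
]
```

scan(SAMPLE) returns a single Low finding naming only /login, even though that page was fetched twice; a site where every text/html URL lacks the header yields one finding, and a fully protected site yields None.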
