Hi, all! Fixed according Andres's comments. Now plugin reports complexly only one vulnerability.
On 04/17/2012 02:00 AM, Andres Riancho wrote: > Taras, > > On Fri, Apr 13, 2012 at 4:55 AM, Taras<ox...@oxdef.info> wrote: >> Everybody ping :) > > This is my review of the clickJacking plugin: > > * The httpResponse class has a getLowerCaseHeaders method which > you could find useful > * The plugin seems to have the correct logic for detecting clickJacking > * ISSUE: If the site has 250 html/text pages and w3af performs 10 > requestch, we'll end up with 2500 vulnerabilities in the KB, in other > words, there is no control over duplicate vulnerability reports. > Related to this issue, I think that the best thing to do here is to > summarize the findings. I would expect a plugin like this one to > report vulnerabilities in the following way: > - If none of the URLs implement protection, simply report > ONE vulnerability that says that. Low (maybe medium?) risk. > - If most of the URLs implement the protection but some > don't, report ONE vulnerability saying: "Most are protected, but x, y, > z, w are not". Low risk. > - If all URLs implement protection, don't report anything. > > What do you guys think? > >> lukesun629@, you was interested in HTML5 security risks. Did you try >> this simple plugin to detect possible ClickJacking flaws? >> >> On 04/03/2012 04:11 PM, Taras wrote: >>> Andres, >>> >>> what do you think about it? >>> >>> >>> 01.04.2012 21:36, Taras пишет: >>>> Hi, all! >>>> >>>> Just want to inform you that I have added very simple grep plugin [0] >>>> for possible ClickJacking [1] attack detection. Tests also have been >>>> added[2]. Principle of check is try to find X-Frame-Options header in >>>> response. If no such header then URL is vulnerable. Current TODO is to >>>> add cookie check because in wild world target of such attacks is action >>>> of **authorized** user in vulnerable web application. Comments are >>>> welcome! :) >>>> >>>>>> 1.ClickJacking& Phishing by mixing layers and iframe >>>>> We can code grep plugin to detect such flaws. >>>>> Logic is very simple - if response is text_or_html and hasn't >>>>> X-Frame-Options header then we can consider that such response is >>>>> vulnerable to framing -> ClickJacking [0]. I know about frame breaking >>>>> scripts but, imho, currently this header is the best solution. >>>> >>>> [0] >>>> http://w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/plugins/grep/clickJacking.py >>>> [1] https://www.owasp.org/index.php/Clickjacking >>>> [2] >>>> w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/extras/testEnv/webroot/w3af/grep/clickjacking/ >>>> >>> -- Taras http://oxdef.info ------------------------------------------------------------------------------ For Developers, A Lot Can Happen In A Second. Boundary is the first to Know...and Tell You. Monitor Your Applications in Ultra-Fine Resolution. Try it FREE! http://p.sf.net/sfu/Boundary-d2dvs2 _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
