Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: Clickjacking Prevention
Posted by: p0deje
Date: March 07, 2010 12:05AM

Even though using a comment like <!-- blah-blah --> worked in a simple HTML file, when I added it to Drupal, document.write wasn't stopped by this comment. I had to change the comment to <! blah-blah --> and that way it worked in all major browsers.

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: p0deje
Date: March 07, 2010 12:16PM

Explain this to me:
<script>
if (top === self) {
  document.write("<!--");
}
</script>
<style>
body {
  display: none; 
}
</style>
<! stop document writing -->
This trick is useful because the usual framebuster, which is a particular script, can be disabled with the XSS filter.

But you say that the stylesheet can be disabled with the XSS filter too.
Then what's the point of this trick if the CSS that hides the body can be disabled?

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: sirdarckcat
Date: March 07, 2010 03:11PM

If your website has a ( in the code somewhere, then you can disable it, e.g.

<style>
body{
....
</style>
....
bla bla bla (hello) bla bla bla


the attacker can do

<style>......(hello)


and <style> is converted to <st#le>, and the CSS is disabled.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Clickjacking Prevention
Posted by: p0deje
Date: March 09, 2010 09:01AM

Can you point me to some doc about disabling JS/CSS selectively via XSS filters?
Google didn't help me a lot.

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: sirdarckcat
Date: March 10, 2010 03:36AM

Yeah, http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
Check the references too; kuza55 was the first one to talk about that.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Clickjacking Prevention
Posted by: p0deje
Date: March 18, 2010 11:15AM

I've decided not to create a new thread for this, because it's about Clickjacking.

I had a quick talk with Giorgio Maone, because it looked wrong to me that ClearClick bypasses clickjacking if it's done within the same domain. He told me that there is no precedent for a same-domain Clickjacking attack except ones related to plugin objects. Cross-domain is one of the main concepts of Clickjacking/UI Redressing.

But still I don't get it. For example, we have some big social network site with no clickjacking defense. It allows posting <object> because of YouTube. So the attacker creates a post with <object style="opacity: 0" type="text/html" data="http://www.socialnetwork.com/video.php?id=123"> and some picture of a cool naked girl with the text "Click my tits to view size them". Then, when anybody sees this post and clicks, he adds a 5-star rating to the video.

Yes, I understand that this is a schoolbook, idealised example and no site would allow posting <object> in such circumstances. But if there is such a site which, besides that, is vulnerable to http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html, then what?

I guess it's "Theoretically vulnerable" and I want to "Know its reality" (c)

---------
http://p0deje.blogspot.com
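The same-origin <object> scenario above, handled from the defender's side as an added example that is not part of the thread: an allowlist sanitizer for user posts (the tag and attribute policy is assumed, as is the YouTube embed URL format) that drops <object>, <embed>, <iframe>, <script> and <style> outright, so the opacity:0 object never reaches the page, and has the server generate the video embed from a validated id instead of accepting raw markup.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed site policy (example, not the thread's): user posts may contain only these
# tags/attributes. <object>, <embed>, <iframe>, <script> and <style> are never allowed,
# so the opacity:0 <object> described in the thread cannot be posted at all.
ALLOWED_TAGS = {"p", "b", "i", "a", "br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
YOUTUBE_ID = re.compile(r"^[A-Za-z0-9_-]{11}$")


class PostSanitizer(HTMLParser):
    """Rebuilds the markup from scratch, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded, we re-escape it
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # tag removed; its text content is still kept (escaped)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # URL attributes must be absolute http(s): rejects javascript:, data: and relative URLs
            if name in ("href", "src") and not value.lower().startswith(("http://", "https://")):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))
    # Comments and <!DOCTYPE>/<! ...> declarations are silently discarded (default handlers).


def sanitize_post(html_text):
    """Returns (clean_html, list_of_dropped_tag_names)."""
    p = PostSanitizer()
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.dropped


def youtube_embed(video_id):
    """Server-side embed: only a validated 11-char id is interpolated; the user supplies no markup."""
    if not YOUTUBE_ID.match(video_id):
        return None
    return f'<iframe src="https://www.youtube.com/embed/{video_id}" sandbox="allow-scripts allow-same-origin"></iframe>'
```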

Re: Clickjacking Prevention
Posted by: sirdarckcat
Date: March 20, 2010 09:50PM

If they allow you to put <object>, they have bigger problems already.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Clickjacking Prevention
Posted by: p0deje
Date: March 21, 2010 01:38PM

I guess you are talking about XSS, aren't you?
What if they use a very tough sandbox and filtering?

However, I've got it - this kind of attack is supposed to be incredible, because other, more serious vectors will occur in such circumstances. Thanks :)

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: Bullet
Date: February 07, 2011 04:58AM

Comitari products protect against different client-side web attacks: ClickJacking, XSS, CSRF, Phishing, File Stealing via browser, Buffer Overflow and others.

The interesting thing (that is relevant for this post) is that their product:
1) Protects against ClickJacking on all IE versions (IE6, IE7, IE8, IE9 beta) in all ClickJacking variants (dynamic iframe properties like CSS, URL and some other techniques that are widely exploited today).
2) The XSS engine protects against XSS attacks on the client side and CLOSES the IE8 XSS filter abuse option by blocking XSS attacks before the IE8 XSS filter tries to match them on the response.

Link to website: http://www.comitari.com

Re: Clickjacking Prevention
Posted by: Albino
Date: February 08, 2011 12:33PM

Maybe this is a cunning attempt to trick a slacker into hacking comitari.

Re: Clickjacking Prevention
Posted by: Bullet
Date: February 08, 2011 01:41PM

Albino, I have tried to bypass Comitari's full version product, but without any success - it blocked all XSS, ClickJacking, Phishing and CSRF attempts.

Btw, it blocks all attacks even before IE's XSS & phishing filters.

If you'll (if you'll get only the free version, then try to bypass their CJ), please share it with us.


Re: Clickjacking Prevention
Posted by: Anonymous User
Date: February 11, 2011 08:29PM

Smoketest > words

Re: Clickjacking Prevention
Posted by: Skyphire
Date: February 19, 2011 04:22PM

Quote:
Maybe this is a cunning attempt to trick a slacker into hacking comitari.

I lolled.

Quote:
Maude Lebowski: What do you do for recreation?
The Dude: Oh, the usual. I bowl. Drive around. The occasional acid flashback.

That's more like it.
