Current archive: June 11, 2013
Who do you trust? Cross-domain content extraction with Clickjacking
Written on: June 11, 2013
Overview

Today I'll illustrate how it's possible to extract sensitive data via Clickjacking by taking advantage of some liberal framing behaviors in Firefox, coupled with an X-Frame-Options: Allow header that forms an implicit trust relationship between two sites. This Clickjacking POC takes advantage of several site and browser behaviors, including:

Etsy.com set an X-Frame-Options: Allow header when accessed directly from a search engine query result
Microsoft Bing search engine allows framing…
Read more... In category: Web Security
Tags: Bing, Clickjacking, content extraction, cross domain, Etsy, Firefox, trust, X-Frame-Options