Who do you trust? Cross-domain content extraction with Clickjacking
Overview Today I’ll illustrate how it’s possible to extract sensitive data via Clickjacking by taking advantage of some liberal framing behaviors in Firefox coupled with a X-Frame-Options:Allow header that forms an implicit trust relationship between two sites. This Clickjacking POC takes advantage of several site and browser behaviors including: Etsy.com set an X-Frames-Options: Allow header when accessed directly from a search engine query result Microsoft Bing search engine allows framing…
Read more...Tags:Bing , Clickjacking , content extraction , cross domain , Etsy , Firefox , trust , X-Frame-Options
When is Clickjacking NOT a concern?
are closed
According to Microsoft, when it involves more than 1 click. That’s the feedback I received when I recently submitted a Clickjacking bug to Microsoft’s Security team. This particular Clickjacking bug, on an authenticated portion of the site, could induce a victim to unknowingly change their account privacy settings. The problem, according to Microsoft, is that it requires a minimum of two clicks; one to change the privacy setting and one…
Read more...Tags:bug bounty , Clickjacking , Microsoft , web security , X-Frame-Options , XFO
are closed