Just saw the email. I will try it and tell you the result later!
On Fri, Apr 13, 2012 at 3:55 PM, Taras <ox...@oxdef.info> wrote:
> Everybody ping :)
>
> lukesun629@, you were interested in HTML5 security risks. Did you try this
> simple plugin to detect possible ClickJacking flaws?
>
> On 04/03/2012 04:11 PM, Taras wrote:
>
>> Andres,
>>
>> what do you think about it?
>>
>>
>> 01.04.2012 21:36, Taras wrote:
>>
>>> Hi, all!
>>>
>>> Just want to inform you that I have added a very simple grep plugin [0]
>>> for possible ClickJacking [1] attack detection. Tests have also been
>>> added [2]. The principle of the check is to try to find the X-Frame-Options
>>> header in the response. If there is no such header then the URL is
>>> vulnerable. The current TODO is to add a cookie check, because in the wild
>>> the target of such attacks is an action of an **authorized** user in the
>>> vulnerable web application. Comments are welcome! :)
>>>
>>> 1. ClickJacking & Phishing by mixing layers and iframe
>>>>>
>>>> We can code a grep plugin to detect such flaws.
>>>> The logic is very simple: if the response is text_or_html and has no
>>>> X-Frame-Options header then we can consider that such a response is
>>>> vulnerable to framing -> ClickJacking [0]. I know about frame-breaking
>>>> scripts but, imho, currently this header is the best solution.
>>>>
>>>
>>> [0] http://w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/plugins/grep/clickJacking.py
>>> [1] https://www.owasp.org/index.php/Clickjacking
>>> [2] http://w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/extras/testEnv/webroot/w3af/grep/clickjacking/
>>>
>>>
>>
>>
>
> --
> Taras
> http://oxdef.info
>
--
FIT1-213
Department of Computer Science
Tsinghua University, Beijing, 100084
http://about.me/anakin/bio
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
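A worked version of the check discussed in the thread, written here as an added example; it is not the w3af clickJacking.py plugin's code and does not use the w3af plugin API. It applies the same rule (an HTML response without a protective X-Frame-Options header is flagged) and goes beyond the thread in three ways a practitioner would want: it validates the header's value rather than only testing for its presence (an invalid value such as ALLOWALL, or the obsolete ALLOW-FROM form that current browsers ignore, does not stop framing), it honours the newer CSP frame-ancestors directive, and it implements the cookie TODO from the message so that, when asked, only pages reached in an authenticated context are reported. The Message type, the example.test URLs and the traffic list are constructed for the demo.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# Added example, not the w3af plugin's code. Message is a stand-in for the
# request/response objects a real grep plugin would receive.

HTML_TYPES = {"text/html", "application/xhtml+xml"}


class Message(NamedTuple):
    url: str
    headers: Dict[str, str]  # header names may appear in any case


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_html(response: Message) -> bool:
    """Only HTML documents render inside a frame, so only they are interesting."""
    ctype = get_header(response.headers, "Content-Type") or ""
    return ctype.split(";", 1)[0].strip().lower() in HTML_TYPES


def xfo_protects(value: str) -> bool:
    """DENY and SAMEORIGIN block framing. ALLOW-FROM was never supported by
    all browsers and is ignored by current ones, and any other value is
    invalid, so both are treated as no protection at all."""
    return value.strip().upper() in {"DENY", "SAMEORIGIN"}


def frame_ancestors_protects(csp: str) -> bool:
    """CSP frame-ancestors (newer than the thread) also restricts framing.
    It protects unless it is absent or allows every origin ('*')."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = {t.strip("'").lower() for t in tokens[1:]}
            return bool(sources) and "*" not in sources
    return False


def in_authenticated_context(request: Message, response: Message) -> bool:
    """The cookie check from the thread's TODO: clickjacking needs a logged-in
    victim, so a request carrying a Cookie or a response setting one is a
    much stronger signal than a bare public page."""
    return (get_header(request.headers, "Cookie") is not None
            or get_header(response.headers, "Set-Cookie") is not None)


def check_clickjacking(request: Message, response: Message,
                       require_cookie: bool = False) -> Optional[str]:
    """Return a finding text, or None when the response is not frameable."""
    if not is_html(response):
        return None
    xfo = get_header(response.headers, "X-Frame-Options")
    if xfo is not None and xfo_protects(xfo):
        return None
    csp = get_header(response.headers, "Content-Security-Policy")
    if csp is not None and frame_ancestors_protects(csp):
        return None
    if require_cookie and not in_authenticated_context(request, response):
        return None
    reason = ("no X-Frame-Options header" if xfo is None
              else "invalid X-Frame-Options value %r" % xfo)
    return "%s may be vulnerable to ClickJacking: %s" % (response.url, reason)


# Constructed traffic for the demo, not captured from any real site.
SAMPLE_TRAFFIC: List[Tuple[Message, Message]] = [
    (Message("http://example.test/login", {"Cookie": "sid=abc"}),
     Message("http://example.test/login", {"Content-Type": "text/html; charset=utf-8"})),
    (Message("http://example.test/account", {"Cookie": "sid=abc"}),
     Message("http://example.test/account", {"content-type": "text/html",
                                             "X-Frame-Options": "SAMEORIGIN"})),
    (Message("http://example.test/old", {"Cookie": "sid=abc"}),
     Message("http://example.test/old", {"Content-Type": "text/html",
                                         "x-frame-options": "ALLOWALL"})),
    (Message("http://example.test/api", {"Cookie": "sid=abc"}),
     Message("http://example.test/api", {"Content-Type": "application/json"})),
    (Message("http://example.test/public", {}),
     Message("http://example.test/public", {"Content-Type": "text/html"})),
    (Message("http://example.test/csp", {"Cookie": "sid=abc"}),
     Message("http://example.test/csp", {"Content-Type": "text/html",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"})),
]


def run_grep(traffic, require_cookie: bool = False) -> List[str]:
    """Run the check over every request/response pair, like a grep plugin would."""
    findings = []
    for request, response in traffic:
        finding = check_clickjacking(request, response, require_cookie)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in run_grep(SAMPLE_TRAFFIC, require_cookie=True):
        print(finding)
```

With require_cookie=True the sample traffic yields two findings (/login, which has no header at all, and /old, whose ALLOWALL value is meaningless to browsers); /public is skipped because nothing ties it to a session, and /account, /api and /csp are skipped for the reasons the comments give. Without the cookie filter /public is reported as well, which is exactly the noise the TODO in the thread is meant to remove.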