Taras,

On Fri, Apr 13, 2012 at 4:55 AM, Taras <ox...@oxdef.info> wrote:
> Everybody ping :)

This is my review of the clickJacking plugin:

* The httpResponse class has a getLowerCaseHeaders method which you could find useful
* The plugin seems to have the correct logic for detecting clickJacking
* ISSUE: If the site has 250 html/text pages and w3af performs 10 requests, we'll end up with 2500 vulnerabilities in the KB; in other words, there is no control over duplicate vulnerability reports.

Related to this issue, I think that the best thing to do here is to summarize the findings. I would expect a plugin like this one to report vulnerabilities in the following way:

- If none of the URLs implement protection, simply report ONE vulnerability that says that. Low (maybe medium?) risk.
- If most of the URLs implement the protection but some don't, report ONE vulnerability saying: "Most are protected, but x, y, z, w are not". Low risk.
- If all URLs implement protection, don't report anything.

What do you guys think?

> lukesun629@, you were interested in HTML5 security risks. Did you try
> this simple plugin to detect possible ClickJacking flaws?
>
> On 04/03/2012 04:11 PM, Taras wrote:
>> Andres,
>>
>> what do you think about it?
>>
>>
>> 01.04.2012 21:36, Taras wrote:
>>> Hi, all!
>>>
>>> Just want to inform you that I have added a very simple grep plugin [0]
>>> for possible ClickJacking [1] attack detection. Tests have also been
>>> added [2]. The principle of the check is to try to find the X-Frame-Options
>>> header in the response. If there is no such header then the URL is
>>> vulnerable. The current TODO is to add a cookie check, because in the wild
>>> the target of such attacks is an action of an **authorized** user in the
>>> vulnerable web application. Comments are welcome! :)
>>>
>>>>> 1. ClickJacking & Phishing by mixing layers and iframe
>>>> We can code a grep plugin to detect such flaws.
>>>> The logic is very simple - if the response is text_or_html and doesn't
>>>> have an X-Frame-Options header then we can consider that such a response
>>>> is vulnerable to framing -> ClickJacking [0]. I know about frame breaking
>>>> scripts but, imho, currently this header is the best solution.
>>>
>>> [0] http://w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/plugins/grep/clickJacking.py
>>> [1] https://www.owasp.org/index.php/Clickjacking
>>> [2] w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/extras/testEnv/webroot/w3af/grep/clickjacking/
>>>
>>
>
> --
> Taras
> http://oxdef.info
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
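The check the thread describes (text/html response without X-Frame-Options) together with the summarised, de-duplicated reporting Andrés proposes, as an added Python example that is not the w3af plugin's own code; the Response class, its get_lower_case_headers helper, the sample URLs and the header values are constructed stand-ins. It goes one step beyond the thread by also treating an X-Frame-Options value browsers do not recognise as no protection.

```python
"""Added example, not the w3af clickJacking plugin itself: the check the
thread describes (a text/html response without X-Frame-Options) plus the
single summarised finding the review proposes instead of one hit per request.
The Response class and the sample traffic are constructed stand-ins."""
from dataclasses import dataclass, field

# Browsers honour only these policies; any other value is ignored and
# leaves the page framable, exactly as a missing header would.
VALID_XFO = ("DENY", "SAMEORIGIN", "ALLOW-FROM")

@dataclass
class Response:
    url: str
    content_type: str
    headers: dict = field(default_factory=dict)

    def get_lower_case_headers(self):
        # Same idea as the httpResponse helper named in the review: header
        # names are case-insensitive, so normalise before looking one up.
        return {k.lower(): v for k, v in self.headers.items()}

def is_html(resp):
    return resp.content_type.lower().startswith("text/html")

def is_framable(resp):
    """True when an HTML response carries no usable X-Frame-Options."""
    if not is_html(resp):
        return False  # only HTML documents can be framed into a clickjack
    xfo = resp.get_lower_case_headers().get("x-frame-options", "")
    return not xfo.strip().upper().startswith(VALID_XFO)

def summarise(responses):
    """Collapse per-request hits into at most one finding keyed by URL,
    so 10 requests to each of 250 pages give one report, not 2500."""
    html_urls = {r.url for r in responses if is_html(r)}
    unprotected = sorted({r.url for r in responses if is_framable(r)})
    if not unprotected:
        return None  # every HTML URL is protected: report nothing
    if len(unprotected) == len(html_urls):
        desc = "No URL sends X-Frame-Options; every page can be framed."
    else:
        desc = "Most URLs are protected, but these are not: " + ", ".join(unprotected)
    return {"severity": "Low", "desc": desc, "urls": unprotected}

# Constructed sample: one URL seen twice, one protected, one invalid value, one non-HTML.
SAMPLE = [
    Response("http://site.test/", "text/html", {"X-Frame-Options": "SAMEORIGIN"}),
    Response("http://site.test/login", "text/html", {}),
    Response("http://site.test/login", "text/html", {}),
    Response("http://site.test/profile", "text/html", {"x-frame-options": "ALLOWALL"}),
    Response("http://site.test/app.js", "application/javascript", {}),
]
```

Running `summarise(SAMPLE)` yields a single Low finding listing /login and /profile once each, while the JavaScript resource is ignored.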