Taras,
On Thu, Apr 19, 2012 at 4:09 PM, Taras <[email protected]> wrote:
> Hi, all!
>
> Fixed according to Andres's comments. Now the plugin reports only one
> vulnerability in total.
Could you please explain this comment to me? "# TODO need to check
here for auth cookie?!"
Instead of the following:
headers = response.getLowerCaseHeaders()
for header_name in headers:
    if header_name == 'x-frame-options'\
       and headers[header_name].lower() in ('deny',
                                            'sameorigin'):
        return
You could do something like:
headers = response.getLowerCaseHeaders()
x_frame_options = headers.get('x-frame-options', None)
# compare the value case-insensitively, as the original loop did
if x_frame_options and x_frame_options.lower() in ('deny', 'sameorigin'):
    return
That would be much faster than iterating over all headers since
python's dict object is VERY fast!
This is actually not true:
if self._total_count == self._vuln_count:
    msg = 'The whole target '
    msg += 'has no protection (X-Frame-Options header) against ClickJacking attack'
If we analyze 5 (self._vuln_limit = 5) and those 5 don't have
protection, that doesn't mean that all don't implement it.
I would completely remove "self._vuln_limit" as it doesn't make
logical sense to only analyze "a section of the application" if we can
analyze all of it. Also, by removing "self._vuln_limit" you'll see
that the memory usage of "self._vulns = []" will grow linearly with
the application's size (if there is no protection) which is no good,
so I recommend using a temp_shelve.
Sorry if I'm being too strict, but I think we can do better than this :)
Regards,
>
> On 04/17/2012 02:00 AM, Andres Riancho wrote:
>>
>> Taras,
>>
>> On Fri, Apr 13, 2012 at 4:55 AM, Taras<[email protected]> wrote:
>>>
>>> Everybody ping :)
>>
>>
>> This is my review of the clickJacking plugin:
>>
>> * The httpResponse class has a getLowerCaseHeaders method which
>> you could find useful
>> * The plugin seems to have the correct logic for detecting
>> clickJacking
>> * ISSUE: If the site has 250 html/text pages and w3af performs 10
>> requests, we'll end up with 2500 vulnerabilities in the KB, in other
>> words, there is no control over duplicate vulnerability reports.
>> Related to this issue, I think that the best thing to do here is to
>> summarize the findings. I would expect a plugin like this one to
>> report vulnerabilities in the following way:
>> - If none of the URLs implement protection, simply report
>> ONE vulnerability that says that. Low (maybe medium?) risk.
>> - If most of the URLs implement the protection but some
>> don't, report ONE vulnerability saying: "Most are protected, but x, y,
>> z, w are not". Low risk.
>> - If all URLs implement protection, don't report anything.
>>
>> What do you guys think?
>>
>>> lukesun629@, you were interested in HTML5 security risks. Did you try
>>> this simple plugin to detect possible ClickJacking flaws?
>>>
>>> On 04/03/2012 04:11 PM, Taras wrote:
>>>>
>>>> Andres,
>>>>
>>>> what do you think about it?
>>>>
>>>>
>>>> 01.04.2012 21:36, Taras wrote:
>>>>>
>>>>> Hi, all!
>>>>>
>>>>> Just want to inform you that I have added a very simple grep plugin [0]
>>>>> for detecting possible ClickJacking [1] attacks. Tests have also been
>>>>> added [2]. The principle of the check is to look for the X-Frame-Options
>>>>> header in the response. If there is no such header, the URL is
>>>>> vulnerable. The current TODO is to add a cookie check, because in the
>>>>> wild the target of such attacks is an action of an **authorized** user
>>>>> in the vulnerable web application. Comments are welcome! :)
>>>>>
>>>>>>> 1. ClickJacking & Phishing by mixing layers and iframes
>>>>>>
>>>>>> We can write a grep plugin to detect such flaws.
>>>>>> The logic is very simple: if the response is text_or_html and has no
>>>>>> X-Frame-Options header, then we can consider such a response
>>>>>> vulnerable to framing -> ClickJacking [0]. I know about frame-breaking
>>>>>> scripts but, IMHO, this header is currently the best solution.
>>>>>
>>>>>
>>>>> [0]
>>>>>
>>>>> http://w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/plugins/grep/clickJacking.py
>>>>> [1] https://www.owasp.org/index.php/Clickjacking
>>>>> [2]
>>>>>
>>>>> w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/extras/testEnv/webroot/w3af/grep/clickjacking/
>>>>>
>>>>
>
>
>
> --
> Taras
> http://oxdef.info
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
_______________________________________________
W3af-develop mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-develop
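To make the points raised in this thread concrete (look the header up in the lower-cased dict instead of looping, treat only text/html responses, emit one summarized finding rather than one per URL, and never claim "the whole target" is unprotected on the basis of a capped sample), here is an added example in Python. It is not the w3af plugin's code and not code posted by anyone in the thread: `Response`, `ClickjackingGrep`, `run_sample` and the sample responses are constructed for illustration, and `lower_case_headers` only mimics what the thread says `getLowerCaseHeaders` does (lower-case header names). The `unprotected` mapping is injectable so a disk-backed store such as w3af's temp_shelve can replace the in-memory dict on large scans.

```python
"""Illustrative clickjacking grep check: per-response test plus one summary finding."""
from collections import namedtuple

# Constructed stand-in for w3af's httpResponse: only the fields this check needs.
Response = namedtuple('Response', ['url', 'content_type', 'headers'])

# Values the thread treats as protective; anything else counts as unprotected.
PROTECTIVE_VALUES = ('deny', 'sameorigin')


def is_html(response):
    """Only text/html bodies are worth framing, so only they are counted."""
    return response.content_type.split(';')[0].strip().lower() == 'text/html'


def lower_case_headers(headers):
    """Mimic getLowerCaseHeaders(): lower-case the header *names*, keep values."""
    return dict((name.lower(), value) for name, value in headers.items())


def has_frame_protection(response):
    """True when X-Frame-Options is present with DENY or SAMEORIGIN (any case).

    Single dict lookup instead of iterating over every header.
    """
    headers = lower_case_headers(response.headers)
    xfo = headers.get('x-frame-options', None)
    if not xfo:
        return False
    return xfo.strip().lower() in PROTECTIVE_VALUES


class ClickjackingGrep(object):
    """Grep-style check: inspect every html response, summarize once at the end.

    There is deliberately no vuln limit: a sample of N unprotected pages cannot
    justify a "whole target unprotected" message. `unprotected` is keyed by URL;
    pass a disk-backed mapping (a shelve) so memory does not grow with the site.
    """

    def __init__(self, unprotected=None):
        self.total = 0
        self.unprotected = {} if unprotected is None else unprotected

    def grep(self, response):
        if not is_html(response):
            return
        self.total += 1
        if not has_frame_protection(response):
            self.unprotected[response.url] = True

    def summarize(self):
        """Return zero or one finding, never one per URL."""
        missing = sorted(self.unprotected)
        if self.total == 0 or not missing:
            return []  # everything protected (or nothing to check): report nothing
        if len(missing) == self.total:
            # Every html response seen lacked protection; the thread leaves the
            # severity open between low and medium, low is used here.
            return [{'severity': 'low',
                     'msg': 'The whole target has no protection (X-Frame-Options '
                            'header) against ClickJacking attacks.',
                     'urls': missing}]
        return [{'severity': 'low',
                 'msg': 'Most of the target is protected against ClickJacking, '
                        'but these URLs lack an X-Frame-Options header: %s'
                        % ', '.join(missing),
                 'urls': missing}]


# Constructed sample traffic, not real scan output.
SAMPLE_RESPONSES = [
    Response('http://target.example/', 'text/html; charset=utf-8',
             {'X-Frame-Options': 'DENY'}),
    Response('http://target.example/login', 'text/html',
             {'x-frame-options': 'SameOrigin'}),
    Response('http://target.example/profile', 'text/html',
             {'Set-Cookie': 'sid=abc'}),
    Response('http://target.example/style.css', 'text/css', {}),
    Response('http://target.example/api', 'text/html',
             {'X-Frame-Options': 'ALLOWALL'}),
]


def run_sample():
    """Feed the sample responses through the check and return the summary."""
    grep = ClickjackingGrep()
    for response in SAMPLE_RESPONSES:
        grep.grep(response)
    return grep.summarize()


if __name__ == '__main__':
    for finding in run_sample():
        print(finding['severity'], finding['msg'])
```

On the sample set the CSS response is skipped, `/` and `/login` count as protected (header name and value case do not matter), and `/profile` (no header) and `/api` (unrecognised value) end up in a single "most are protected, but..." finding.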