L'home dibuixat

«I am the drawn man, the one with neither flesh nor body.
The great ones take advantage of drawn men like me.»


Vulnerabilities inherent to the current web

26 September 2008 — Filed under: Security matters — By Xavier Caballé

One of the most interesting messages I have seen in a long time: Dealing with UI redress vulnerabilities inherent to the current web

For a couple of months now, along with a number of my colleagues at
Google, we were investigating a security problem that we feel is very
difficult or impossible to avoid on the application side, and might be best
addressed at the HTML or HTTP level in contemporary browsers. These problems
had recently gained some mainstream attention, and so we hoped to discuss
potential solutions, and perhaps gain some traction for long-term fixes.

Problem definition: a malicious page in domain A may create an IFRAME
pointing to an application in domain B, to which the user is currently
authenticated with cookies. The top-level page may then cover portions of
the IFRAME with other visual elements to seamlessly hide everything but a
single UI button in domain B, such as "delete all items", "click to add
Bob as a friend", etc. It may then provide its own, misleading UI that implies
that the button serves a different purpose and is a part of site A,
inviting the user to click it. Although the examples above are naive, this
is clearly a problem for a good number of modern, complex web
applications.

Practical, real-world examples of such "UI redress" attacks were
demonstrated in the past, and recently resurfaced at an OWASP conference
(under the name of "clickjacking"); some references include:

  * http://www.thespanner.co.uk/2008/02/11/csrf-chat/
  * https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
  * http://lists.immunitysec.com/pipermail/dailydave/2008-September/005356.html
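As an added example that is not part of the original post or the quoted mail, the following JavaScript models how a browser evaluates a Content-Security-Policy `frame-ancestors` directive, the HTTP-level mitigation that later emerged for exactly this class of problem: the framed application declares which ancestor origins may embed it, and the browser refuses to render it inside any other framing chain. The origins, header values and the port-handling simplification noted in the comments are assumptions made for the example.

```javascript
// Added example, not code from the original post or the quoted mail.
// Models how a browser applies the CSP "frame-ancestors" directive, the
// HTTP-level defence against UI redress: every ancestor frame, from the
// direct parent up to the top-level page, must match the policy or the
// response is not rendered in the frame. Origins are "scheme://host[:port]";
// port-less sources match only the scheme's default port (CSP3 simplified).

const DEFAULT_PORT = { http: '80', https: '443' };

function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:/]+)(?::(\d+))?$/i.exec(origin);
  if (!m) throw new Error('bad origin: ' + origin);
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2].toLowerCase(), port: m[3] || DEFAULT_PORT[scheme] || '' };
}

// Returns the directive's source list, or null when the header carries no
// frame-ancestors directive (CSP then places no restriction on framing).
function parseFrameAncestors(cspHeader) {
  const directive = cspHeader.split(';').map(s => s.trim())
    .find(d => /^frame-ancestors(\s|$)/i.test(d));
  return directive ? directive.split(/\s+/).slice(1).map(s => s.toLowerCase()) : null;
}

function sourceMatches(source, ancestor, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestor.scheme === self.scheme &&
    ancestor.host === self.host && ancestor.port === self.port;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return ancestor.scheme === source.slice(0, -1);
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== ancestor.scheme) return false;
  if (wildcard ? !ancestor.host.endsWith('.' + host) : ancestor.host !== host) return false;
  if (port === '*') return true;
  return port ? port === ancestor.port
              : ancestor.port === (DEFAULT_PORT[scheme || ancestor.scheme] || '');
}

// ancestorOrigins: the framing chain, innermost parent first; empty = top-level.
function framingAllowed(cspHeader, selfOrigin, ancestorOrigins) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  const self = parseOrigin(selfOrigin);
  return ancestorOrigins.every(a => {
    const anc = parseOrigin(a);
    return sources.some(src => sourceMatches(src, anc, self));
  });
}
```

A policy of `frame-ancestors 'none'` is what the application in domain B from the mail above would send to stop domain A from framing it at all, while `'self'` plus an explicit partner origin permits only the embeddings the application actually intends.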


© Copyright 1996-2013 Xavier Caballé.
Unless expressly stated otherwise, the published material is subject to a Creative Commons licence.
The contents and opinions of this blog are exclusively personal and bear no relation to my professional activities.