
L'home dibuixat

"I am the drawn man, the one with neither flesh nor body.
The big ones take advantage of drawn men like me"
Jaume Sisa - L'home dibuixat

Vulnerabilities inherent to the current web

Filed under: Security
26 September 2008

One of the most interesting messages I have seen in a long time: Dealing with UI redress vulnerabilities inherent to the current web

For a couple of months now, along with a number of my colleagues at
Google, we were investigating a security problem that we feel is very
difficult or impossible to avoid on application side, and might be best
addressed on HTML or HTTP level in contemporary browsers. These problems
had recently gained some mainstream attention, and so we hoped to discuss
potential solutions, and perhaps gain some traction for long-term fixes.

Problem definition: a malicious page in domain A may create an IFRAME
pointing to an application in domain B, to which the user is currently
authenticated with cookies. The top-level page may then cover portions of
the IFRAME with other visual elements to seamlessly hide everything but a
single UI button in domain B, such as "delete all items", "click to add
Bob as a friend", etc. It may then provide own, misleading UI that implies
that the button serves a different purpose and is a part of site A,
inviting the user to click it. Although the examples above are naive, this
is clearly a problem for a good number of modern, complex web
applications.

Practical, real-world examples of such "UI redress" attacks were
demonstrated in the past, and recently resurfaced on an OWASP conference
(under the name of "clickjacking"); some references include:

  * http://www.thespanner.co.uk/2008/02/11/csrf-chat/
  * https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
  * http://lists.immunitysec.com/pipermail/dailydave/2008-September/005356.html
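As an added example, not part of the quoted post or of this blog: a small Node.js check of whether a response from application domain B may be rendered inside a frame by a page on domain A, using the two HTTP-level controls browsers later adopted for exactly this problem, Content-Security-Policy frame-ancestors (which takes precedence) and X-Frame-Options. Hostnames are constructed, and the CSP source matching is simplified as noted in the comments.

```javascript
// Added example (not from the quoted post): does a response from application
// domain B allow itself to be framed by page origin A? Evaluates the HTTP-level
// controls browsers later adopted for this: Content-Security-Policy
// frame-ancestors (takes precedence) and X-Frame-Options. Sample values are constructed.
const DEFAULT_PORT = { http: "80", https: "443" };

function origin(url) {            // scheme/host/port triple of a URL
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[scheme] || "" };
}
const sameOrigin = (a, b) => a.scheme === b.scheme && a.host === b.host && a.port === b.port;

// Match one frame-ancestors source expression against the framing page's origin.
// Simplification: scheme-less host sources require the framed page's scheme (or https);
// keywords other than 'self' are not meaningful here and never match a real host.
function sourceMatches(src, anc, self) {
  if (src === "'self'") return sameOrigin(anc, self);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return anc.scheme === src.slice(0, -1).toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme ? scheme.toLowerCase() !== anc.scheme : anc.scheme !== self.scheme && anc.scheme !== "https") return false;
  const h = host.toLowerCase();
  if (h !== "*" && (wild ? !anc.host.endsWith("." + h) : anc.host !== h)) return false;
  if (port === undefined) return anc.port === DEFAULT_PORT[anc.scheme];
  return port === "*" || port === anc.port;
}

// headers: response headers of the framed page (domain B); ancestorUrl: the top-level page (domain A).
function framingAllowed(headers, pageUrl, ancestorUrl) {
  const header = (n) => { const k = Object.keys(headers).find((x) => x.toLowerCase() === n); return k ? headers[k] : undefined; };
  const self = origin(pageUrl), anc = origin(ancestorUrl);
  const csp = header("content-security-policy");
  const dir = csp && csp.split(";").map((s) => s.trim()).find((s) => /^frame-ancestors(\s|$)/i.test(s));
  if (dir) {                       // CSP frame-ancestors present: X-Frame-Options is ignored
    const sources = dir.split(/\s+/).slice(1);
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some((s) => sourceMatches(s, anc, self));
  }
  const xfo = (header("x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sameOrigin(anc, self);
  return true;                     // no (or unrecognised) restriction: the situation the post describes
}

// Constructed sample: an application that only lets its own origin and one partner domain frame it.
const sampleHeaders = { "Content-Security-Policy": "frame-ancestors 'self' https://*.trusted.example" };
console.log(framingAllowed(sampleHeaders, "https://app.example/settings", "https://evil.example/")); // false
```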