
L'home dibuixat

«I am the drawn man, the one who has neither flesh nor body.
The big ones take advantage of drawn men like me»
Jaume Sisa - L'home dibuixat

Vulnerabilities inherent to the current web

26 September 2008. Filed under: Security. Comments (0)

One of the most interesting messages I have seen in a long time: Dealing with UI redress vulnerabilities inherent to the current web

For a couple of months now, along with a number of my colleagues at
Google, we were investigating a security problem that we feel is very
difficult or impossible to avoid on the application side, and might be best
addressed on HTML or HTTP level in contemporary browsers. These problems
had recently gained some mainstream attention, and so we hoped to discuss
potential solutions, and perhaps gain some traction for long-term fixes.

Problem definition: a malicious page in domain A may create an IFRAME
pointing to an application in domain B, to which the user is currently
authenticated with cookies. The top-level page may then cover portions of
the IFRAME with other visual elements to seamlessly hide everything but a
single UI button in domain B, such as "delete all items", "click to add
Bob as a friend", etc. It may then provide its own, misleading UI that implies
that the button serves a different purpose and is a part of site A,
inviting the user to click it. Although the examples above are naive, this
is clearly a problem for a good number of modern, complex web
applications.

Practical, real-world examples of such "UI redress" attacks were
demonstrated in the past, and recently resurfaced at an OWASP conference
(under the name of "clickjacking"); some references include:

  * http://www.thespanner.co.uk/2008/02/11/csrf-chat/
  * https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
  * http://lists.immunitysec.com/pipermail/dailydave/2008-September/005356.html
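As an added example, not part of the quoted message or of this blog, here is a small Python checker for the HTTP-level controls that browsers adopted after this message for exactly this problem, the X-Frame-Options header and the CSP frame-ancestors directive. Given a response's headers, it decides whether a page on domain A could frame the application on domain B; the URLs and header values below are constructed sample data.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def source_matches(src, framer):
    """Match one CSP frame-ancestors source expression against a framing origin."""
    scheme, host, port = framer
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:        # scheme-source, e.g. "https:"
        return src[:-1] == scheme
    src_scheme, _, rest = src.partition("://") if "://" in src else (None, None, src)
    src_host, _, src_port = rest.partition(":")
    if src_scheme and src_scheme != scheme:
        return False
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    if src_host.startswith("*."):                   # wildcard matches any subdomain
        return host.endswith(src_host[1:])
    return src_host == host


def header(headers, name):
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name), None)


def framing_allowed(headers, framed_url, framer_url):
    """Would a browser honouring these headers render framed_url inside framer_url?"""
    framed, framer = origin_of(framed_url), origin_of(framer_url)
    for directive in (header(headers, "content-security-policy") or "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":       # takes precedence over X-Frame-Options
            sources = value.lower().split()
            if not sources or sources == ["'none'"]:
                return False
            return any(framer == framed if s == "'self'" else source_matches(s, framer)
                       for s in sources if s != "'none'")
    raw = (header(headers, "x-frame-options") or "").strip()
    if raw.upper() == "DENY":
        return False
    if raw.upper() == "SAMEORIGIN":
        return framer == framed
    if raw.upper().startswith("ALLOW-FROM "):     # legacy form, not honoured everywhere
        return framer == origin_of(raw[11:].strip())
    return True  # no recognised control: any page may frame it, as the message describes


# Constructed sample: a page on domain A framing an application on domain B.
APP = "https://app.example-b.test/settings"
ATTACKER_PAGE = "https://evil.example-a.test/"
UNPROTECTED = {"Content-Type": "text/html"}
XFO_SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}
CSP_PARTNERS = {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://*.partner.test"}
```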
