busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites-slides

Recommendations

Info

Survey Conditional Statements if (top != self) if (top.location != self.location) if (top.location != location) if (parent.<strong>frame</strong>s.length > 0) if (window != top) if (window.top !== window.self) if (window.self != window.top) if (parent && parent != window) if (parent && parent.<strong>frame</strong>s && parent.<strong>frame</strong>s.length>0) if((self.parent&& !(self.parent===self))&& (self.parent.<strong>frame</strong>s.length!=0))
Counter-Action Statements top.location = self.location top.location.href = document.location.href top.location.href = self.location.href top.location.replace(self.location) top.location.href = window.location.href top.location.replace(document.location) top.location.href = window.location.href top.location.href = "URL" document.write(’’) top.location = location top.location.replace(document.location) top.location.replace(’URL’) top.location.href = document.location top.location.replace(window.location.href) top.location.href = location.href self.parent.location = document.location parent.location.href = self.document.location top.location.href = self.location top.location = window.location top.location.replace(window.location.pathname) window.top.location = window.self.location setTimeout(function(){document.body.innerHTML=’’;},1); window.self.onload = function(evt){document.body.innerHTML=’’;} var url = window.location.href; top.location.replace(url)
Page 2 and 3: What is frame <str
Page 4 and 5: What is frame <str
Page 6 and 7: Why frame
Page 8 and 9: Clickjacking 2.0 (Paul Stone, BHEU
Page 10 and 11: Obfuscation/Packing �
Page 14 and 15: All frame
Page 16 and 17: Courtesy of Walmar
Page 18 and 19: Courtesy of if (wi
Page 20 and 21: Courtesy of if (se
Page 22 and 23: Strategic Relationship? Norweigan S
Page 24 and 25: Courtesy of try{ A
Page 26 and 27: Referrer = Funky Stuff Many attacks
Page 28 and 29: Courtesy of Facebo
Page 30 and 31: Facebook - Ray of
Page 32 and 33: Courtesy of many i
Page 34 and 35: Descendent Policy • Introduced in
Page 36 and 37: Location Clobbering IE 7: IE 7: var
Page 38 and 39: Asking Nicely
Page 40 and 41: • IE 8: Restricted zones Javascr
Page 42 and 43: Reflective XSS filters Can be used
Page 44 and 45: X-Frames-Options (IE8) • HTTP hea
Page 46 and 47: Content Security Policy (FF) • Al
Page 48 and 49: … a little bit more. These sites
Page 50 and 51: No, they generally don’t… Site
Page 52: Questions? rydstedt@stanford.edu

busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites-slides

Create successful ePaper yourself

Delete template?

Save as template?