busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites-slides

Recommendations

Info

No, they generally don’t… Site URL Frame<strong>busting</strong> Facebook http://m.facebook.com/ YES MSN http://home.mobile.msn.com/ NO GMail http://m.gmail.com NO Baidu http://m.baidu.com NO Twitter http://mobile.twitter.com NO MegaVideo http://mobile.megavideo.com/ NO Tube8 http://m.tube8.com NO PayPal http://mobile.paypal.com NO USBank http://mobile.usbank.com NO First Interstate Bank http://firstinterstate.mobi NO NewEgg http://m.newegg.com/ NO MetaCafe http://m.metacafe.com/ NO RenRen http://m.renren.com/ NO MySpace http://m.myspace.com NO VKontakte http://pda.vkontakte.ru/ NO WellsFargo https://m.wf.com/ NO NyTimes http://m.nytimes.com Redirect E-Zine Articles http://m.ezinearticles.com Redirect
Summary • All <strong>frame</strong><strong>busting</strong> code out there can be broken across browsers in several different ways • Defenses are on the way, but not yet widely adopted • Relying on referrer is difficult • If JS is disabled, don’t render the page. • Framebust your mobile sites!
Page 2 and 3: What is frame <str
Page 4 and 5: What is frame <str
Page 6 and 7: Why frame
Page 8 and 9: Clickjacking 2.0 (Paul Stone, BHEU
Page 10 and 11: Obfuscation/Packing �
Page 12 and 13: Survey Conditional Statements if (t
Page 14 and 15: All frame
Page 16 and 17: Courtesy of Walmar
Page 18 and 19: Courtesy of if (wi
Page 20 and 21: Courtesy of if (se
Page 22 and 23: Strategic Relationship? Norweigan S
Page 24 and 25: Courtesy of try{ A
Page 26 and 27: Referrer = Funky Stuff Many attacks
Page 28 and 29: Courtesy of Facebo
Page 30 and 31: Facebook - Ray of
Page 32 and 33: Courtesy of many i
Page 34 and 35: Descendent Policy • Introduced in
Page 36 and 37: Location Clobbering IE 7: IE 7: var
Page 38 and 39: Asking Nicely
Page 40 and 41: • IE 8: Restricted zones Javascr
Page 42 and 43: Reflective XSS filters Can be used
Page 44 and 45: X-Frames-Options (IE8) • HTTP hea
Page 46 and 47: Content Security Policy (FF) • Al
Page 48 and 49: … a little bit more. These sites
Page 52: Questions? rydstedt@stanford.edu

busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites-slides

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?