Comments on: Chrome and Firefox Face Clickjacking Exploit http://www.darknet.org.uk/2009/02/chrome-and-firefox-face-clickjacking-exploit/ Ethical Hacking, Penetration Testing & Computer Security Sat, 21 Nov 2009 06:04:59 +0000 http://wordpress.org/?v=2.8.6 hourly 1 By: Morgan Storey http://www.darknet.org.uk/2009/02/chrome-and-firefox-face-clickjacking-exploit/#comment-125514 Morgan Storey Thu, 05 Feb 2009 09:58:51 +0000 http://www.darknet.org.uk/?p=1459#comment-125514 @Rafal Los: how is that a stupid solution. If security where easy we would have no compromises, no data loss, it will never be easy, things will get fixed and more issues will replace them. There is another solution, block it through the firewall, proxy and IDS, but this is only so good, and only one layer. FF + NoScript + not running programs as an admin is a good start on the client. @Rafal Los: how is that a stupid solution. If security where easy we would have no compromises, no data loss, it will never be easy, things will get fixed and more issues will replace them. There is another solution, block it through the firewall, proxy and IDS, but this is only so good, and only one layer. FF + NoScript + not running programs as an admin is a good start on the client.

]]> By: Rafal Los http://www.darknet.org.uk/2009/02/chrome-and-firefox-face-clickjacking-exploit/#comment-125511 Rafal Los Wed, 04 Feb 2009 06:34:13 +0000 http://www.darknet.org.uk/?p=1459#comment-125511 The solution is rather stupid. FireFox + NoScript. I can has basic security? The solution is rather stupid. FireFox + NoScript. I can has basic security?

]]> By: Morgan Storey http://www.darknet.org.uk/2009/02/chrome-and-firefox-face-clickjacking-exploit/#comment-125509 Morgan Storey Wed, 04 Feb 2009 01:55:38 +0000 http://www.darknet.org.uk/?p=1459#comment-125509 @dblackshell: I didn't know what NoScripts clickjacking defence was called, hence my vagueness, but I know it is there. The dev build even implements IE8's non-standard HTTP header, I think just for giggles. IE8 is out, as beta and they are heavily touting its security improvements, including the http header clickjacking defence. They actaully had the gall to say they where the first browser with clickjacking defence. I know IE8's defence requires the website to have the additional header, hence why I mentioned it being a poor implementation. This same technique can be done with a framebusting header, the issue here is that IE doesn't support this standard, hence why they decided to implement their own, cause they probably couldn't get it to work. @dblackshell: I didn’t know what NoScripts clickjacking defence was called, hence my vagueness, but I know it is there. The dev build even implements IE8’s non-standard HTTP header, I think just for giggles.

IE8 is out, as beta and they are heavily touting its security improvements, including the http header clickjacking defence. They actaully had the gall to say they where the first browser with clickjacking defence. I know IE8’s defence requires the website to have the additional header, hence why I mentioned it being a poor implementation. This same technique can be done with a framebusting header, the issue here is that IE doesn’t support this standard, hence why they decided to implement their own, cause they probably couldn’t get it to work.

]]> By: navin http://www.darknet.org.uk/2009/02/chrome-and-firefox-face-clickjacking-exploit/#comment-125507 navin Tue, 03 Feb 2009 16:09:17 +0000 http://www.darknet.org.uk/?p=1459#comment-125507 @ lightOS Thanks for the links!! @Dblackshell Thanks for Clearclick ....might sound very n00bish, but I din't know abt it!! @All other n00bs like me: Read abt Clearclick @ http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/ @ Darknet cheers!! :) @ lightOS
Thanks for the links!!

@Dblackshell
Thanks for Clearclick ….might sound very n00bish, but I din’t know abt it!!

@All other n00bs like me:
Read abt Clearclick @ http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/

@ Darknet
cheers!! :)

]]> By: dblackshell http://www.darknet.org.uk/2009/02/chrome-and-firefox-face-clickjacking-exploit/#comment-125502 dblackshell Tue, 03 Feb 2009 03:05:20 +0000 http://www.darknet.org.uk/?p=1459#comment-125502 @Morgan Storey: the clickjacking defense in NoScripts is called ClearClick ;) and IE8 (which even isn't out yet) isn't patched against ClickJacking, it only implements an additional HTTP reader, X-FRAME... (forgot the whole name of the header) =) @Morgan Storey: the clickjacking defense in NoScripts is called ClearClick ;)

and IE8 (which even isn’t out yet) isn’t patched against ClickJacking, it only implements an additional HTTP reader, X-FRAME… (forgot the whole name of the header) =)

]]> By: Morgan Storey http://www.darknet.org.uk/2009/02/chrome-and-firefox-face-clickjacking-exploit/#comment-125501 Morgan Storey Mon, 02 Feb 2009 23:11:06 +0000 http://www.darknet.org.uk/?p=1459#comment-125501 Oh noes clickjacking in firefox and Chrome... I really think these vulns were hyped by Microsofts IE8 department now that they have their rather badly implemented anti-clickjacking technology... FF with no scripts built in clikcjacking defence stops this no questions asked. IE7 and even IE8 are still vulnerable to a lot of clickjacking that is done. Chrome updates without user interaction so it is probably already updated by the time I hit submit. Oh noes clickjacking in firefox and Chrome… I really think these vulns were hyped by Microsofts IE8 department now that they have their rather badly implemented anti-clickjacking technology…

FF with no scripts built in clikcjacking defence stops this no questions asked. IE7 and even IE8 are still vulnerable to a lot of clickjacking that is done. Chrome updates without user interaction so it is probably already updated by the time I hit submit.

]]> By: LightOS http://www.darknet.org.uk/2009/02/chrome-and-firefox-face-clickjacking-exploit/#comment-125498 LightOS Mon, 02 Feb 2009 19:17:52 +0000 http://www.darknet.org.uk/?p=1459#comment-125498 I.E. 7 is also affected, here's a PoC for each browser. http://milw0rm.com/exploits/7912 - IE 7 http://milw0rm.com/exploits/7903 - Chrome 1.0 http://milw0rm.com/exploits/7842 - FF 3.0.5 These attacks don't always require JavaScript, they can also be accomplished with CSS. I.E. 7 is also affected, here’s a PoC for each browser.

http://milw0rm.com/exploits/7912 – IE 7
http://milw0rm.com/exploits/7903 – Chrome 1.0
http://milw0rm.com/exploits/7842 – FF 3.0.5

These attacks don’t always require JavaScript, they can also be accomplished with CSS.

]]>