[WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
Bil Corry
bil at corry.biz
Sun Oct 12 00:55:01 EDT 2008
Bil Corry wrote on 10/11/2008 1:32 AM:
> =============== Knowing The URL ===============
>
> The only way to prevent an attacker from knowing the URL would be to
> randomize it -- basically instead of placing the token/nonce as a
> hidden field (ala anti-CSRF), use it as part of the URL instead.
I created an example site that implements this idea; you can see it here:
http://clicksmack.sinlab.com/
Once you log in, you'll see a button to use for a clickjacking attack. The question I have is: is it possible to perform a clickjacking attack against the site? Or does the random URL spoil the attack?
- Bil
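The URL-token scheme from the quoted text, written out as an added example (this is not the clicksmack site's code): mint a random per-session token, put it in the action URL path instead of a hidden form field, and reject any request whose token does not match the session. The session store, URL shape and host name are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store: session id -> per-session URL token.
# A real deployment would keep this in its server-side session storage.
SESSIONS = {}

def start_session() -> str:
    """Create a session and mint the random token that will live in the URL path."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(24)   # 192-bit token, not guessable
    return sid

def action_url(sid: str, base: str = "https://app.example") -> str:
    """Build the action URL with the session's token as a path segment
    (the quoted idea: token in the URL rather than in a hidden form field)."""
    return f"{base}/do/{SESSIONS[sid]}/transfer"

def validate_request(sid: str, url: str) -> bool:
    """Accept a request only if the token in the URL matches the session's token."""
    expected = SESSIONS.get(sid)
    if expected is None:
        return False
    parts = urlsplit(url).path.split("/")
    # Expected path shape: ['', 'do', '<token>', 'transfer']
    if len(parts) != 4 or parts[1] != "do" or parts[3] != "transfer":
        return False
    # Constant-time comparison so the check's timing leaks nothing about the token.
    return hmac.compare_digest(parts[2].encode(), expected.encode())
```

The example only shows the token plumbing; whether a page served at such a URL can still be framed is exactly the question the post leaves open.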