[WEB SECURITY] Cross-Site History Manipulation (XSHM)

Shlomi Narkolayev shlominar at gmail.com
Tue Feb 2 02:39:32 EST 2010


I have mentioned <http://narkolayev-shlomi.blogspot.com/2010/01/defeating-frame-busting-scripts-one-of.html> that
frame-busting code isn't bulletproof, and also described how it can be
bypassed using the "security=restricted" IE property, although there are
some other techniques, like event overwriting, etc.



Web application developers can't rely on X-Frame-Options headers and
NoScript, because not everyone uses IE 8.0 or FF + NoScript.



However, developers can check the browser version using the User-Agent
header and, if the user came with IE 8.0 (for example), use X-Frame-Options;
otherwise inject frame-busting scripts into the response page.

Kind Regards,
Narkolayev Shlomi.

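
The response-hardening step the message above describes, as an added example that is not code from the original thread or from either author. It is a small Node.js helper that does both things at once instead of sniffing the User-Agent: it always sends X-Frame-Options (browsers that do not implement the header simply ignore it) and always injects a frame-busting snippet into HTML responses. The snippet uses the "hide the page by default, reveal it only when not framed" pattern rather than the bare `top.location.replace(...)` check quoted below, so a framing page that blocks the navigation (the browsersec "var location..." trick Michal points to) or disables script (IE's security=restricted) is left with a blank page rather than hidden, clickable content. The function names, the header object layout and the sample page are this example's own assumptions.

```javascript
// Added example (not from the original thread): apply both clickjacking
// defences discussed above to an HTML response.
//   1. X-Frame-Options header: honoured by IE 8 and other browsers that
//      implement it, silently ignored by the rest (harmless to send always).
//   2. Injected frame-busting snippet for browsers that ignore the header.
// Names (hardenHtmlResponse, getHeader, SAMPLE_PAGE) are this example's own.

// The page starts hidden via CSS and is only revealed when it is the top
// window. If the framing page blocks top.location navigation, or script is
// disabled in the frame (IE security=restricted), the CSS still applies and
// the framed page stays blank, which is the safe failure mode.
const FRAME_BUSTING_SNIPPET = `
<style id="fb-hide">html { display: none; }</style>
<script>
  if (self === top) {
    // Not framed: show the page.
    document.documentElement.style.display = 'block';
  } else {
    // Framed: try to break out. If the parent prevents it, stay hidden.
    top.location = self.location;
  }
</script>`;

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// Returns a new { headers, body } pair. The header is added to every
// response; the script is injected only into HTML documents, right after
// the opening <head> tag so the hiding style applies before any content
// renders. Use 'SAMEORIGIN' instead of 'DENY' if the site frames itself.
function hardenHtmlResponse(headers, body, policy = 'DENY') {
  const out = Object.assign({}, headers);
  out['X-Frame-Options'] = policy;

  const contentType = String(getHeader(out, 'Content-Type') || '').toLowerCase();
  if (!contentType.startsWith('text/html')) {
    return { headers: out, body };
  }

  const head = /<head[^>]*>/i.exec(body);
  const cut = head ? head.index + head[0].length : 0;
  const newBody = body.slice(0, cut) + FRAME_BUSTING_SNIPPET + body.slice(cut);
  return { headers: out, body: newBody };
}

// Constructed sample response used to demonstrate the helper.
const SAMPLE_PAGE =
  '<html><head><title>Account</title></head>' +
  '<body><button>Transfer funds</button></body></html>';

function demo() {
  return hardenHtmlResponse(
    { 'Content-Type': 'text/html; charset=utf-8' },
    SAMPLE_PAGE
  );
}

module.exports = { hardenHtmlResponse, getHeader, demo, FRAME_BUSTING_SNIPPET };
```

Wire `hardenHtmlResponse` into whatever layer writes the response (an Express middleware, a reverse proxy filter) so that it runs on every HTML document, not only on pages a developer remembered to protect; the header costs nothing on browsers that ignore it, and the CSS-first snippet means the worst case for an unsupported browser is a blank frame rather than a clickable one.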





-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf at coredump.cx]
Sent: Monday, February 01, 2010 8:05 PM
To: Shlomi Narkolayev
Cc: Mostafa Siraj; Alexr at checkmarx.com; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Cross-Site History Manipulation (XSHM)



>  if (top !== self) top.location.replace(self.location.href);

Unsafe:

http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_%28UI_redressing%29

See the "var location..." snippet.

/mz

