Comments on: IE8’s “Clickjacking Protection” Exposed http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/ Giorgio Maone's answers to the Web, the Universe, and Everything Wed, 08 Feb 2012 12:13:48 +0000 http://wordpress.org/?v=2.2.3 By: Konnie30 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-16318 Konnie30 Fri, 27 Nov 2009 00:28:11 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-16318 It's not so easy to make a nice essays written, preferably if you are concerned. I recommend you to define <a href="http://www.qualityessay.com" rel="nofollow">buy essay</a> and to be void from disbelief that your work will be done by paper writing service It’s not so easy to make a nice essays written, preferably if you are concerned. I recommend you to define buy essay and to be void from disbelief that your work will be done by paper writing service

]]> By: Terrel Shumway http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-11206 Terrel Shumway Thu, 26 Feb 2009 22:45:37 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-11206 If NoScript, or its functionality is included in mainline Firefox, is that going to interfere with new development? NoScript has a pretty quick release cycle compared with the main browser. I'd hate to see that go away. If NoScript, or its functionality is included in mainline Firefox, is that going to interfere with new development? NoScript has a pretty quick release cycle compared with the main browser. I’d hate to see that go away.

]]> By: The WHATWG Blog » Blog Archive » This Week in HTML 5 - Episode 21 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10909 The WHATWG Blog » Blog Archive » This Week in HTML 5 - Episode 21 Tue, 10 Feb 2009 23:02:30 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10909 [...] which relies on web authors to include a Microsoft-proprietary HTTP header. RSnake responds, as does Giorgio Maone (who, by the way, has already integrated Microsoft's proprietary header into his NoScript extension [...] […] which relies on web authors to include a Microsoft-proprietary HTTP header. RSnake responds, as does Giorgio Maone (who, by the way, has already integrated Microsoft’s proprietary header into his NoScript extension […]

]]> By: IE8 clickjacking / ui redressing prevention via X-FRAME-OPTIONSIts | Security and the Net http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10719 IE8 clickjacking / ui redressing prevention via X-FRAME-OPTIONSIts | Security and the Net Sun, 01 Feb 2009 10:41:58 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10719 [...] that tells Internet Explorer the page is not supposed to be included in a frame. It’s called X-FRAME-OPTIONS; a value of DENY means the page should never be opened in a frame, and SAMEORIGIN only allows it to [...] […] that tells Internet Explorer the page is not supposed to be included in a frame. It’s called X-FRAME-OPTIONS; a value of DENY means the page should never be opened in a frame, and SAMEORIGIN only allows it to […]

]]> By: hackademix.net » All That ClickJazz... http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10707 hackademix.net » All That ClickJazz... Sat, 31 Jan 2009 21:06:43 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10707 [...] to IE8’s touted Clickjacking protection which will work on pages whose authors adopt the new proprietary X-FRAME-OPTIONS header (now [...] […] to IE8’s touted Clickjacking protection which will work on pages whose authors adopt the new proprietary X-FRAME-OPTIONS header (now […]

]]> By: hackademix.net » http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10674 hackademix.net » Fri, 30 Jan 2009 00:12:31 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10674 [...] IE8’s “Clickjacking Protection” Exposed [...] […] IE8’s “Clickjacking Protection” Exposed […]

]]> By: Giorgio http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10667 Giorgio Thu, 29 Jan 2009 15:25:50 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10667 @<b>Hans Nordhaugh</b>: Thanks, I already commented on the <a href="http://www.heise-online.co.uk/security/Popular-browsers-continue-to-be-vulnerable-to-clickjacking-attacks--/news/112518" rel="nofollow">UK edition of that article</a>. Precisely at this moment I was "laughing" with OWASP's Arshan Dabirsiaghi of how many clowns talking "Clickjacking" and nobody (including Heise) grasping even the basic concept... @Hans Nordhaugh:
Thanks, I already commented on the UK edition of that article.

Precisely at this moment I was “laughing” with OWASP’s Arshan Dabirsiaghi of how many clowns talking “Clickjacking” and nobody (including Heise) grasping even the basic concept…

]]> By: Hans Nordhaug http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10666 Hans Nordhaug Thu, 29 Jan 2009 15:16:18 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10666 @Giorgio Heise Security bought the secniche.org story and claims that "NoScript obviously does not appear to recognize all variants of Clickjacking." Just FYI. @Giorgio

Heise Security bought the secniche.org story and claims that "NoScript obviously does not appear to recognize all variants of Clickjacking." Just FYI.

]]> By: decent user http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10665 decent user Thu, 29 Jan 2009 11:01:26 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10665 Thanks for the ultra fast clarification! > either he cannot understand Clickjacking, or he’s purposely using the buzzword to get some cheap publicity. Both I think, referring to your explanation. Best wishes! And thanks for the great work with NoScript! Thanks for the ultra fast clarification!

> either he cannot understand Clickjacking, or he’s purposely using the buzzword to get some cheap publicity.

Both I think, referring to your explanation.

Best wishes! And thanks for the great work with NoScript!

]]> By: Giorgio http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10664 Giorgio Thu, 29 Jan 2009 10:34:57 +0000 http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/#comment-10664 @<b>decent user</b>: That guy is an idiot: either he cannot understand Clickjacking, or he's purposely using the buzzword to get some cheap publicity. His "PoC" is just an laughably over-elaborated version of a simple: <code> <a href="http://yahoo.com" onclick="location='http://xssed.com';return false">Yahoo</a> </code> Try it: <a href="http://yahoo.com" onclick="location='http://xssed.com';return false" rel="nofollow">Yahoo</a> That's not Clickjacking by any stretch of imagination, and hardly malicious: you just get on a "surprise" destination, but nothing more since it can't do any of the cross-site evils (e.g. bypassing CSRF protection) of the real thing. @decent user:

That guy is an idiot: either he cannot understand Clickjacking, or he’s purposely using the buzzword to get some cheap publicity.
His “PoC” is just an laughably over-elaborated version of a simple:

<a href=”http://yahoo.com” onclick="location=’http://xssed.com’;return false">Yahoo</a>

Try it: Yahoo

That’s not Clickjacking by any stretch of imagination, and hardly malicious: you just get on a “surprise” destination, but nothing more since it can’t do any of the cross-site evils (e.g. bypassing CSRF protection) of the real thing.

]]>