Concerned about clickjacking or tired of sites wrapping your content with their ads? The solution is x-frame-options and it will be supported in Firefox as of 3.6.9 (grab a build now if you'd like to try it out)
What is x-frame-options?
x-frame-options is a header value that is set by the webserver which instructs supported browsers on whether to allow a particular page to be framed by other pages. The intention is to prevent the following:
HTML from attackersite.com
<html>
ads, phishing, clickjacking, etc
<iframe src="http://yoursite.com"></iframe>
</html>
Valid values for x-frame-options
When setting the x-frame-options on the webserver you will need to select between two options -
"SAMEORIGIN" or "DENY"
SAMEORIGIN - allows only sites from the same domain to frame the page
DENY - prevents any site from framing the page
Where is x-frame-options needed?
You could choose to simply add the x-frame-options header to every response sent from your webserver. That would work but there is at least one interesting byproduct of that approach - this would break the ability for your site to be listed in google images search since even the images would have the x-frame-options header. That might not be a big deal, but it is interesting to consider what items, if any, you do want to be framed by third parties.
However, the bare-minimum to prevent against clickjacking attacks is to set the x-frame-options header for any page that allows a user to make a state changing operation. Think login forms, confirmation pages, update pages, etc. Here is a basic rule to remember where x-frame-options must be used.
If you are adding a CSRF token to a page then you also need x-frame-options header.
Don't be confused and think that x-frame-options is dependant upon a CSRF token - thats not the case. But both controls are used to prevent the unintended completion of a state-changing operation without the user's consent. Therefore, it is generally true that a page which needs one of these controls would also need the other.
DENY or SAMEORIGIN?
Use DENY unless you are aware of specific (and authorized) framing of your pages from other pages on your domain. DENY is the more restrictive behavior and is the best way to protect your site.
Why not use frame busting JavaScript?
Frame busting JavaScript is a cat and mouse game that is fragile and often dependent upon particularities of each browser. There is frame busting code and frame-busting-busting code. The frame-busting JavaScript approach is flimsy and requires a lot of work for mediocre results.
Supported Browsers
Firefox 3.6.9 & 4 (and older Firefox versions with NoScript add-on)
IE 8+
Opera 10.50
Safari 4
Additional Reading
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
http://www.owasp.org/index.php/Clickjacking#Defending_with_response_headers
-Michael Coates
Monday, August 30, 2010
Thursday, August 19, 2010
Facebook Places - You Don't Control Your Own Location
I think the argument about privacy and facebook has been beat to death. There really isn't anything left to say. By using facebook you are either consciously, or unconsciously, surrendering all of your data to someone or some advertising corporation. However, this new "feature" adds a whole new level to the discussion.
What impact will location tracking have on people's safety? How many users will quickly enable this new feature and continually broadcast their current location to the world? Will users fake the location of others in order to lure someone to a particular place?
Facebook has thought of one scenario and added this information to their FAQ.
The last thing to consider is facebook's track record on protecting data. How long will it be until advertisers find a way to pilfer this data from people? Or what about the next privacy setting overhaul which changes the defaults or makes it more difficult to control who sees your location data?
Geo tagging is nothing new. What is new is the integration of this technology with facebook - a company with a huge user base and a history of disregarding the security and privacy of users.
-Michael Coates
Monday, August 16, 2010
Mozilla at OWASP AppSecUSA
Several Mozilla employees will be attending this year's OWASP AppSecUSA event held in Irvine, CA (Sept 7-10). OWASP conferences focuse entirely on application security and are considered the premier event for this area of security.
I encourage you to check out the event and considering attending yourself. This conference is great for developers, security engineers, and anyone interested in the rapidly growing field of application security.
I will be presenting on Friday on the integration of ESAPI and AppSensor. I will also be discussing how AppSensor ideas are being integrated into Mozilla applications for real time attacker detection. In addition, Mozilla will be tending a booth with demos and information on Content Security Policy, a great security addition to Firefox that will be coming soon. Stop by, say hello, and find out how you can leverage CSP in your websites.
Conference registration link
-Michael Coates
I encourage you to check out the event and considering attending yourself. This conference is great for developers, security engineers, and anyone interested in the rapidly growing field of application security.
I will be presenting on Friday on the integration of ESAPI and AppSensor. I will also be discussing how AppSensor ideas are being integrated into Mozilla applications for real time attacker detection. In addition, Mozilla will be tending a booth with demos and information on Content Security Policy, a great security addition to Firefox that will be coming soon. Stop by, say hello, and find out how you can leverage CSP in your websites.
Conference registration link
-Michael Coates
Subscribe to:
Posts (Atom)