Skip to Content.
Sympa Menu

shibboleth-dev - Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP

Subject: Shibboleth Developers

List archive

Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP


Chronological Thread 
  • From: Leif Johansson <>
  • To:
  • Subject: Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
  • Date: Thu, 29 Jul 2010 10:53:42 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/29/2010 10:49 AM, Etienne Dysli wrote:
> Jim Fox wrote:
>> Our login screen has one button that says 'Log in'. Possibly someone
>> could be tricked into clicking that -- with an empty password.
>> Seems like a lot of work on the attackers part for very little gain.
>> I imagine the shib login screen is similar.
>
> One could also fill the username/password fields and make browsers
> bruteforce the IdP login page. I recommend reading Paul Stone's "Next
> Generation Clickjacking" presentation at BlackHat Europe 2010
> (https://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html#Stone)
> for some nice attack ideas. ;)

Right - the attack could be to overlay your login button with an element
that triggers a POST to http://all.your.passwords.are.belong.to.us

Cheers Leif


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxRQZYACgkQ8Jx8FtbMZneD9ACeIOprydkB1cuDA6PzMUsr56sN
Nq0An23SjgvhlZD7BkLyuJ5EUOQE7tqU
=WVrK
-----END PGP SIGNATURE-----



Archive powered by MHonArc 2.6.16.

Top of Page