shibboleth-dev - Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
- From: Leif Johansson <>
- Subject: Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
- Date: Thu, 29 Jul 2010 10:53:42 +0200
On 07/29/2010 10:49 AM, Etienne Dysli wrote:
> Jim Fox wrote:
>> Our login screen has one button that says 'Log in'. Possibly someone
>> could be tricked into clicking that -- with an empty password.
>> Seems like a lot of work on the attacker's part for very little gain.
>> I imagine the shib login screen is similar.
>
> One could also fill the username/password fields and make browsers
> bruteforce the IdP login page. I recommend reading Paul Stone's "Next
> Generation Clickjacking" presentation at BlackHat Europe 2010
> (https://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html#Stone)
> for some nice attack ideas. ;)
Right, the attack could be to overlay your login button with an element
that triggers a POST to http://all.your.passwords.are.belong.to.us
Cheers, Leif
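The mitigation named in the thread's subject line, as an added example that is not part of the original message or of Shibboleth: a WSGI middleware that forces X-Frame-Options: DENY on the login response, plus a header audit that classifies a response's anti-framing posture, also recognising the newer CSP frame-ancestors directive and flagging ALLOW-FROM as weak. The login app, request path and header sets are constructed for the example.

```python
"""Anti-framing controls for an IdP login page: an added example, not Shibboleth code.
framing_protection() classifies a response's headers so a test or scanner can flag a
login page that can still be embedded in a frame; DenyFramingMiddleware stamps
X-Frame-Options: DENY on every WSGI response. The login app and path are constructed.
"""


def framing_protection(headers):
    """Return 'csp' (CSP frame-ancestors, the modern control), 'xfo' (DENY or
    SAMEORIGIN), 'weak' (ALLOW-FROM, never uniformly honoured by browsers) or
    'none' (the page can be framed from any origin). Names match case-insensitively."""
    xfo, csp_frame_ancestors = None, False
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "x-frame-options":
            xfo = value.strip().upper()
        elif lname == "content-security-policy":
            directives = (d.strip().lower() for d in value.split(";"))
            csp_frame_ancestors |= any(d.startswith("frame-ancestors") for d in directives)
    if csp_frame_ancestors:
        return "csp"
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    if xfo is not None and xfo.startswith("ALLOW-FROM"):
        return "weak"
    return "none"


class DenyFramingMiddleware:
    """WSGI middleware that forces X-Frame-Options: DENY on every response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            # Replace rather than append: a weaker value set by the app must not win.
            headers = [(n, v) for n, v in headers if n.lower() != "x-frame-options"]
            return start_response(status, headers + [("X-Frame-Options", "DENY")], exc_info)
        return self.app(environ, wrapped_start)


def login_page(environ, start_response):
    """Constructed stand-in for the IdP login form; it sets no anti-framing header."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post'><input name='username'><input type='submit' value='Log in'></form>"]


def response_headers(app, path="/login"):
    """Run a WSGI app once with a minimal environ and return the headers it emitted."""
    captured = []
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path},
             lambda status, headers, exc_info=None: captured.extend(headers)))
    return captured
```

Wrapping the bare login app with DenyFramingMiddleware moves its audit result from 'none' to 'xfo', and the middleware also overrides an ALLOW-FROM value the wrapped app may have set.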