Firefox + NoScript vs Clickjacking
In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:
Hi Ryan,
I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
I had access to detailed information about how this attack works and I can tell you the following:
- It’s really scary
- NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
- For 100% protection by NoScript, you need to check the “Plugins|Forbid
Cheers,
Giorgio
I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed “very, freaking scary” and “near impossible” to fix properly.
Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.
[Source: zdnet]