Love it, you have to love it. OWASP is one of my favourite “.org”s, and if you want to learn about security it will become one of yours too.
Now, this is a late night post and it’s more a reminder for me than something for you: tomorrow I will post some security issues I am working on and, clearly, some freshly baked .NET code to protect your website (and to check if it’s vulnerable or not).
In the meantime I leave you with something that is getting huge these days: ClickJacking (did you hear about the “twitter worm” or the “facebook like stealer”?). The wikipedia definition is awful, but dear OWI has a good one (https://www.owasp.org/index.php/Clickjacking). Just to make it simple: ClickJacking uses iframe properties to put a mask on top of a specific page and hide its content except for some part of it (usually buttons): the result is that you press what you don’t know you’re pressing [simple enough?]
A beautiful example is here: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
As said before, there is no complete protection against the “sleeping giant”, but this way works just fine for 99% of the known cases:
- put a good JS snippet: https://www.owasp.org/index.php/Clickjacking#Best-for-now_implementation
- add the X-FRAME-OPTIONS security header.
I have a VB.NET example for this (you can use a simple UserControl and add it to every page you need)…
' Needs Imports System.Text for StringBuilder
' Adding the X-FRAME-OPTIONS header if configured
If [enable x-frame] Then
    Response.AddHeader("X-FRAME-OPTIONS", [DENY or SAMEORIGIN])
End If

' Adding anti-framing script if configured
If [this page is not frameable] Then
    ' Create the JS snippet. The body is expected to be hidden by default
    ' (style="display:none", as in the OWASP snippet linked above) and is
    ' only revealed when the page is the top-level window; otherwise the
    ' frame is busted by navigating the top window to this page
    Dim sb As New StringBuilder("<script type='text/javascript'>")
    sb.Append("if (self == top) {")
    sb.Append("  var theBody = document.getElementsByTagName('body')[0];")
    sb.Append("  theBody.style.display = 'block';")
    sb.Append("} else {")
    sb.Append("  top.location = self.location;")
    sb.Append("}")
    sb.Append("</script>")
    ' Register it only once per page
    If Not Page.ClientScript.IsClientScriptBlockRegistered(Page.GetType(), "FixClickJack") Then
        Page.ClientScript.RegisterClientScriptBlock(Page.GetType(), "FixClickJack", sb.ToString())
    End If
End If
(*) every time you see code, you have to substitute what’s contained in brackets with your values… and remember: when you work on existing code, always enable the new behavior through a configuration setting, so you can control regressions!
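For the “check if it’s vulnerable” side, here is an added Python checker (not code from this post): it classifies a response’s anti-framing policy from its headers, covering the X-FRAME-OPTIONS header above and also the newer CSP frame-ancestors directive that supersedes it. The sample header sets are constructed; check_url is a hypothetical helper that fetches a real URL.

```python
import urllib.request

# Header values browsers honour; anything else is treated as no protection.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def framing_policy(headers):
    """Return (status, detail); status is 'protected', 'partial' or 'frameable'.

    headers: a dict or an iterable of (name, value) pairs, looked up
    case-insensitively, so it works with urllib's resp.headers.items().
    """
    items = headers.items() if hasattr(headers, "items") else headers
    xfo_values, csp_values = [], []
    for name, value in items:
        key = name.strip().lower()
        if key == "x-frame-options":
            xfo_values.extend(v.strip().upper() for v in value.split(","))
        elif key == "content-security-policy":
            csp_values.append(value)

    # A CSP frame-ancestors directive takes precedence over X-Frame-Options.
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = parts[1:]
                if not sources or "*" in sources:
                    return ("frameable", "frame-ancestors allows any origin")
                return ("protected", "frame-ancestors " + " ".join(sources))

    if not xfo_values:
        return ("frameable", "no X-Frame-Options header")
    if len(xfo_values) > 1:
        # Duplicated or comma-joined values: browsers disagree on these, so
        # the audit conservatively treats them as unprotected.
        return ("frameable", "multiple values: " + ", ".join(xfo_values))
    value = xfo_values[0]
    if value in VALID_XFO:
        return ("protected", value)
    if value.startswith("ALLOW-FROM "):
        return ("partial", value)  # only honoured by some older browsers
    return ("frameable", "unrecognised value: " + value)


def check_url(url):
    """Hypothetical helper: fetch url and classify its response headers."""
    with urllib.request.urlopen(url) as resp:
        return framing_policy(resp.headers.items())


# Constructed sample responses for offline use.
SAMPLES = {
    "hardened": {"X-Frame-Options": "SAMEORIGIN"},
    "typo": {"X-Frame-Options": "ALLOWALL"},
    "missing": {"Content-Type": "text/html"},
}
```

Run framing_policy over each entry of SAMPLES to see the three outcomes; only check_url needs network access.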
Easy as that, and for a couple of years you should be ok.
See you tomorrow!