[cap-talk] If a user is clickjacked in a forest, does it leak authority?

Chip Morningstar chip at fudco.com
Thu Mar 26 20:59:03 EDT 2009


David Wagner <daw at cs.berkeley.edu> wrote:

>Chip Morningstar wrote:
>> Page A is generated by the webserver using ambient user credentials of
>> some kind, such as cookies, such that it ends up containing a clickable
>> link that opens page B in a new window.
>>
>> If I understand things properly, a clickjacking attack on Page A can trick
>> the user into opening a window onto Page B, but once that has happened,
>> the attacker is not left with any means to actually wield the authorities
>> on Page B nor any obvious (to me) means to trick the user into wielding
>> one of those authorities on its behalf.
>
>I gather the key part is that page B opens in a new window/tab
>(otherwise it seems like a two-stage clickjack would be possible).
>I'd also like to be able to assume that Page B contains no content
>controlled by any untrusted party (OK?).
>Under these assumptions, I can't see any attack.

Yes, those were basically the assumptions I was making, though perhaps not
consciously.  Good to bring them out into the open.


>Tyler or MarcS would probably be in a better position to answer
>than I, though, as I don't really know the powers of the browser
>DOM API very well.

That's a pretty important question, as a lot of web security techniques seem to
sink or swim based on seemingly random idiosyncrasies of browser
implementation.
