[cap-talk] If a user is clickjacked in a forest, does it leak authority?

Sam Mason sam at samason.me.uk
Fri Mar 27 11:33:42 EDT 2009


On Fri, Mar 27, 2009 at 03:14:37PM +0000, Karp, Alan H wrote:
> David-Sarah Hopwood wrote:
> > No, a clickjacking attack can trick the user into pressing an arbitrary
> > button on page B, for example, without the button being visible.
> 
> That's the essence of the attack.  In order to pull it off, the
> attacker must be able to open page B, make it transparent, and align
> it over page A.  The user sees the button on page A but is really
> clicking on page B.  Making the URL for page B unguessable prevents
> the attack.

In the example given by Chip; what would prevent an attacker from
performing an XMLHttpRequest and getting a copy of A for themselves,
parsing out the link to page B and going from there?

-- 
  Sam  http://samason.me.uk/


More information about the cap-talk mailing list