[cap-talk] If a user is clickjacked in a forest, does it leak authority?
sam at samason.me.uk
Fri Mar 27 11:33:42 EDT 2009
On Fri, Mar 27, 2009 at 03:14:37PM +0000, Karp, Alan H wrote:
> David-Sarah Hopwood wrote:
> > No, a clickjacking attack can trick the user into pressing an arbitrary
> > button on page B, for example, without the button being visible.
> That's the essence of the attack. In order to pull it off, the
> attacker must be able to open page B, make it transparent, and align
> it over page A. The user sees the button on page A but is really
> clicking on page B. Making the URL for page B unguessable prevents
> the attack.
In the example given by Chip; what would prevent an attacker from
performing an XMLHttpRequest and getting a copy of A for themselves,
parsing out the link to page B and going from there?
More information about the cap-talk