[cap-talk] If a user is clickjacked in a forest, does it leak authority?

Chip Morningstar chip at fudco.com
Fri Mar 27 19:43:47 EDT 2009

Sam Mason <sam at samason.me.uk> wrote:

> In the example given by Chip, what would prevent an attacker from
> performing an XMLHttpRequest and getting a copy of A for themselves,
> parsing out the link to page B and going from there?

A clickjack attacker's goal is to trick the victim into using authority that
the victim possesses but the attacker does not.  In this case, the attacker
can't see the link to Page B because the attacker doesn't have the victim's
cookie.  If the attacker fetched Page A using XHR, they wouldn't get the
victim's version of the link, they'd get their own version of the link.

A suitably constructed clickjack wrapper around Page A might set things up so
that the attacker can trick the victim into clicking on the link to Page B, but
the attacker doesn't achieve anything useful by this -- they are not left in a
position to take advantage of the additional authority that is gained by
opening Page B because the newly revealed authority does not appear within the
context that the attacker controls.
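The per-session link that the reply above relies on can be modelled in a few lines. The following is an added example, not code from this thread or from any system discussed on cap-talk; the HMAC-derived token, the in-memory session table, the `page_b_link` / `open_page_b` names and the anti-framing headers are assumptions about one way such a design could be implemented. It shows that fetching Page A with the attacker's own cookie yields the attacker's own link, that a link lifted from the victim's page is refused when presented from another session, and that Page A can additionally refuse to be framed at all.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a server-side signing key and two logged-in sessions.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {
    "cookie-victim": "alice",      # the user a clickjack wrapper would target
    "cookie-attacker": "mallory",  # the attacker's own account
}


def page_b_link(cookie):
    """Return the link to Page B exactly as Page A renders it for `cookie`.

    The token is derived from the holder's own session, so an XHR made with a
    different cookie (or none) yields a different link, or no link at all.
    """
    user = SESSIONS.get(cookie)
    if user is None:
        return None
    msg = f"page-b:{user}:{cookie}".encode()
    token = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]
    return f"/b?token={token}"


def render_page_a(cookie):
    """Return (headers, body) for Page A.

    The headers forbid framing, so a clickjack wrapper cannot overlay the
    page in the first place (defence in depth on top of the per-session link).
    """
    headers = {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }
    link = page_b_link(cookie)
    body = f'<a href="{link}">Page B</a>' if link else "<p>Please log in.</p>"
    return headers, body


def open_page_b(cookie, token):
    """Server-side check on Page B: the token must belong to the presenting
    session. Returns an HTTP-style status code."""
    expected = page_b_link(cookie)
    if expected is None:
        return 401  # no session at all
    presented = f"/b?token={token}"
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return 403  # token was minted for a different session
    return 200


def attacker_replays_victim_link():
    """Model the worst case for the design: even if the attacker somehow
    obtained the victim's link text, they still only hold their own cookie."""
    victim_link = page_b_link("cookie-victim")
    victim_token = victim_link.split("token=", 1)[1]
    return open_page_b("cookie-attacker", victim_token)


if __name__ == "__main__":
    print("victim's link:  ", page_b_link("cookie-victim"))
    print("attacker's link:", page_b_link("cookie-attacker"))
    print("replay from attacker session ->", attacker_replays_victim_link())
```

Because the token is keyed to both the account and the session cookie, the authority revealed by opening Page B never becomes usable in a context the attacker controls; the `frame-ancestors` / `X-Frame-Options` headers are the separate, browser-enforced control that stops the wrapper from being built.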
