Who do you trust? Cross-domain content extraction with Clickjacking
Overview

Today I'll illustrate how it is possible to extract sensitive data via Clickjacking by taking advantage of some liberal framing behaviors in Firefox, coupled with an X-Frame-Options: Allow header that forms an implicit trust relationship between two sites. This Clickjacking POC takes advantage of several site and browser behaviors, including:

- Etsy.com set an X-Frame-Options: Allow header when accessed directly from a search engine query result
- Microsoft Bing search engine allows framing…

Tags: Bing, Clickjacking, content extraction, cross domain, Etsy, Firefox, trust, X-Frame-Options
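The framing policy described above hinges on two things a practitioner should be able to check: what a given X-Frame-Options value actually permits, and what happens when a site emits a value such as "Allow" that is not a defined directive (the defined ones are DENY, SAMEORIGIN and the legacy ALLOW-FROM). The following is an added example, not code from the original post; it models a page's X-Frame-Options header as a browser would interpret it and then a hypothetical server policy (names, hosts and the referrer list are assumptions modelled on the description above) that varies the header by Referer, to show that the "Allow" case leaves the page frameable by any origin.

```javascript
// Added example (not from the original post). Evaluate whether a page served
// with a given X-Frame-Options header may be framed by a given top-level origin.
// Modelled directives: DENY, SAMEORIGIN, ALLOW-FROM <origin> (legacy; honoured
// only by some browsers), plus the unrecognised-value case, where browsers
// generally ignore the header, so framing proceeds as if it were absent.

function parseXFrameOptions(headerValue) {
  if (headerValue === undefined || headerValue === null) return { directive: 'NONE' };
  const raw = String(headerValue).trim();
  const upper = raw.toUpperCase();
  if (upper === 'DENY') return { directive: 'DENY' };
  if (upper === 'SAMEORIGIN') return { directive: 'SAMEORIGIN' };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(raw);
  if (m) {
    try {
      return { directive: 'ALLOW-FROM', origin: new URL(m[1]).origin };
    } catch (e) {
      return { directive: 'INVALID', raw };
    }
  }
  // "Allow", "ALLOWALL", typos etc. all land here: not a defined directive.
  return { directive: 'INVALID', raw };
}

function mayBeFramed(pageOrigin, topOrigin, headerValue) {
  const p = parseXFrameOptions(headerValue);
  switch (p.directive) {
    case 'DENY':
      return { framable: false, reason: 'DENY blocks all framing' };
    case 'SAMEORIGIN':
      return { framable: pageOrigin === topOrigin, reason: 'SAMEORIGIN: only same-origin framing' };
    case 'ALLOW-FROM':
      return { framable: p.origin === topOrigin,
               reason: 'ALLOW-FROM: browser-dependent, ignored by Chromium/WebKit' };
    case 'INVALID':
      return { framable: true, reason: 'unrecognised value "' + p.raw + '" is ignored: no protection' };
    default:
      return { framable: true, reason: 'no X-Frame-Options header' };
  }
}

// Hypothetical server policy (assumption, modelled on the post's description):
// emit "Allow" when the Referer is a search engine, SAMEORIGIN otherwise.
// The Referer is attacker-influenced, so this is an implicit trust relationship.
const TRUSTED_REFERRER_HOSTS = ['www.bing.com', 'www.google.com']; // assumption
function xfoHeaderFor(refererUrl) {
  if (!refererUrl) return 'SAMEORIGIN';
  let host;
  try { host = new URL(refererUrl).hostname; } catch (e) { return 'SAMEORIGIN'; }
  return TRUSTED_REFERRER_HOSTS.includes(host) ? 'Allow' : 'SAMEORIGIN';
}

// Walk the scenario: a victim arrives at the shop from a search result, so the
// shop answers with "Allow", which no browser treats as a restriction.
function scenario(shopOrigin, attackerOrigin, refererUrl) {
  const header = xfoHeaderFor(refererUrl);
  return { header, ...mayBeFramed(shopOrigin, attackerOrigin, header) };
}

const demo = scenario('https://shop.example', 'https://attacker.example',
                      'https://www.bing.com/search?q=shop');
console.log(JSON.stringify(demo));
```

The fix on the server side is not to special-case the Referer at all: serve SAMEORIGIN (or DENY) unconditionally, and prefer the Content-Security-Policy frame-ancestors directive, which takes an explicit allow-list of origins instead of a single ambiguous token.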
Solving the AusSHIRT 2013 Sophos Puzzle
Intro

This was a fun little puzzle that served as a quick brain-teaser/diversion a short while back. I didn't see this puzzle when it was first announced but eventually noticed it on Twitter, so I got a bit of a late start. Several people had already solved it when I began, one of them using Notepad. I didn't feel like writing yet another script, so I figured why not try…