Clickjacking and CSRF attacking OpenID
Convener: Andy Dale (=Andy)
- Steve Williams,
- Jeff Hodges,
- Larry Cymkin,
- Joe Steele
- Jon Nichols
- Paul Bryan
- Scott Bloomquis
Technology Discussed/Considered: Open ID, InfoCard (briefly) Discussion notes:
Overview of CSRF & clickjacking - Clickjacking can get around CSRF nonce protections
With OpenID - this becomes much worse
- redirect to target site via CSRF
- use click-jacking to have user OK on their OP site?
- Use frame-busting code
- Don't let GET change stuff
- POST is still vulnerable -- but can't do that from image tag
- Use nonces for forms (for CSRF -- Steve Williams @ Digg mentioned)
- can do this for OP login request also (allowed by OpenID)
- reverify at the RP before accepting auth
- Partition session cookies by process
- Show a dialog?
- Show an entry page always?
- Use HTTPS -- then Referrer header can be trusted
- Can education fix this?
Q: Does clicking on an IFrame transmit click to frames beneath?
- transparent, low opacity iframes make this question moot
- Transparent SSO is the issue -- global OP cookie is an example of this
- The real fix is intelligent clients --- maybe a better browser?
- If everything at RP is fixed -- you are ok
- no XSS vulns
- nonces for requests
- frame-busting code
- limited cross-domain policy
- supposed to mitigate vulnerabilities
- could expose more vulnerabilities
Q: Why does browser not prevent clicking when opacity drops below some level?
- what is that level?
- what about "look alike" sites which are not opaque?
Q: What about InfoCard?
- Charles Andres showed a UI-less clickin for InfoCard
- Exposes same vulnerability?