[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (OSLCCORE-40) Potential click jacking issue for delegated dialogs
[ https://issues.oasis-open.org/browse/OSLCCORE-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61045#comment-61045 ]
Martin Pain commented on OSLCCORE-40:
-------------------------------------
To clarify, for this to be exploited it presumably requires one of two things:
- The victim user must load a page on the malicious server, or
- A trusted server must be convinced to load a page from the malicious server in an iframe (which then itself loads another iframe on the targetted server, and overlays this iframe).
The first one would require social engineering to get the user to trust that page. The second would require either social engineering to get the user to configure their trusted server to trust the malicious server, or a separate vulnerability (I'm not aware of any reported) to force that trusted server to trust the malicious server.
Obviously social engineering is possible (and involved in most attacks). Whitelisting dialog clients changes the social engineering required, as it would require changes to the dialog server, not the dialog client or user at the time of the clickjacking. Which is probably a better situation, but does devalue OSLC dialogs somewhat as it would introduce extra steps to get an environment where they would work.
(Just my train of thought. I'm by no means a security expert.)
> Potential click jacking issue for delegated dialogs
> ----------------------------------------------------
>
> Key: OSLCCORE-40
> URL: https://issues.oasis-open.org/browse/OSLCCORE-40
> Project: OASIS OSLC Lifecycle Integration Core (OSLC Core) TC
> Issue Type: Bug
> Reporter: James Amsden
> Assignee: James Amsden
> Priority: Minor
>
> What
> We have found that MOST of Rational CLM is vulnerable to click jacking attacks, specifically the debug pages are vulnerable so we will use these as an example POC. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.
> Attack Use Case:
> - An attacker can create an attack page called jts_delete.html
> - Deploy the page to a server
> - Send a link to the Admin
> - When the Admin clicks the link they will be presented with a benign page. Maybe Something Like
> "Authenticated with BSO"
> Click Continue
>
> From the screen shot the Attacker has over layed this message on top of the debug console. As a result, the Attacker could align the click with any of the options shown in the screen shot.
> StopAll, RemoveAll, etc... .on other pages there are other 1 click options.
> the point, the screen shot demonstrates that the DEBUG pages (and most pages in CLM) are click jacking vulnerable.
> Remediation
>
> The Team(s) should review the application functions that are accessible from within the response, and determine whether they can be used by application users to perform any sensitive actions within the application. If so, then a framing attack targeting this response may result in unauthorized actions.
> To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.
> The Core TC may want to provide guidance on how to protect from this sort of attack, and implement the prevention mechanism mentioned above.
--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]