OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

oslc-core message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] (OSLCCORE-40) Potential click jacking issue for delegated dialogs

    [ https://issues.oasis-open.org/browse/OSLCCORE-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61830#comment-61830 ] 

James Amsden commented on OSLCCORE-40:

On today's TC meeting, and a subsequent email from Martin, we can summarize the following regarding click jacking in the delegated dialog spec:

1. There are many possible security issues with any application built on the WWW technologies (HTTP, REST, LDP, etc.)

2. OSLC specifications should only address unique security issues exposed by OSLC introduced capabilities, such as Delegated Dialogs.

3. Delegated dialogs do pose a specific problem beyond other pages that contain action buttons, in that delegated dialogs are specifically intended to be embedded in other web pages. The key consequence of this is that the protections that are usually available for preventing click jacking are not appropriate for delegated dialogs. 

Specifically the protections to prevent the page (dialog) from being embedded in all other pages would prevent delegated dialogs from being used in a significant proportion of their uses cases.

4. Therefore, it is appropriate to include the click jacking section in the delegated dialog specification as guidance to implementers, even though it does not include any normative content.

TC members, especially Martin and Ian, should review that section to see if there are any further changes needed.

> Potential  click jacking issue for delegated dialogs
> ----------------------------------------------------
>                 Key: OSLCCORE-40
>                 URL: https://issues.oasis-open.org/browse/OSLCCORE-40
>             Project: OASIS OSLC Lifecycle Integration Core (OSLC Core) TC
>          Issue Type: Bug
>            Reporter: James Amsden
>            Assignee: James Amsden
>            Priority: Minor
> What
> There is a possibility that client applications that use OSLC delegated dialogs may be vulnerable to click jacking attacks. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.  
> Attack Use Case:
> - An attacker can create an attack page called jts_delete.html
> - Deploy the page to a server
> - Send a link to the Admin
> - When the Admin clicks the link they will be presented with a benign page. Maybe Something Like
>           "Authenticated with BSO"
>                  Click Continue
> From the screen shot the Attacker has over layed this message on top of the debug console. As a result, the Attacker could align the click with any of the options shown in the screen shot.
> StopAll, RemoveAll, etc... .on other pages there are other 1 click options.
> the point, the screen shot demonstrates that the DEBUG pages (and most pages in CLM) are click jacking vulnerable.
> Remediation
> The TC should review delegated dialogs that are accessible from within the response, and determine whether they can be used by application users to perform any sensitive actions within the application. If so, then a framing attack targeting this response may result in unauthorized actions.
> To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.  
> The Core TC may want to provide guidance on how to protect from this sort of attack, and implement the prevention mechanism mentioned above. 

This message was sent by Atlassian JIRA

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]