Subject: [OASIS Issue Tracker] (OSLCCORE-40) Potential click jacking issue for delegated dialogs


    [ https://issues.oasis-open.org/browse/OSLCCORE-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61836#comment-61836 ] 

Martin Pain commented on OSLCCORE-40:
-------------------------------------

I believe this sentence is the wrong way round: "Clickjacking is a vulnerability that can occur when a malicious (or compromised) web application embeds an OSLC delegated dialog (or UI preview) in their own web page, overlays the user's view by with other invisible layers or components, then tricks the user into clicking on a button in the unseen iframe by encouraging them to click on OSLC delegated dialog components that they can see."

To express it the other way round might be: "Clickjacking is a vulnerability that can occur when a malicious (or compromised) web application embeds an OSLC delegated dialog (or UI preview) in their own web page, then overlays on top of it other components, obscuring the delegated dialog from view. The malicious web application does this in such a way that when the user attempts to click on the visible components, the browser interprets this as a click on the obscured delegated dialog, and the components within it. The malicious web page encourages the user to click one of the visible components, which the user might believe will not have side-effects (such as a link saying "If you are not redirected within 2 seconds, click here"), but places that component over a component in the delegated dialog that the malicious page wishes the user to click unknowingly. The user attempts to click on the visible component, but the browser interprets that as a click on the hidden component, which will perform some action that the user is authorised to do (but the malicious web page is not) but that the user did not intend to perform."

I've put an example of how components can be overlaid like this here: https://jsfiddle.net/mbread/2k3u2ab9/

On second thoughts, the invisible option is another approach (example here: https://jsfiddle.net/mbread/h5cuzqtk/)
However, the text as it is currently in the spec doesn't describe the OSLC server as the server under attack. It's true that OSLC dialogs could be used as "bait" to encourage clicks on other components, but I think our concern is when the delegated dialog is the page under attack.

I'll have another attempt at re-wording:
"Clickjacking is a vulnerability that can occur when a malicious (or compromised) web application embeds an OSLC delegated dialog (or UI preview) in their own web page in a way that it is not visible to the user (or not obviously visible - either almost invisible, or hidden behind other components), but positions it such that when the user attempts to click on the visible components, the browser interprets this as a click on the obscured delegated dialog, and the components within it. The malicious web page encourages the user to click one of the visible components, which the user might believe will not have side-effects (such as a link saying "If you are not redirected within 2 seconds, click here"), but places that component over a component in the delegated dialog that the malicious page wishes the user to click unknowingly. The user attempts to click on the visible component, but the browser interprets that as a click on the hidden component, which will perform some action that the user is authorised to do (but the malicious web page is not) but that the user did not intend to perform."

> Potential click jacking issue for delegated dialogs
> ----------------------------------------------------
>
>                 Key: OSLCCORE-40
>                 URL: https://issues.oasis-open.org/browse/OSLCCORE-40
>             Project: OASIS OSLC Lifecycle Integration Core (OSLC Core) TC
>          Issue Type: Bug
>            Reporter: James Amsden
>            Assignee: James Amsden
>            Priority: Minor
>
> What
> There is a possibility that client applications that use OSLC delegated dialogs may be vulnerable to click jacking attacks. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.  
> Attack Use Case:
> - An attacker can create an attack page called jts_delete.html
> - Deploy the page to a server
> - Send a link to the Admin
> - When the Admin clicks the link they will be presented with a benign page. Maybe Something Like
>           "Authenticated with BSO"
>                  Click Continue
>                 
> From the screen shot the Attacker has overlaid this message on top of the debug console. As a result, the Attacker could align the click with any of the options shown in the screen shot:
> StopAll, RemoveAll, etc. On other pages there are other 1-click options.
> The point: the screen shot demonstrates that the DEBUG pages (and most pages in CLM) are click jacking vulnerable.
> Remediation
>              
> The TC should review delegated dialogs that are accessible from within the response, and determine whether they can be used by application users to perform any sensitive actions within the application. If so, then a framing attack targeting this response may result in unauthorized actions.
> To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.  
> The Core TC may want to provide guidance on how to protect from this sort of attack, and implement the prevention mechanism mentioned above. 



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
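The remediation quoted in the issue names X-Frame-Options DENY and SAMEORIGIN as the framing defence. The following is an added example (not code from the OSLC Core TC, the spec, or the JIRA issue) showing how a delegated-dialog server could emit those headers and how a reviewer could check a response's headers for framing protection; the function names are assumptions, and the CSP frame-ancestors directive is included as the modern equivalent the page does not mention.

```javascript
// Build response headers for a delegated dialog under a framing policy (assumed helper).
// "deny" blocks all framing; "sameorigin" allows only same-origin framing, the two
// X-Frame-Options values named in the issue. frame-ancestors is the CSP equivalent.
function framingHeaders(policy) {
  if (policy !== 'deny' && policy !== 'sameorigin') {
    throw new Error(`unknown framing policy: ${policy}`);
  }
  return {
    'X-Frame-Options': policy === 'deny' ? 'DENY' : 'SAMEORIGIN',
    'Content-Security-Policy':
      policy === 'deny' ? "frame-ancestors 'none'" : "frame-ancestors 'self'",
  };
}

// Reviewer check (assumed helper): could a cross-origin page frame a response with
// these headers? Header names are matched case-insensitively, as HTTP requires.
function assessFramingProtection(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : String(headers[key]).trim();
  };
  // Where both headers are present, browsers that support frame-ancestors prefer it.
  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim().toLowerCase())
      .find((d) => d.startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      // 'none' or 'self' alone block cross-origin framing; any other list needs review.
      if (sources.length === 1 && (sources[0] === "'none'" || sources[0] === "'self'")) {
        return { protected: true, reason: `CSP ${directive}` };
      }
      return { protected: false, reason: `CSP frame-ancestors allows ${sources.join(' ')}` };
    }
  }
  const xfo = get('x-frame-options');
  if (!xfo) return { protected: false, reason: 'no X-Frame-Options or frame-ancestors' };
  const value = xfo.toUpperCase();
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${value}` };
  }
  // ALLOW-FROM is obsolete and ignored by current browsers, so it offers no protection.
  return { protected: false, reason: `unsupported X-Frame-Options value: ${xfo}` };
}

// Constructed sample responses: a dialog with no framing headers, and one hardened with DENY.
const unprotectedDialog = { 'Content-Type': 'text/html' };
const hardenedDialog = { 'Content-Type': 'text/html', ...framingHeaders('deny') };
```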

