
Update: Clickjacking_Defense_Cheat_Sheet.md to address Double Clickjacking

Open kwwall opened this issue 11 months ago • 5 comments

What is missing or needs to be updated?

The Clickjacking_Defense_Cheat_Sheet.md cheat sheet does not account for defenses from the new related attack dubbed "Double Clickjacking".

How should this be resolved?

At a minimum, we need to update this to mention that some of the defenses mentioned in the current CS are not effective. (Paulos Yibelo's blog post did not explicitly mention whether frame-busting script was still effective, but it did note that relying only on header defenses such as the CSP frame-ancestors directive or X-Frame-Options, or on the "SameSite" cookie attribute, was not effective.)

Other

Note: Do not ask me to submit a PR to address this issue as my depth of JavaScript is not sufficient for that. I only know enough to be effective at secure code reviews in regards to that.

kwwall avatar Jan 05 '25 16:01 kwwall
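The issue above says why the header-based defenses fall short: in double clickjacking the sensitive page is a top-level window, not a frame, so `frame-ancestors`, `X-Frame-Options` and `SameSite` never come into play, and the second click is a genuine user click (`event.isTrusted` is true). The example below is added here as an illustration and is not code from the OWASP cheat sheet or from anyone in this thread. It shows the kind of client-side mitigation the thread refers to: a "user-intent gate" that keeps sensitive controls inert until the page has observed a real pointer or keyboard gesture and has been open for a minimum dwell time, then rejects a click that arrives before that. The `MIN_DWELL_MS` value, the `[data-sensitive]` selector and the `blockedReason` telemetry field are assumptions for the example, and the fake document at the bottom exists only so it runs under Node; in a browser you would pass the real `document`.

```javascript
// Added example (not from the OWASP cheat sheet or this issue's participants).
// A "user-intent gate" for sensitive controls. MIN_DWELL_MS is an assumed
// tunable threshold, not a standard value.
const MIN_DWELL_MS = 500;

// Pure gate logic, kept separate from the DOM so it can be tested.
// `now` is injectable for deterministic tests.
function createIntentGate(now = () => Date.now()) {
  const state = { openedAt: now(), gestureSeen: false };
  return {
    onGesture() {
      state.gestureSeen = true;
    },
    // Decide whether a click on a sensitive control should be honoured.
    checkClick() {
      const dwell = now() - state.openedAt;
      if (!state.gestureSeen) {
        return { allowed: false, reason: 'no prior user gesture on this page' };
      }
      if (dwell < MIN_DWELL_MS) {
        return { allowed: false, reason: `page open only ${dwell} ms` };
      }
      return { allowed: true, reason: 'ok' };
    },
  };
}

// Wire the gate to a document-like object (the real `document` in a browser).
// Selector `[data-sensitive]` is an assumption for the example.
function installIntentGate(doc, gate, selector = '[data-sensitive]') {
  for (const type of ['mousemove', 'keydown', 'touchstart']) {
    doc.addEventListener(type, () => gate.onGesture(), { passive: true });
  }
  // Capture-phase listener: runs before the control's own click handler.
  doc.addEventListener('click', (event) => {
    const target = event.target;
    if (!target || typeof target.matches !== 'function' || !target.matches(selector)) return;
    const verdict = gate.checkClick();
    if (!verdict.allowed) {
      event.preventDefault();
      event.stopImmediatePropagation();
      event.blockedReason = verdict.reason; // assumption: app-specific telemetry hook
    }
  }, true);
}

// --- Constructed fake DOM so the example runs offline under Node ---
function makeFakeDocument() {
  const listeners = {};
  return {
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    dispatch(type, event) {
      for (const fn of listeners[type] || []) {
        fn(event);
        if (event.stopped) break;
      }
      return event;
    },
  };
}

// Replay a constructed timeline of {t, type} events against a fresh page and
// report whether the click on the sensitive control was accepted.
function simulate(timeline) {
  let clock = 0;
  const gate = createIntentGate(() => clock);
  const doc = makeFakeDocument();
  installIntentGate(doc, gate);
  let result = null;
  for (const step of timeline) {
    clock = step.t;
    const event = {
      type: step.type,
      target: { matches: (sel) => sel === '[data-sensitive]' },
      defaultPrevented: false,
      stopped: false,
      preventDefault() { this.defaultPrevented = true; },
      stopImmediatePropagation() { this.stopped = true; },
    };
    doc.dispatch(step.type, event);
    if (step.type === 'click') {
      result = { accepted: !event.defaultPrevented, reason: event.blockedReason || 'ok' };
    }
  }
  return result;
}

// Double clickjacking: the victim's second click lands ~50 ms after the
// target page appears, with no gesture ever made on that page.
const attack = simulate([{ t: 50, type: 'click' }]);
// Legitimate user: moves the mouse, reads the page, then clicks.
const legit = simulate([{ t: 100, type: 'mousemove' }, { t: 900, type: 'click' }]);
console.log('attack accepted:', attack.accepted, '-', attack.reason);
console.log('legit accepted:', legit.accepted, '-', legit.reason);
```

Two caveats a reviewer of the cheat sheet would want stated: a gate like this is a usability trade-off (keyboard and assistive-technology users must still be able to arm it, which is why `keydown` counts as a gesture), and it does not replace the header defenses, which remain necessary against ordinary framing-based clickjacking.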

Thanks @kwwall! This is a good issue

mackowski avatar Jan 07 '25 13:01 mackowski

anyone still working on it?

yashgoyal0110 avatar Jan 11 '25 08:01 yashgoyal0110

@yashgoyal0110 no-one is working on this currently. Do you want to help?

mackowski avatar Jan 14 '25 18:01 mackowski

This is a critical security issue that needs to be addressed. I understand how Double Clickjacking works and why CSP, X-Frame-Options, and SameSite cookies are insufficient to fight it. Fixing this requires strengthening client-side defenses with JavaScript and enhancing server-side security with improved headers and frame-busting mechanisms. Let me know if I can proceed with the fix. @mackowski @kwwall @szh

caffeine-rohit avatar Feb 01 '25 06:02 caffeine-rohit

@caffeine-rohit - Go for it. Please see the more detailed response I left you on OWASP Slack.

kwwall avatar Feb 01 '25 18:02 kwwall