CSS overlays and frame breakers
Sunday, 10 August 2008
I (wrongly) assumed that JavaScript frame breakers were ineffective against iframes on IE that use the security=restricted attribute. As it turns out, cookies are not allowed by default when using the attribute, because the security settings are applied from IE's restricted zone. My recommendation is to use frame breakers on administration pages and other sensitive actions to prevent iframe inclusion of a page without the user's knowledge.
Big thanks to Ambush commander on the sla.ckers forums for the info; check out his CSRF magic script, which provides automagic protection for your PHP scripts. Mario also provides an alternative which is specific to PHP5 and also automagic 🙂
So, in summary, frame breakers won’t protect against all CSRF attacks using iframes, but they do provide good protection against CSS overlays when using cookies.
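A frame breaker for the administration pages mentioned above, as an added example that is not code from the original post. It assumes the page is served hidden by default via CSS, so that nothing is displayed in a frame where scripting is disabled and the breaker never runs; the function names and the fakeWindow stub are hypothetical.

```javascript
// Added example (not from the original post). Assumes the sensitive page ships with
// <style>html { display: none }</style>, so it renders nothing unless this script runs.

// True when the page is not the top-level browsing context.
function isFramed(win) {
  return win.top !== win.self;
}

// Reveal the page only at top level; when framed, keep it hidden and try to
// replace the embedding page with this one.
function enforceTopLevel(win) {
  if (!isFramed(win)) {
    win.document.documentElement.style.display = "block";
    return "shown";
  }
  try {
    win.top.location = win.self.location.href;
    return "redirected";
  } catch (e) {
    // Navigation refused by the embedding context: the page simply stays hidden.
    return "hidden";
  }
}

// Constructed stand-in for a browser window, so the logic can be run outside a browser.
function fakeWindow(framed) {
  const win = {
    document: { documentElement: { style: { display: "none" } } },
    location: { href: "https://app.example/admin" },
  };
  win.self = win;
  win.top = framed ? { location: "https://embedder.example/" } : win;
  return win;
}

if (typeof window !== "undefined") {
  enforceTopLevel(window);
}
```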
No. 1 — August 11th, 2008 at 10:33 am
Well, frames are still alive? Thought I have to go to the Wayback Machine if I would like to see.
No. 2 — August 11th, 2008 at 11:31 am
Frames and iframes can be used to fool you into clicking something that isn’t what you think it is. Using a frame breaker can prevent this sort of attack.
No. 3 — August 11th, 2008 at 12:38 pm
Note that you can get around the cookie-in-frames restriction by supplying a P3P header.
No. 4 — August 11th, 2008 at 12:50 pm
@Evert
Interesting, could you provide an example of this? Are you saying it’s possible to supply a browser security policy through HTTP headers?
No. 5 — August 12th, 2008 at 5:33 am
One problem though, the anti-CSRF seems vulnerable to overwriting GLOBALS. I skimmed through the code, but I cannot find any GLOBALS protection that prevents GLOBALS from being overwritten through REQUEST, GET, COOKIE, and SESSION.
Example:
somescript.php?GLOBALS[foo]=bar