I (wrongly) assumed that JavaScript frame breakers were ineffective when a page is loaded in an iframe on IE using the security=restricted attribute. As it turns out, cookies are not allowed by default when that attribute is used, because the security settings of IE's Restricted zone are applied to the frame. My recommendation is to use frame breakers on administration pages and other sensitive actions to prevent a page from being included in an iframe without the user's knowledge.
Big thanks to Ambush Commander on the sla.ckers forums for the info; check out his CSRF magic script, which provides automagic protection for your PHP scripts. Mario also provides an alternative, specific to PHP5, which is also automagic.
So, in summary, frame breakers won't protect against all CSRF attacks using iframes, but they do provide good protection against CSS overlays when cookies are in use.
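As an added illustration of the recommendation above (this is example code, not a script from the post or from the CSRF magic project), here is a classic JavaScript frame breaker with its decision logic split out so it can be exercised outside a browser. The `isFramed` and `breakOut` function names are my own; `win` is assumed to be a browser `window` object, or a test double exposing the same `top`, `self` and `location` properties. As the post notes, the script cannot run at all inside an IE iframe using security=restricted, but in that mode the framed page is also loaded without the user's cookies, so it is not rendered in the user's session.

```javascript
// Added example: a frame breaker for sensitive pages (admin pages, pages that
// perform state-changing actions). Not code from the original post.

function isFramed(win) {
  // In a top-level document window.top === window.self.
  // Inside any frame or iframe, `top` is the outermost window instead.
  return win.top !== win.self;
}

function breakOut(win) {
  // If we are framed, navigate the outermost window to this document's own
  // URL, so the page is never left rendered inside another site's frame
  // (for example underneath a CSS overlay that hides what the user clicks).
  if (!isFramed(win)) {
    return false;
  }
  win.top.location = win.self.location.href;
  return true;
}

// Usage in a page: include this inline, early in <head>, before any
// clickable content is rendered:
//   <script>breakOut(window);</script>
if (typeof window !== 'undefined') {
  breakOut(window);
}
```

The script only helps on pages where it actually executes; it must be inline in the protected page itself, not a separately loaded resource that a framing page could prevent from loading.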
Comments (5)
well frames are still alive? Thought I have to go to the waybackmachine if I would like to see.
Posted 11 Aug 2008 at 10:33 am

frames and iframes can be used to fool you into clicking something that isn't what you think it is. Using a frame breaker can prevent this sort of attack
Posted 11 Aug 2008 at 11:31 am

Note that you can get around the cookie-in-frames restriction by supplying a p3p header.
Posted 11 Aug 2008 at 12:38 pm

@Evert
Interesting, could you provide an example of this? Are you saying it's possible to supply a browser security policy through HTTP headers?
Posted 11 Aug 2008 at 12:50 pm

One problem though, the anti-csrf seems vulnerable to overwriting GLOBALS. I skimmed through the code, but I cannot find any GLOBALS protection that prevents GLOBALS from being overwritten through REQUEST, GET, COOKIE, and SESSION.
Example:
somescript.php?GLOBALS[foo]=bar
Posted 12 Aug 2008 at 5:33 am