CSS overlays and frame breakers

I (wrongly) assumed that Javascript frame breakers were ineffective when using iframes on IE when using the security=restricted attribute. As it turns out cookies are not allowed by default when using the attribute because the security settings are applied from IE restricted zone. My recommendation is to use frame breakers on administration pages and other sensitive actions to prevent iframe inclusion of a page without the users knowledge.

Big thanks to Ambush commander on the sla.ckers forums for the info, check out his CSRF magic script which provides automagic protection for your PHP scripts. Mario also provides an alternative which is specific to PHP5 also automagic 🙂

So in summary frame breakers won’t protect against all CSRF attacks using iframes but do provide good protection against CSS overlays when using cookies.

5 Responses to “CSS overlays and frame breakers”

  1. Johny writes:

    well frames are still alive? Thought i have to go to the waybackmachine if i would like to see.

  2. Gareth Heyes writes:

    frames and iframes can be used to fooling you into clicking something that isn’t what you think it is. Using a frame breaker can prevent this sort of attack

  3. Evert writes:

    Note that you can get around the cookie-in-frames restriction by supplying a p3p header.

  4. Gareth Heyes writes:

    @Evert

    Interesting, could you provide a example of this? Are you saying it’s possible to supply a browser security policy through http headers?

  5. rvdh writes:

    One problem though, the anti-csrf seems vulnerable to overwriting GLOBALS. I skimmed through the code, but I cannot find any GLOBALS protection that prevent GLOBALS from being overwritten though REQUEST, GET, COOKIE, and SESSION.

    Example:

    somescript.php?GLOBALS[foo]=bar