Comment 0 for bug 1298784

Julian Edwards (julian-edwards) wrote :

= Impact =
A remote attacker could trick users into performing unintended actions within the application.

= Details =
The MAAS application has no protection against user-interface redressing attacks like clickjacking. By
displaying the application in carefully constructed iframes on an unrelated domain, an attacker may
be able to deceive users into performing one- or two-click actions in the context of the application,
such as deploying a charm. The impact of a successful clickjacking attack is similar to that of cross-site
request forgery.
See http://www.sectheory.com/clickjacking.htm for a worked demonstration of a clickjacking attack.

= Exploitability =
An attacker can only create exploits for forms that he would be able to view, as he would need to
know the URL and positioning of the target forms. The attacker would also have to persuade a
logged-in user to visit and click once or twice on the page under his control.
A well-executed clickjacking attack is likely to go unnoticed by its victims.

= Remediation =
The application should instruct browsers not to allow other websites to load it in a frame, by adding
the X-Frame-Options: SAMEORIGIN server header.
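As an added illustration of the remediation above (example code, not MAAS's own), the following framework-neutral Python shows both halves a practitioner wants: a WSGI wrapper that stamps `X-Frame-Options: SAMEORIGIN` on every response, and a small `framing_protection` check that classifies a response's headers so a test suite or scanner can confirm the fix landed. The app, driver and header names below are constructed for the example; `add_frame_options`, `framing_protection` and `run_wsgi` are hypothetical helper names.

```python
# Added example (not MAAS code): add an anti-framing header at the WSGI layer and
# verify, from the response headers alone, that a page can no longer be framed
# by an unrelated origin.


def add_frame_options(app, policy="SAMEORIGIN"):
    """Wrap a WSGI app so every response carries a single X-Frame-Options header."""
    def wrapped(environ, start_response):
        def _start_response(status, headers, exc_info=None):
            # Drop any pre-existing X-Frame-Options so exactly one policy is sent;
            # duplicate or conflicting values are treated inconsistently by browsers.
            headers = [(k, v) for (k, v) in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, _start_response)
    return wrapped


def framing_protection(headers):
    """Classify a response's anti-framing posture from its header list.

    Returns "csp" when a Content-Security-Policy frame-ancestors directive is
    present (browsers that support it give it precedence over X-Frame-Options),
    "deny" or "sameorigin" for the two reliable X-Frame-Options values, and
    "none" when no recognised protection is sent.
    """
    lowered = {k.lower(): v for k, v in headers}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, _ = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return "csp"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    return "none"


def run_wsgi(app, path="/"):
    """Minimal in-process WSGI driver; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def unprotected_app(environ, start_response):
    # Constructed stand-in for an application page that sends no anti-framing header.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form action='/deploy' method='post'>...</form>"]


if __name__ == "__main__":
    _, before, _ = run_wsgi(unprotected_app)
    _, after, _ = run_wsgi(add_frame_options(unprotected_app))
    print("before:", framing_protection(before))  # none
    print("after:", framing_protection(after))    # sameorigin
```

In a Django deployment the same effect comes from Django's own `django.middleware.clickjacking.XFrameOptionsMiddleware`; the checker above is useful regardless of framework, because the header must be present on every HTML response, not only the ones an individual view remembered to protect.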