
Update: Clickjacking_Defense_Cheat_Sheet.md to address Double Clickjacking #1577

Open
@kwwall

Description

@kwwall
Collaborator

What is missing or needs to be updated?

The Clickjacking_Defense_Cheat_Sheet.md cheat sheet does not account for defenses from the new related attack dubbed "Double Clickjacking".

How should this be resolved?

At a minimum, we need to update this to mention that some of the defenses mentioned in the current CS are not effective. (Paulos Yibelo's blog post did not explicitly mention whether frame-busting script was still effective, but it did note that relying only on header defenses such as the CSP frame-ancestors directive or X-Frame-Options, or on the "SameSite" cookie attribute, was not effective.)

Other

Note: Do not ask me to submit a PR to address this issue as my depth of JavaScript is not sufficient for that. I only know enough to be effective at secure code reviews in regards to that.
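The issue above notes that header-only defenses do not stop this attack variant. The following is an added example, not code from the OWASP cheat sheet or from anyone in this thread, of one complementary client-side measure: keep sensitive controls disabled until the page itself has observed genuine pointer or keyboard activity, wait a short arming delay, and then honour only trusted (user-initiated) click events. The function names, the `data-sensitive` selector and the 500 ms default are this example's own assumptions; the CSP `frame-ancestors` and `X-Frame-Options` headers already in the cheat sheet stay in place alongside it.

```javascript
// Added example: an "action gate" for sensitive buttons. The gating logic is
// kept DOM-free so it can be tested; installActionGate() wires it to a page.
// All names and the 500 ms default are assumptions of this example.

const DEFAULT_ARM_DELAY_MS = 500;

function createActionGate(options = {}) {
  const armDelayMs = options.armDelayMs ?? DEFAULT_ARM_DELAY_MS;
  const now = options.now ?? (() => Date.now()); // injectable clock
  let interactionAt = null; // time of the first pointer/keyboard activity

  return {
    armDelayMs,
    // Called from pointermove / keydown listeners on the page itself.
    notifyInteraction() {
      if (interactionAt === null) interactionAt = now();
    },
    // Armed only once the delay after the first interaction has elapsed.
    isArmed() {
      return interactionAt !== null && now() - interactionAt >= armDelayMs;
    },
    // A click on a sensitive control proceeds only if it is a trusted
    // (user-initiated, not script-dispatched) event and the gate is armed.
    shouldAllowClick(event) {
      if (!event || event.isTrusted !== true) return false;
      return this.isArmed();
    },
    reset() {
      interactionAt = null;
    },
  };
}

// Attach the gate to matching controls. `doc` is injected so the function is
// a harmless no-op (returns 0) outside a browser. Returns the control count.
function installActionGate(doc, selector, gate) {
  if (!doc || typeof doc.querySelectorAll !== 'function') return 0;
  const controls = Array.from(doc.querySelectorAll(selector));
  for (const el of controls) el.disabled = true; // disabled until armed

  const arm = () => {
    gate.notifyInteraction();
    setTimeout(() => {
      if (gate.isArmed()) for (const el of controls) el.disabled = false;
    }, gate.armDelayMs + 10);
  };
  doc.addEventListener('pointermove', arm, { once: true });
  doc.addEventListener('keydown', arm, { once: true });

  for (const el of controls) {
    // Capture phase so this check runs before the application's own handler.
    el.addEventListener('click', (ev) => {
      if (!gate.shouldAllowClick(ev)) {
        ev.preventDefault();
        ev.stopImmediatePropagation();
      }
    }, true);
  }
  return controls.length;
}

// Browser usage; skipped when no DOM is present (e.g. under Node).
if (typeof document !== 'undefined') {
  installActionGate(document, 'button[data-sensitive]', createActionGate());
}
```

The gate refuses both early clicks (before the page has seen real user activity plus the arming delay) and clicks whose `isTrusted` flag is false; it does not replace the `frame-ancestors` / `X-Frame-Options` headers, which still prevent the page from being embedded in the first place.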

Activity

Labels added on Jan 5, 2025:
- ACK_WAITING: Issue waiting acknowledgement from core team before starting the work to fix it.
- UPDATE_CS: Issue about the update/refactoring of an existing cheat sheet.
- HELP_WANTED: Issue for which help is wanted to do the job.

Title changed on Jan 6, 2025 from "Update: Clickjacking_Defense_Cheat_Sheet.md" to "Update: Clickjacking_Defense_Cheat_Sheet.md to address Double Clickjacking".
mackowski (Collaborator) commented on Jan 7, 2025

Thanks @kwwall! This is a good issue

Label added on Jan 7, 2025: ACK_OBTAINED (Issue acknowledged from core team so work can be done to fix it.)
Label removed: ACK_WAITING.
yashgoyal0110 commented on Jan 11, 2025

Anyone still working on it?

mackowski (Collaborator) commented on Jan 14, 2025

@yashgoyal0110 no-one is working on this currently. Do you want to help?

caffeine-rohit (Contributor) commented on Feb 1, 2025

This is a critical security issue that needs to be addressed. I understand how Double Clickjacking works and why CSP, X-Frame-Options, and SameSite cookies are insufficient to fight it. Fixing this requires strengthening client-side defenses with JavaScript and enhancing server-side security with improved headers and frame-busting mechanisms.
Let me know if I can proceed with the fix.
@mackowski @kwwall @szh

kwwall (Collaborator, Author) commented on Feb 1, 2025

@caffeine-rohit - Go for it. Please see the more detailed response I left you on OWASP Slack.

Label removed on Feb 5, 2025: HELP_WANTED.
Issue #1577 · OWASP/CheatSheetSeries