Update: Clickjacking_Defense_Cheat_Sheet.md to address Double Clickjacking #1577
Labels:
ACK_OBTAINED: Issue acknowledged from core team so work can be done to fix it.
UPDATE_CS: Issue about the update/refactoring of an existing cheat sheet.
What is missing or needs to be updated?
The Clickjacking_Defense_Cheat_Sheet.md cheat sheet does not account for defenses from the new related attack dubbed "Double Clickjacking".
How should this be resolved?
At a minimum, we need to update this to mention that some of the defenses mentioned in the current CS are not effective. (Paulos Yibelo's blog post did not explicitly mention whether frame-busting script was still effective, but it did note that relying only on header defenses such as the CSP frame-ancestors directive or X-Frame-Options, or on the "SameSite" cookie attribute, was not effective.)
Other
Note: Do not ask me to submit a PR to address this issue, as my depth of JavaScript is not sufficient for that. I only know enough to be effective at secure code reviews with regard to that.
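Since the header-based defenses listed above (X-Frame-Options, CSP frame-ancestors, SameSite cookies) only govern framing and cross-site requests, they have nothing to act on when the sensitive page is simply navigated to at top level between the two clicks of a double-click. The remaining lever is client-side: keep the sensitive control disabled until the page has seen a genuine interaction (a mouse movement or key press), which is the stopgap Yibelo's post suggests. The following is an added example written for this issue, not code from the cheat sheet or from the blog post. The class and function names (`GestureGate`, `installGestureGate`), the `#authorize` selector and the 1000 ms "time since load" threshold are assumptions for illustration; the time-since-load check is an extra heuristic added here on top of the interaction check.

```javascript
// Added example: a client-side "gesture gate" for a sensitive button such as an
// OAuth "Authorize" button. In double clickjacking the target page receives the
// SECOND click of the victim's double-click, so that click arrives (a) without any
// preceding mousemove/keydown/touchstart on this page and (b) within the
// double-click interval of page load. The gate refuses clicks until both are false.

class GestureGate {
  // loadedAt: timestamp (ms) at which the sensitive page finished loading.
  // minMsSinceLoad: assumed threshold (1000 ms) chosen for this example only.
  constructor(loadedAt, minMsSinceLoad = 1000) {
    this.loadedAt = loadedAt;
    this.minMsSinceLoad = minMsSinceLoad;
    this.interactedAt = null; // first genuine interaction seen on this page
  }

  // Record a genuine interaction (mousemove, keydown, touchstart).
  observeInteraction(now) {
    if (this.interactedAt === null) this.interactedAt = now;
  }

  // True once the button may be enabled.
  isArmed(now) {
    return this.interactedAt !== null && now - this.loadedAt >= this.minMsSinceLoad;
  }

  // Verdict for a click at time `now`; a reason string lets the caller log rejections.
  evaluateClick(now) {
    if (this.interactedAt === null) return "rejected: no prior interaction on this page";
    if (now - this.loadedAt < this.minMsSinceLoad) return "rejected: click too soon after load";
    return "allowed";
  }
}

// Browser wiring. The click listener is registered in the capture phase so the
// application's own click handler never runs for a rejected click.
function installGestureGate(button, doc, { now = () => Date.now(), minMsSinceLoad = 1000 } = {}) {
  const gate = new GestureGate(now(), minMsSinceLoad);
  button.disabled = true;

  const onInteract = () => {
    gate.observeInteraction(now());
    if (gate.isArmed(now())) button.disabled = false;
  };
  for (const type of ["mousemove", "keydown", "touchstart"]) {
    doc.addEventListener(type, onInteract, { passive: true });
  }
  // If the interaction came before the load delay elapsed, re-check afterwards.
  setTimeout(() => { if (gate.isArmed(now())) button.disabled = false; }, minMsSinceLoad);

  button.addEventListener("click", (ev) => {
    const verdict = gate.evaluateClick(now());
    if (verdict !== "allowed") {
      ev.preventDefault();
      ev.stopImmediatePropagation();
      console.warn("click blocked:", verdict);
    }
  }, true);

  return gate;
}

// In a real page: protect the sensitive button (selector is an assumption).
if (typeof document !== "undefined") {
  const btn = document.querySelector("#authorize");
  if (btn) installGestureGate(btn, document);
}
```

This is a heuristic, not a substitute for the header defenses, which are still needed against classic framing: a user who naturally moves the mouse on the target page before the second click will arm the button, and the load-delay threshold trades a short wait for legitimate users against the double-click interval the attack depends on. Server-side confirmation steps for irreversible actions remain the stronger control.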