Code:
    Accept SUB from SELF++

Code:
    Accept INCLUSION(SUBDOC) from SELF++
I believe the above two rulesets are functionally identical. In either case, I expected the ruleset to always Anonymize a site if it is within an iframe, unless the iframe's parent is part of the same site.
In reality, that is not the result. Instead, "from SELF++" compares not to the parent, but rather to the most recent request (which may originate within the iframe). This is particularly surprising with the "Accept INCLUSION(SUBDOC) from SELF++" version of the ruleset: in cases where the site is not an inclusion from itself, as the line reads, the request is Accept'ed anyway (this is because ABE instead reads it as "the site is an inclusion" (comma) "and it is a request from itself").
evil.com has an iframe to bank.com. When the iframe initially loads, the request is Anonymize'd (the user is not logged in). However, any subsequent request initiated within the iframe no longer gets Anonymize'd, because it is considered "from" bank.com. Therefore simply clicking a link within the iframe logs the user in (assuming they didn't log out the last time they accessed bank.com).
So evil.com can clickjack to log the user in, and then continue clickjacking after the user has been logged in to do evil things (assuming other protections against clickjacking are not enabled or have been bypassed, either of which is possible).
If the behavior I have described is not a bug, could you please add a way for ABE to compare against the i/frame's parent?
This would also render the [RFE] option to disable password filling for i/frames moot with respect to clickjacking.
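The scenario described in the post, as an added example that is not part of the original post and is not NoScript's or ABE's own code: a small JavaScript model that evaluates a ruleset equivalent to "Site bank.com / Accept SUB from SELF++ / Anonymize" under the two readings of "from SELF++" the post contrasts. The request field names (target, initiator, parent), the "Site bank.com" line, and the way SELF++ is matched (the site or any of its subdomains) are simplifying assumptions for the model, not ABE's actual implementation.

```javascript
'use strict';

// Added example (not NoScript/ABE code): a toy model of the two readings of
// "from SELF++" that the post contrasts, applied to a ruleset equivalent to
//   Site bank.com
//   Accept SUB from SELF++
//   Anonymize
// Rule syntax, request field names and the SELF++ matcher are assumptions
// made for this model only.

// SELF++ is modelled here as "the site itself or any subdomain of it".
function matchesSelfPlusPlus(site, host) {
  return host === site || host.endsWith('.' + site);
}

// One sub-document request as this model sees it (field names are assumptions):
//   target    host being loaded into the frame
//   initiator host of the document that issued this particular request
//   parent    host of the document that embeds the frame
// mode selects which host "from SELF++" is compared against:
//   'initiator' is the behaviour the post observed (most recent request),
//   'parent'    is the behaviour the post expected and asks for.
function decide(site, req, mode) {
  if (req.target !== site) return 'no-match';
  const origin = mode === 'parent' ? req.parent : req.initiator;
  return matchesSelfPlusPlus(site, origin) ? 'Accept' : 'Anonymize';
}

// Constructed scenario from the post: evil.com embeds bank.com in an iframe,
// the frame loads, and the user then clicks a link inside the frame.
// A third, constructed case shows that a frame embedded by bank.com itself
// (a www subdomain here) is Accept'ed under either reading.
const SCENARIO = [
  { label: 'initial iframe load', target: 'bank.com', initiator: 'evil.com',     parent: 'evil.com' },
  { label: 'click inside iframe', target: 'bank.com', initiator: 'bank.com',     parent: 'evil.com' },
  { label: 'self-embedded frame', target: 'bank.com', initiator: 'www.bank.com', parent: 'www.bank.com' },
];

// Returns { label: decision } for every request in the scenario.
function runScenario(mode) {
  const out = {};
  for (const req of SCENARIO) out[req.label] = decide('bank.com', req, mode);
  return out;
}

for (const mode of ['initiator', 'parent']) {
  console.log(`compare "from SELF++" against ${mode}:`, runScenario(mode));
}
```

Under the 'initiator' reading the second request is Accept'ed (the login the post describes goes through); under the 'parent' reading it stays Anonymize'd because the embedding document is still evil.com, which is the comparison the post asks ABE to offer.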