Forum Discussion

kohli9harjeev
Nimbostratus
Mar 30, 2017

Protection of XSSJacking

Hi Guys

 

New Attack Called “XSSJacking” Discovered That Combines Clickjacking, Pastejacking and Self-XSS Attacks

 

Does anyone know of any resolution to this vulnerability using ASM? Or will protection against XSS and Clickjacking be sufficient to resolve it?

 

Regards

 

2 Replies

  • The name "XSSJacking" was coined only a few days ago by researcher Dylan Ayrey. The attack is a combination of XSS, ClickJacking and CSRF - all these attacks are mitigated by F5 ASM individually and together.

     

  • PasteJacking is a CLIENT-side attack where a malicious site tricks the user into copying some text, then the malicious JavaScript code replaces the contents of the copied text in the clipboard with a malicious XSS payload. The malicious site then ASKs the user to paste it. Because it is a CLIENT-side attack starting on a MALICIOUS site (not protected by ASM), Pastejacking cannot be stopped, as it happens in the memory of the user's BROWSER. However, when the user pastes the XSS payload into a legitimate site (protected by ASM), ASM will DETECT the XSS in the input (provided the policy is configured correctly to detect and block XSS).