亚洲免费在线-亚洲免费在线播放-亚洲免费在线观看-亚洲免费在线观看视频-亚洲免费在线看-亚洲免费在线视频

frame-jacking(clicking jacking, Redress issu

系統 2227 0

?

?

Brief

Currently there is a vulnerability of some application which is the application can be opened? inside a frame, and the application does not detect whether the application has been loaded in frames, which could lead to an attack by which users are persuaded to perform site actions without their knowledge. This is called clickJacking or UI Redress attacks.

Solutions

Even through there are no particularly reliable and non-intrusive ways for applications to prevent attacks, Relatively there are two major approach to fix this issue,? one is use frame-busting scripts which is a client side solution, another is setting the x-frame-options in the http header which is a server side solution.

  • Frame-busting scripts?

???????? This approach is to include JavaScript to detect having the page rendered within a cross-domain <IFRAME> , and try to break out of it, e.g.

?
                      try {
            if (top.location.hostname != self.location.hostname) throw 1;
         } catch (e) {
            top.location.href = self.location.href;
         }
                    
?

It should be noted that there is no strict guarantee that the update of top.location would always work,particularly if dummy setters are defined, or if there are collaborating, attacker-controlled <IFRAME> containers performing conflicting location updates through various mechanisms.A more drastic solution would be to also overwrite or hide the current document pending page transition,or to perform onclick checks on all UI actions, and deny them from within frames.
All of these mechanisms also fail if the user has JavaScript disabled globally, or for the attacked site.

Further more the busting scripts can be defeated also, one of the approach outlined below:

http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed/

???? Pros:

  • Almost all the browsers supproting this approach.

???? Cons:

  • if the JS was disabled this approach will not work.
  • This approach can also be defeated

???

  • X-FRAME-OPTION

    Back in January of 2009, IE8’s support for a new header-specified directive: X-Frame-Options, that can be used to mitigate ClickJacking attacks. As a declarative security measure, X-Frame-Options has minimal compatibility impact, but requires adoption by clients and servers in order to provide its security benefit.
    Web developers can send a HTTP header named X-FRAME-OPTIONS on HTML responses to restrict how the page may be framed. By setting this value to DENY which will prevent the page from rendering if it will be contained within frame.
    Different browser will have different behaviour, some browsers (e.g. IE, Opera) will show a message that allows the user to safely open the target page in a new window. Other implementations (e.g. Chrome, Safari) will simply render an empty frame.
    Pros:

  • This approach have no dependent on whether the JS was disabled or not.
  • Currently there is no bypass solution for this, if the browser support x-frame-options.

???????? Cons:

  • This approach will not take effect on some old version of browsers who is not supporting x-frame-options.

Browsers Supporting X-Frame-Options

  • IE8+
  • Opera 10.50+
  • Safari 4+
  • Chrome 4.1.249.1042+
  • Firefox 3.6.9 (or earlier with NoScript)

Testing result with x-frame-options set to DENY

Browser Version Results
Firefox 3.5.5 with NoScript 3.5.5 application was blocked with an option to open in another window
Chrome 21.0.1180.89 application was blocked with a blank frame
Safari 4.0.3 application was blocked with a blank frame
IE6 6.0 application can still been opened
IE7 ? ?
IE8 ? ?
Opera ? ?

Testing result with frame-busting scripts

Browser Version Results
Firefox 3.5.5 with NoScript 3.5.5 application will bust the window
Chrome 21.0.1180.89 application will bust the window
Safari 4.0.3 application will bust the window
IE6 6.0 application will bust the window
IE7 ? ?
IE8 ? ?
Opera ? ?

frame-jacking(clicking jacking, Redress issue)


更多文章、技術交流、商務合作、聯系博主

微信掃碼或搜索:z360901061

微信掃一掃加我為好友

QQ號聯系: 360901061

您的支持是博主寫作最大的動力,如果您喜歡我的文章,感覺我的文章對您有幫助,請用微信掃描下面二維碼支持博主2元、5元、10元、20元等您想捐的金額吧,狠狠點擊下面給點支持吧,站長非常感激您!手機微信長按不能支付解決辦法:請將微信支付二維碼保存到相冊,切換到微信,然后點擊微信右上角掃一掃功能,選擇支付二維碼完成支付。

【本文對您有幫助就好】

您的支持是博主寫作最大的動力,如果您喜歡我的文章,感覺我的文章對您有幫助,請用微信掃描上面二維碼支持博主2元、5元、10元、自定義金額等您想捐的金額吧,站長會非常 感謝您的哦!!!

發表我的評論
最新評論 總共0條評論
主站蜘蛛池模板: 青青久久国产成人免费网站 | 久久国产精品麻豆映画 | 五月婷婷免费视频 | 久久久综合色 | 日本不卡高清免费v | 高清一级毛片 | 欧美性猛交99久久久久99 | 99久久精品视香蕉蕉er热资源 | 99精品久久久久久久婷婷 | 亚洲精品日韩在线一区 | 九九精 | 日韩一区视频在线 | 亚色在线视频 | 麻豆国内精品久久久久久 | 日本aaaa视频 | 97久久国产一区二区三区四区 | 一区二区三区国产 | 国产成人高清视频免费播放 | 国产精品无码久久av | 日日噜噜爽爽狠狠视频 | 欧美日本激情 | 2021成人国产精品 | 国产欧美综合在线一区二区三区 | 91久久精品一区二区三区 | 亚洲欧美日本在线观看 | 精品少妇一区二区三区视频 | 欧美一区二区三区在线 | 亚洲欧美精品 | 成人短视频视频在线观看网站 | 日本中文在线三级在线播放 | 日本欧美一区二区三区在线 | aⅴ免费视频 | 九九热精品在线视频 | 波多野结衣一区2区3区 | 在线观看精品国内福利视频 | www.天天射 | 嘿咻成人免费视频欧美激情 | 亚洲精品国产一区二区图片欧美 | 一区二区三区在线 | 日本 | 久久91亚洲精品中文字幕 | 亚洲国产系列一区二区三区 |