亚洲免费在线-亚洲免费在线播放-亚洲免费在线观看-亚洲免费在线观看视频-亚洲免费在线看-亚洲免费在线视频

frame-jacking(clicking jacking, Redress issu

系統 2227 0

?

?

Brief

Currently there is a vulnerability of some application which is the application can be opened? inside a frame, and the application does not detect whether the application has been loaded in frames, which could lead to an attack by which users are persuaded to perform site actions without their knowledge. This is called clickJacking or UI Redress attacks.

Solutions

Even through there are no particularly reliable and non-intrusive ways for applications to prevent attacks, Relatively there are two major approach to fix this issue,? one is use frame-busting scripts which is a client side solution, another is setting the x-frame-options in the http header which is a server side solution.

  • Frame-busting scripts?

???????? This approach is to include JavaScript to detect having the page rendered within a cross-domain <IFRAME> , and try to break out of it, e.g.

?
                      try {
            if (top.location.hostname != self.location.hostname) throw 1;
         } catch (e) {
            top.location.href = self.location.href;
         }
                    
?

It should be noted that there is no strict guarantee that the update of top.location would always work,particularly if dummy setters are defined, or if there are collaborating, attacker-controlled <IFRAME> containers performing conflicting location updates through various mechanisms.A more drastic solution would be to also overwrite or hide the current document pending page transition,or to perform onclick checks on all UI actions, and deny them from within frames.
All of these mechanisms also fail if the user has JavaScript disabled globally, or for the attacked site.

Further more the busting scripts can be defeated also, one of the approach outlined below:

http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed/

???? Pros:

  • Almost all the browsers supproting this approach.

???? Cons:

  • if the JS was disabled this approach will not work.
  • This approach can also be defeated

???

  • X-FRAME-OPTION

    Back in January of 2009, IE8’s support for a new header-specified directive: X-Frame-Options, that can be used to mitigate ClickJacking attacks. As a declarative security measure, X-Frame-Options has minimal compatibility impact, but requires adoption by clients and servers in order to provide its security benefit.
    Web developers can send a HTTP header named X-FRAME-OPTIONS on HTML responses to restrict how the page may be framed. By setting this value to DENY which will prevent the page from rendering if it will be contained within frame.
    Different browser will have different behaviour, some browsers (e.g. IE, Opera) will show a message that allows the user to safely open the target page in a new window. Other implementations (e.g. Chrome, Safari) will simply render an empty frame.
    Pros:

  • This approach have no dependent on whether the JS was disabled or not.
  • Currently there is no bypass solution for this, if the browser support x-frame-options.

???????? Cons:

  • This approach will not take effect on some old version of browsers who is not supporting x-frame-options.

Browsers Supporting X-Frame-Options

  • IE8+
  • Opera 10.50+
  • Safari 4+
  • Chrome 4.1.249.1042+
  • Firefox 3.6.9 (or earlier with NoScript)

Testing result with x-frame-options set to DENY

Browser Version Results
Firefox 3.5.5 with NoScript 3.5.5 application was blocked with an option to open in another window
Chrome 21.0.1180.89 application was blocked with a blank frame
Safari 4.0.3 application was blocked with a blank frame
IE6 6.0 application can still been opened
IE7 ? ?
IE8 ? ?
Opera ? ?

Testing result with frame-busting scripts

Browser Version Results
Firefox 3.5.5 with NoScript 3.5.5 application will bust the window
Chrome 21.0.1180.89 application will bust the window
Safari 4.0.3 application will bust the window
IE6 6.0 application will bust the window
IE7 ? ?
IE8 ? ?
Opera ? ?

frame-jacking(clicking jacking, Redress issue)


更多文章、技術交流、商務合作、聯系博主

微信掃碼或搜索:z360901061

微信掃一掃加我為好友

QQ號聯系: 360901061

您的支持是博主寫作最大的動力,如果您喜歡我的文章,感覺我的文章對您有幫助,請用微信掃描下面二維碼支持博主2元、5元、10元、20元等您想捐的金額吧,狠狠點擊下面給點支持吧,站長非常感激您!手機微信長按不能支付解決辦法:請將微信支付二維碼保存到相冊,切換到微信,然后點擊微信右上角掃一掃功能,選擇支付二維碼完成支付。

【本文對您有幫助就好】

您的支持是博主寫作最大的動力,如果您喜歡我的文章,感覺我的文章對您有幫助,請用微信掃描上面二維碼支持博主2元、5元、10元、自定義金額等您想捐的金額吧,站長會非常 感謝您的哦!!!

發表我的評論
最新評論 總共0條評論
主站蜘蛛池模板: 亚洲精品色 | 99r精品视频| 久久久久久影院 | 成人在线午夜 | 国内精品视频在线播放一区 | 黄色成人在线播放 | 天天爱天天做久久天天狠狼 | 4hu四虎| 九九99久久精品国产 | 国产手机在线视频放线视频 | 成人黄色一级毛片 | 四虎影院海外永久 | 最猛黑人xxxⅹ黑人猛交 | 狠狠操天天 | 97视频在线免费 | 亚洲欧美18v中文字幕高清 | 国产精品人成福利视频 | 炮房五月| 一级在线视频 | 亚洲精品一区二区三区福利 | 天天天天色 | 欧美人成毛片在线播放 | 九九热国产在线 | 日韩中文字幕精品 | 国产视频第二页 | 2020国产成人精品免费视频 | 欧美在线一区二区三区 | 福利网站在线播放 | 久久久高清日本道免费观看 | 永久看日本大片免费 | 欧美午夜精品 | 欧美日韩中文国产一区 | 日韩一级视频免费观看 | 成人影院在线免费观看 | 亚洲欧美综合人成野草 | 欧美国产精品一区二区免费 | 色综合a怡红院怡红院首页 色综合h | 亚洲一级毛片免费观看 | 精品免费视在线视频观看 | 国产精品视频一区二区三区经 | 欧美成人区 |