
frame-jacking (clickjacking, UI redress issue)


Brief

Currently some applications have a vulnerability where the application can be opened inside a frame, and the application does not detect that it has been loaded in a frame. This can lead to an attack in which users are persuaded to perform actions on the site without their knowledge. This is called clickjacking, or a UI redress attack.

Solutions

Even though there are no particularly reliable and non-intrusive ways for applications to prevent these attacks, there are two major approaches to fixing this issue: one is to use frame-busting scripts, which is a client-side solution; the other is to set the X-Frame-Options HTTP response header, which is a server-side solution.

  • Frame-busting scripts

This approach includes JavaScript that detects the page being rendered within a cross-domain <IFRAME> and tries to break out of it, e.g.

    // Reading top.location.hostname throws when the framing page is on another
    // origin; a thrown value or a hostname mismatch both mean "framed elsewhere".
    try {
        if (top.location.hostname != self.location.hostname) throw 1;
    } catch (e) {
        // Replace the framing page with this page at the top level.
        top.location.href = self.location.href;
    }

It should be noted that there is no strict guarantee that the update of top.location will always work, particularly if dummy setters are defined, or if there are collaborating, attacker-controlled <IFRAME> containers performing conflicting location updates through various mechanisms. A more drastic solution would be to also overwrite or hide the current document pending the page transition, or to perform onclick checks on all UI actions and deny them from within frames.
All of these mechanisms also fail if the user has JavaScript disabled globally, or for the attacked site.
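The "hide the current document pending the page transition" variant mentioned above, as an added example that is not code from the original post. The page ships with a style element that hides the body, and the style is removed only once the frame check passes; the check is written against a window-like object (assumed shape: top, self, document) so it can be exercised outside a browser.

```javascript
// Added example (not from the original post): frame busting that keeps the
// page hidden until the check passes, so a blocked buster still leaves
// nothing clickable. Intended page skeleton (assumed markup):
//
//   <head>
//     <style id="antiClickjack">body { display: none !important; }</style>
//     <script>applyAntiClickjack(window);</script>
//   </head>

// True when this window is the top-level browsing context, or when the
// framing page is on the same host. Reading top.location from a
// cross-origin frame throws, and any failure is treated as "framed".
function isSafelyFramed(win) {
  try {
    if (win.top === win.self) return true;
    return win.top.location.hostname === win.self.location.hostname;
  } catch (e) {
    return false;
  }
}

// Reveal the page if the check passes; otherwise keep it hidden and try to
// break out of the frame. Returns the decision so callers can log or test it.
function applyAntiClickjack(win) {
  if (isSafelyFramed(win)) {
    const hide = win.document.getElementById('antiClickjack');
    if (hide && hide.parentNode) hide.parentNode.removeChild(hide);
    return 'revealed';
  }
  try {
    win.top.location.href = win.self.location.href;
  } catch (e) {
    // The navigation can be blocked by the framing page (the frame-buster
    // buster the post links to); the page then simply stays hidden.
  }
  return 'hidden';
}
```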

Furthermore, frame-busting scripts can themselves be defeated; one such approach is outlined here:

http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed/

Pros:

  • Almost all browsers support this approach.

Cons:

  • If JavaScript is disabled, this approach will not work.
  • This approach can also be defeated.


  • X-FRAME-OPTIONS

    Back in January 2009, IE8 introduced support for a new header-specified directive, X-Frame-Options, that can be used to mitigate clickjacking attacks. As a declarative security measure, X-Frame-Options has minimal compatibility impact, but requires adoption by both clients and servers in order to provide its security benefit.
    Web developers can send an HTTP header named X-FRAME-OPTIONS on HTML responses to restrict how the page may be framed. Setting this value to DENY prevents the page from rendering if it would be contained within a frame.
    Different browsers behave differently: some (e.g. IE, Opera) show a message that allows the user to safely open the target page in a new window, while others (e.g. Chrome, Safari) simply render an empty frame.
    Pros:

  • This approach does not depend on whether JavaScript is disabled.
  • Currently there is no bypass for this, if the browser supports X-Frame-Options.

    Cons:

  • This approach will not take effect in old browser versions that do not support X-Frame-Options.

Browsers Supporting X-Frame-Options

  • IE8+
  • Opera 10.50+
  • Safari 4+
  • Chrome 4.1.249.1042+
  • Firefox 3.6.9 (or earlier with NoScript)

Testing result with X-Frame-Options set to DENY

  Browser               | Version       | Results
  ----------------------|---------------|------------------------------------------------------------------
  Firefox with NoScript | 3.5.5         | application was blocked, with an option to open in another window
  Chrome                | 21.0.1180.89  | application was blocked with a blank frame
  Safari                | 4.0.3         | application was blocked with a blank frame
  IE6                   | 6.0           | application could still be opened
  IE7                   | ?             | ?
  IE8                   | ?             | ?
  Opera                 | ?             | ?

Testing result with frame-busting scripts

  Browser               | Version       | Results
  ----------------------|---------------|----------------------------------
  Firefox with NoScript | 3.5.5         | application busts out of the frame
  Chrome                | 21.0.1180.89  | application busts out of the frame
  Safari                | 4.0.3         | application busts out of the frame
  IE6                   | 6.0           | application busts out of the frame
  IE7                   | ?             | ?
  IE8                   | ?             | ?
  Opera                 | ?             | ?


