ClickJacking Analysis for Web Security

Source: Internet
Author: User


ClickJacking is a visual deception, and there are two methods. In the first, an attacker covers a webpage with a transparent iframe and then induces the user to perform operations on the visible page; the user's clicks actually land on the transparent iframe page without the user knowing it. In the second, the attacker covers part of the page with an image so that the original meaning of that position on the page is obscured.

Iframe Overwrite

Examples

1. Suppose we have a post on Baidu and want to secretly get other people to follow it. So we prepare a page:

PS: The page looks like this. Of course, a real attack page would be far more refined, not as simple as this one.

2. After the page is spread around, a user clicks "View Details" and, without realising it, clicks "Follow".

PS: You can set the iframe opacity to 0.3 to see where the click actually lands.

3. The post gains another follower.

Solution

Use the HTTP response header X-Frame-Options, which was introduced specifically to counter ClickJacking. It takes one of three values:

DENY: the browser refuses to render the page inside any frame, whichever site is framing it;

SAMEORIGIN: the page may only be framed by a page from the same origin (same-source domain name);

ALLOW-FROM origin: the page may only be framed by pages from the specified origin;

PS: browser support: IE8+, Opera 10+, Safari 4+, Chrome 4.1.249.1042+, and Firefox 3.6.9.

Specific settings:

Apache configuration:

    Header always append X-Frame-Options SAMEORIGIN

Nginx configuration:

    add_header X-Frame-Options SAMEORIGIN;

IIS configuration (web.config):

    <system.webServer>
      ...
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
      ...
    </system.webServer>
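As an added example (not code from the original article), the following Python function models how a current browser evaluates the X-Frame-Options header of a framed response, following the algorithm in the HTML standard. It goes beyond the three values listed above by also covering a missing header, conflicting values from duplicated headers, the precedence of a CSP frame-ancestors directive, and the fact that ALLOW-FROM is no longer recognised by browsers; all header and origin values are constructed samples.

```python
"""Model a browser's X-Frame-Options decision (HTML standard algorithm).
All headers and origins used below are constructed sample values."""
from typing import Iterable, List, Tuple


def xfo_verdict(headers: Iterable[Tuple[str, str]], page_origin: str,
                ancestor_origins: Iterable[str]) -> Tuple[bool, str]:
    """Return (blocked, reason): does X-Frame-Options stop this response being framed?

    headers: response (name, value) pairs; duplicates are allowed, as in real traffic.
    page_origin: scheme://host[:port] of the framed page.
    ancestor_origins: origins of every frame above it, up to the top-level document.
    """
    hdrs: List[Tuple[str, str]] = list(headers)
    # CSP frame-ancestors takes precedence; when present, X-Frame-Options is not consulted.
    for name, value in hdrs:
        if name.lower() == "content-security-policy" and "frame-ancestors" in value.lower():
            return False, "CSP frame-ancestors present; X-Frame-Options not consulted"
    # Split every X-Frame-Options header on commas and lowercase the tokens. A set is
    # used, so "SAMEORIGIN, SAMEORIGIN" from a duplicated rule collapses to one value.
    values = set()
    for name, value in hdrs:
        if name.lower() == "x-frame-options":
            values.update(t.strip().lower() for t in value.split(",") if t.strip())
    if not values:
        return False, "no X-Frame-Options header: any site may frame the page"
    if len(values) > 1:
        if values & {"deny", "sameorigin", "allowall"}:
            return True, "conflicting X-Frame-Options values: browser refuses to frame"
        return False, "conflicting unrecognised values: header ignored"
    (value,) = values
    if value == "deny":
        return True, "DENY: the page is never rendered in a frame"
    if value == "sameorigin":
        foreign = [o for o in ancestor_origins if o.lower() != page_origin.lower()]
        if foreign:
            return True, f"SAMEORIGIN: cross-origin ancestor {foreign[0]} blocked"
        return False, "SAMEORIGIN: every ancestor shares the page's origin"
    # ALLOW-FROM (and any other token) is not recognised by current browsers.
    return False, f"unrecognised value {value!r}: header ignored, page can be framed"


if __name__ == "__main__":
    # Constructed scenario: the Nginx rule above protects https://forum.example,
    # and a page on https://evil.example tries to load it in an iframe.
    sample = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
    print(xfo_verdict(sample, "https://forum.example", ["https://evil.example"]))
```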

 

Image coverage

Cross-Site Image Overlaying allows an attacker to use the style attribute or CSS of an image to lay that image over the existing content of a webpage. Because the image itself can carry misleading information, the user can be deceived without clicking anything at all.

PS: This attack can easily appear on the website's own pages.

Example

Where HTML content can be input, add an image and position it so that it overlays a specified spot on the page.

<a href="http://tieba.baidu.com/f?kw=%C3%C0%C5%AE"></a>

Solution

To defend against image overlay attacks, check whether the HTML code submitted by users contains img tags carrying a style attribute.

Summary

Clickjacking is an attack that many people do not pay much attention to. It requires tricking users into interacting with the page, so the cost of the attack is higher. In addition, developers may think that users are stupid and so do not pay attention to such attacks.
