I. Interface operation hijacking
1) ClickJacking
Clickjacking (click hijacking) is a form of visual deception.
The attacker overlays a transparent, invisible iframe on top of a location on the web page and lures the user into clicking on the iframe.
[Image: http://images2015.cnblogs.com/blog/211606/201702/211606-20170204131625823-2004021452.png]
2) tapjacking
Mobile devices are used more and more, and tapjacking (touch-screen hijacking) grows out of the characteristics of those devices.
A phone screen is small, so mobile browsers hide the address bar to save space; visual deception is therefore easier to carry out on a phone.
[Image: http://images2015.cnblogs.com/blog/211606/201702/211606-20170204132916573-1653525794.png]
1. In the first picture, the browser address bar is shown at the top, and the attacker has drawn a fake address bar on the page;
2. In the second picture, the real browser address bar has been hidden automatically, leaving only the fake address bar on the page;
3. The third picture is the normal case, where the browser address bar is hidden and nothing fake is drawn.
This visual deception attack can be exploited for phishing and fraud.
3) X-frame-options
The traditional defense against interface hijacking is to forbid the page from being loaded in an iframe.
HTTP responses can carry the X-Frame-Options header, which takes one of three values:
1. DENY: this page may not be loaded in any iframe.
2. SAMEORIGIN: this page may only be loaded in an iframe on a page from the same origin (domain).
3. ALLOW-FROM uri: this page may only be loaded in an iframe on a page from the specified origin.
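As an added example (not code from the original post), the following JavaScript evaluates the three header values the way a browser decides whether to render a page inside an iframe, and includes a small helper for setting the header on a Node-style response object. The origins, the `setFrameProtection` helper name and the response object's `setHeader` method are assumptions for this example.

```javascript
// Added example: decide whether a page served with a given X-Frame-Options
// value may be framed by a page from framerOrigin.
// pageOrigin   = origin (URL) of the page being framed
// framerOrigin = origin (URL) of the top-level page that contains the iframe

function parseXFrameOptions(headerValue) {
  const value = String(headerValue || "").trim();
  const upper = value.toUpperCase();
  if (upper === "DENY") return { mode: "DENY" };
  if (upper === "SAMEORIGIN") return { mode: "SAMEORIGIN" };
  if (upper.startsWith("ALLOW-FROM ")) {
    // keep the URI as written; only its origin is compared later
    return { mode: "ALLOW-FROM", uri: value.slice("ALLOW-FROM ".length).trim() };
  }
  // Missing or unrecognised value: browsers ignore the header, so framing is allowed.
  return { mode: "NONE" };
}

function originOf(url) {
  return new URL(url).origin; // scheme + host + port, as the browser compares it
}

// Returns "allow" or "block".
function framingDecision(headerValue, pageOrigin, framerOrigin) {
  const policy = parseXFrameOptions(headerValue);
  switch (policy.mode) {
    case "DENY":
      return "block";
    case "SAMEORIGIN":
      return originOf(pageOrigin) === originOf(framerOrigin) ? "allow" : "block";
    case "ALLOW-FROM":
      return originOf(policy.uri) === originOf(framerOrigin) ? "allow" : "block";
    default:
      return "allow";
  }
}

// Server-side helper (assumed API): set the header on a response-like object.
// DENY is the safe default for any page that never needs to be embedded.
function setFrameProtection(res, value = "DENY") {
  res.setHeader("X-Frame-Options", value);
  return res;
}

// Constructed sample: a login page served with SAMEORIGIN and framed by
// an unrelated page is blocked.
const sampleDecision = framingDecision(
  "SAMEORIGIN",
  "https://bank.example/login",
  "https://evil.example/"
); // "block"
```

One caveat worth knowing when reading the third option: ALLOW-FROM was never implemented by Chrome or Safari and was later dropped by Firefox, so in current browsers a header carrying it behaves like the "unrecognised value" branch above and the page ends up frameable. Content-Security-Policy's frame-ancestors directive is the supported way to allow a specific list of framing origins today; DENY and SAMEORIGIN remain widely honoured.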
II. HTML5 security
Some of the new tags and attributes in HTML5 have changed web attacks such as XSS; these are summarized in the HTML5 Security Cheatsheet.
1) Hide URL Malicious code
In reflected XSS the malicious code is written into a URL parameter, so the user can see the malicious code in the address bar, for example in the following link:
http://www.csrf.net/csrf.html?id=<script>111</script>
HTML5 lets the browser's history be manipulated through window.history.
pushState() takes three parameters: a state object, a title, and an optional URL.
history.pushState({}, "", location.href.split('?').shift());
After the above code runs, the parameters are hidden from the address bar.
[Image: http://images2015.cnblogs.com/blog/211606/201702/211606-20170204150739776-2043335397.png]
The new URL address is the following:
[Image: http://images2015.cnblogs.com/blog/211606/201702/211606-20170204150823026-1581709301.png]
pushState can also forge browser history entries:
for (var i = 0; i < 10; i++) history.pushState({}, "", "/" + i + ".html");
[Image: http://images2015.cnblogs.com/blog/211606/201702/211606-20170204151119058-1932308250.png]
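pushState only rewrites what the address bar shows; the request that carried the parameters has already reached the server and sits in its access log, which is where a defender looks for reflected-XSS attempts. As an added example (not code from the original post), the following JavaScript scans access-log lines in Common Log Format for requests whose query string, after URL decoding, contains a script tag. The log lines are constructed for the example, and the `findReflectedScriptRequests` function and its field names are assumptions.

```javascript
// Added example: find requests whose decoded query string carries a <script> tag.
// Input lines follow Common Log Format:
//   ip ident user [time] "METHOD path HTTP/x" status size

const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLogLine(line) {
  const m = CLF.exec(line);
  if (!m) return null; // not CLF; skip rather than guess
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Return the query part of a request path, URL-decoded.
// Decoding runs at most twice because payloads are sometimes double-encoded;
// malformed escapes stop the loop instead of throwing.
function decodeQuery(path) {
  const idx = path.indexOf("?");
  if (idx < 0) return "";
  let q = path.slice(idx + 1);
  for (let i = 0; i < 2; i++) {
    try {
      q = decodeURIComponent(q.replace(/\+/g, " "));
    } catch (e) {
      break;
    }
  }
  return q;
}

const SCRIPT_TAG = /<\s*script\b/i;

function findReflectedScriptRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    const query = decodeQuery(rec.path);
    if (SCRIPT_TAG.test(query)) hits.push({ ip: rec.ip, time: rec.time, path: rec.path, query });
  }
  return hits;
}

// Constructed sample log lines (not real traffic). The second line carries the
// page's own example payload URL-encoded; the third carries it double-encoded.
const SAMPLE_LOG = [
  '203.0.113.5 - - [04/Feb/2017:15:07:39 +0800] "GET /csrf.html?id=1 HTTP/1.1" 200 512',
  '203.0.113.9 - - [04/Feb/2017:15:07:41 +0800] "GET /csrf.html?id=%3Cscript%3E111%3C/script%3E HTTP/1.1" 200 540',
  '203.0.113.9 - - [04/Feb/2017:15:07:42 +0800] "GET /csrf.html?id=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 540',
  '198.51.100.2 - - [04/Feb/2017:15:08:00 +0800] "GET /0.html HTTP/1.1" 404 162',
];

const SAMPLE_HITS = findReflectedScriptRequests(SAMPLE_LOG); // two hits from 203.0.113.9
```

The point of decoding before matching is that the browser sends the payload percent-encoded, so a raw substring search for `<script` on the log line would miss both flagged requests; a server-side log is also unaffected by anything the page later does with history.pushState.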
2) Zombie Network under HTML5
A botnet is a large number of computers implanted with a specific malicious program, which lets the controller issue instructions to all of them through a few control hosts and use them for network attacks.
[Image: http://images2015.cnblogs.com/blog/211606/201702/211606-20170204153034511-675768952.jpg]
A web front-end botnet can be used for DDoS attacks; it relies on the Web Worker technique and on how CORS is processed, and it is spread through web worms.
A Web Worker is a multithreading mechanism that can execute malicious JS asynchronously without affecting the user's normal interaction with the page.
The CORS mechanism works at the browser level: if the server does not permit the cross-origin request, the browser blocks the page from reading the response, but the request was still sent and the server still processed it and responded normally.
So an attacker can prepare a script that issues asynchronous requests (worker.js) in advance, run it in a Web Worker, and keep sending requests to the target server.
var worker_loc = 'worker.js';                    // the script that encapsulates the AJAX request
var target = 'http://news.qq.com/photo.shtml';   // URL to attack
// multiple Web Workers can be instantiated
var workers = [];
for (var i = 0; i < 1; i++) {
  workers[i] = new Worker(worker_loc);
  workers[i].postMessage(target);                // hand the target URL to the worker
}
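Because the browser's CORS check only hides the response from the page, the target server has to make its own decision before doing any expensive work if it wants to stop a worker-driven request flood. As an added example (not code from the original post), the following JavaScript is a request handler that refuses cross-origin requests whose Origin header is not on an allowlist and applies a sliding-window limit per client IP. The request shape `{origin, ip, now}`, the allowlist, the thresholds and the function names are assumptions for this example.

```javascript
// Added example: server-side checks that run before the CORS headers are even
// chosen, so a flood of cross-origin requests is refused cheaply rather than
// answered in full and then hidden by the browser.

const ALLOWED_ORIGINS = new Set(["https://news.example"]); // assumed allowlist
const WINDOW_MS = 10 * 1000;   // sliding window length
const MAX_PER_WINDOW = 20;     // requests allowed per client IP per window

// Sliding-window limiter keyed by client IP. Timestamps are passed in (ms)
// so the behaviour is deterministic and testable.
function createLimiter(windowMs = WINDOW_MS, maxPerWindow = MAX_PER_WINDOW) {
  const hits = new Map(); // ip -> timestamps of recent requests
  return function allow(ip, now) {
    const fresh = (hits.get(ip) || []).filter((t) => now - t < windowMs);
    if (fresh.length >= maxPerWindow) {
      hits.set(ip, fresh);
      return false;
    }
    fresh.push(now);
    hits.set(ip, fresh);
    return true;
  };
}

// Returns {status, headers}. req = { origin, ip, now }; origin is undefined
// for same-origin navigations, which carry no Origin header.
function createHandler(limiter = createLimiter()) {
  return function handle(req) {
    const origin = req.origin;
    // Browsers attach the Origin header to cross-origin requests and scripts
    // cannot alter it, so an origin off the allowlist is refused outright.
    if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
      return { status: 403, headers: {} };
    }
    if (!limiter(req.ip, req.now)) {
      return { status: 429, headers: { "Retry-After": String(WINDOW_MS / 1000) } };
    }
    const headers = {};
    if (origin !== undefined) headers["Access-Control-Allow-Origin"] = origin;
    return { status: 200, headers };
  };
}

// Constructed sample: an allowed origin gets through, an unlisted one does not.
const demo = createHandler();
const demoAllowed = demo({ origin: "https://news.example", ip: "203.0.113.7", now: 0 }).status; // 200
const demoRefused = demo({ origin: "https://evil.example", ip: "203.0.113.7", now: 1 }).status; // 403
```

The 403 branch runs before the limiter on purpose: requests from an unlisted origin never count against the client's quota, so a worker hammering from a page the server does not serve cannot lock out a legitimate user behind the same address. The limiter is in-memory and per process; behind a load balancer the counts would need to live in shared storage, which is outside this example.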
Interface operation hijacking and HTML5 security