Principles and prevention of IFRAME Trojans

Source: Internet
Author: User
Tags: blank page

(Reprinted. I am too lazy to think about it. I have not tried it myself)

I believe that most webmasters have suffered iframe Trojan attacks; a friend's website has had iframes injected N times. (Comment: as webmasters, we should think about why the site was compromised in the first place, that is, its vulnerabilities. Moreover, iframes are easily injected through ARP attacks, so anything on a LAN is always under threat.)

Let's take a closer look at the principles today:

IE only: generally, only Internet Explorer is affected by Trojans such as iframe, so Internet Explorer is the browser used here.

Before going further, let's take a look at expression.

IE5 and later versions support the use of expression in CSS to associate CSS attributes with JavaScript. The CSS attributes here can be the built-in or custom attributes of elements. That is to say, a CSS attribute can be followed by a JavaScript expression, and the value of the CSS attribute is the result of evaluating that JavaScript expression. You can directly reference the attributes and methods of the element in the expression, or use other browser objects. The expression behaves like a member function of the element.

Many of my friends know that CSS can directly describe the appearance of a visual tag. For example, p{color:red} means that the text in all p tags on the webpage will turn red. Isn't iframe a tag too? Let's start writing code with linger:
iframe{... write the CSS code describing the appearance here ...}

What is the best way to prevent the content of an iframe from being downloaded? The core is to cut off the requests made by the iframe, and cutting off the requests means quickly destroying the iframe object. How do we implement it? Wasn't expression introduced above? An expression can execute JS scripts. The syntax is as follows:

tag{built-in CSS attribute name: expression(JS expression);}
or
tag{custom attribute name: expression(JS expression);}

Here we choose the second form, so the code should look roughly like this:
iframe{v:expression(JS expression);}

The next question is how to destroy all iframe objects on the webpage. The principle, using JS, is as follows: change the request address of the iframe to a blank page (about:blank), then remove the iframe object from the DOM (Document Object Model) to cut off all requests made by the iframe. There are many ways to remove DOM nodes; I will use the outerHTML attribute here. The CSS code is as follows:
iframe{v:expression(this.src='about:blank',this.outerHTML='');}

Note: the v above is a CSS attribute defined by linger. Here, this represents every iframe object the rule applies to. The comma in the middle means that the two statements are executed together, with no execution priority between them, which is a strong guarantee. about:blank is a blank page, as everyone knows. The outerHTML attribute is the HTML code of the DOM object itself, while the innerHTML attribute is the HTML code contained in the DOM object (excluding the object itself).

Now that the code is ready, let's test whether it works.

First, create a new webpage and insert the above CSS code (or add the above rule to your existing CSS code):
<style type="text/css">
iframe{v:expression(this.src='about:blank',this.outerHTML='');}
</style>

Then insert several iframes on this page, assuming they are Trojans. The code is as follows:
<iframe src=""></iframe> admin5
<iframe src="http://www.caoxoo.com/"></iframe>
<iframe src="http://www.ssguo.com/"></iframe>

Save it as noiframe.htm and open it in the browser to test it. (When testing locally, you need to allow the blocked script in the prompt bar at the top.) I used a packet capture tool for testing, but there is no need for one. The simplest and most effective way is to open the IE cache folder, clear it, refresh the page, and check whether the cache folder contains any files from these three websites. If not, no request results were returned. The test results were satisfactory, and I was smiling ^*. At this point my colleague handed me a piece of cake, which was delicious.

Tip: the Windows XP SP2 cache folder location is C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

Careful readers will have spotted a problem: what should I do if I want to use an iframe on my own webpage?

A: If you want your own iframe to appear on the webpage while other iframe Trojans still do not work, add
#caoxoo{v:expression() !important}

The corresponding iframe code is:
<iframe id="caoxoo" name="caoxoo" src="http://www.caoxoo.com/"></iframe>
OK.

Tip: IE7 gives priority to styles marked with !important. IE6 does not recognize !important and follows the proximity principle, so for IE6 this code can be placed at the end of the CSS.

Many of my friends have questions about f126. They asked me why I chose "f126", and my answer is that this f126 is arbitrary, as long as the id attribute of the iframe matches the one in the CSS. My colleague offered me another piece of cake; I said I was full.

Of course, the Trojan can construct code such as
<iframe src="URL"></iframe>
which invalidates my defense method, but to do so the attacker has to look up the v attribute used for iframe in my CSS code. If I change my v to something else, ha, it no longer works!

Conclusion: the above method only stops the iframe request and destroys the iframe itself, but the way Trojans are planted will change in the future, for example
<script></script>
and this method cannot solve that. It is not the final solution. The final solution is to find out why the iframe was injected in the first place and block it at the source. That is not my business!
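
The conclusion points at the source of the injection rather than the browser. As an added example (not code from the original article), the following Node.js script audits a page's HTML for iframe and script tags that load from hosts outside an approved list; the allowlist, the function names and the sample page, including the `.example` hosts, are constructed for illustration.

```javascript
// Added example: constructed allowlist and sample page, not from the article.
const ALLOWED_HOSTS = new Set(["www.caoxoo.com"]);

// Pull attribute name/value pairs out of one opening tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Host of an absolute or protocol-relative URL; null for relative URLs,
// about:blank and empty values, which do not load from another site.
function remoteHost(src) {
  const s = src.trim();
  if (!/^(https?:)?\/\//i.test(s)) return null;
  try {
    return new URL(s.startsWith("//") ? "http:" + s : s).hostname.toLowerCase();
  } catch {
    return "(unparseable)";
  }
}

// Report every <iframe> or <script> whose src host is not approved.
// A regex tag scan is a heuristic for auditing, not a full HTML parser.
function findForeignEmbeds(html, allowed = ALLOWED_HOSTS) {
  const findings = [];
  const tagRe = /<(iframe|script)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const host = remoteHost(parseAttrs(m[0]).src || "");
    if (host !== null && !allowed.has(host)) {
      findings.push({ tag: m[1].toLowerCase(), host, offset: m.index });
    }
  }
  return findings;
}

// Constructed sample: one approved iframe, two unapproved embeds, one inline script.
const samplePage = `
<iframe id="caoxoo" name="caoxoo" src="http://www.caoxoo.com/"></iframe>
<IFRAME SRC="http://injected.example/"></IFRAME>
<script src=//stats.injected.example/x.js></script>
<script>var local = 1;</script>
`;
console.log(findForeignEmbeds(samplePage));
```

Run over the files or responses a site actually serves, a non-empty result marks the pages to investigate for how the tag got there.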
