"White hat Talk Web Security" The 5th chapter of the study note click Hijack (clickjacking)

5th Chapter Click Hijack (clickjacking) 5.1What is click Hijacking

Click Hijacking is a visual deception. A means of hiding malicious code, such as a button, in a Web page, and enticing a user to click on it.

Key Features

q Click Hijacking is a malicious attack technique that tracks network users, gets their private information, or remotely controls their computer by letting them click on seemingly normal web pages. Many browsers and operating platforms have such vulnerabilities.

q Click Hijacking technology can appear in the form of embedded code or text, to complete the attack without the user's knowledge, such as clicking on a surface display is "play" a video button, while the actual operation is to change the user's social network personal information to "public" status.

q Click Hijacking the word first appeared in the year, was pioneered by Internet security experts Robert Hansen and Jelimi Glaussmann, the word is actually "click" (click) and "hijack" (hijacking A combination of two words.

5.2 FlashClick Hijack

5.3Image Overlay Attack

The essence of click Hijacking is a visual deception. Along this line of thought, there are also some attack methods that can play a similar role, covering more than slices.

since tags are open to users in many systems, there are many sites in the real world where Xsio attacks are possible. When defending against Xsio , you need to check the user-submitted HTML code that the tag's style property can cause to emerge.

5.4drag hijacking and data theft

The idea of "drag-and- drop hijacking " is to persuade a user to " drag " the data that an attacker wants from a hidden , invisible iframe and place it in another page that the attacker can control. thereby stealing data.

in the With the support of JavaScript or Java API , this attack process becomes very covert. Because it breaks through some of the innate limitations of traditional ClickJacking , this new "drag-and- drop hijacking " can cause even greater damage.

5.5 ClickJacking 3.0: Touch Screen hijacking

The " touch screen hijacking " attack on a smartphone is called tapjacking.

5.6Defenseclickjacking5.6.1 Frame Busting

The nesting of IFrame is forbidden by JS code . This method is not very practical.

if (top!==window)

Top.location = window.location.href;

ClickJacking is a visual deception, so how to defend it? For traditional ClickJacking, it is generally forbidden to avoid cross-domain iframe

5.6.2 X-frame-options

add x-frame-options sameorigin to the header.

It has three optional values:

q DENY

q Sameorigin

q Allow-from origin

Duty is Deny , the browser rejects the current page to load any frame page, and if the value is Sameorigin, the address of the frame page can only be a page under a homologous domain name; Allow-from, you can define a page address that allows frame loading.

except X-frame-options ,Firefox's "Content Security Policy" and Firefox 's NoScript extensions can also be effective against ClickJacking, which gives us more options

This article is from the "dream to think XI" blog, please be sure to keep this source http://qiangmzsx.blog.51cto.com/2052549/1859549

"White hat Talk Web Security" The 5th chapter of the study note click Hijack (clickjacking)