`
elicer
  • 浏览: 133321 次
  • 性别: Icon_minigender_1
  • 来自: 上海
社区版块
存档分类
最新评论

frame-jacking(clicking jacking, Redress issue)

阅读更多

 

 

Brief

Currently there is a vulnerability of some application which is the application can be opened  inside a frame, and the application does not detect whether the application has been loaded in frames, which could lead to an attack by which users are persuaded to perform site actions without their knowledge. This is called clickJacking or UI Redress attacks.

Solutions

Even through there are no particularly reliable and non-intrusive ways for applications to prevent attacks, Relatively there are two major approach to fix this issue,  one is use frame-busting scripts which is a client side solution, another is setting the x-frame-options in the http header which is a server side solution.

  • Frame-busting scripts 

         This approach is to include JavaScript to detect having the page rendered within a cross-domain <IFRAME>, and try to break out of it, e.g.

 
try {
            if (top.location.hostname != self.location.hostname) throw 1;
         } catch (e) {
            top.location.href = self.location.href;
         }
 

It should be noted that there is no strict guarantee that the update of top.location would always work,particularly if dummy setters are defined, or if there are collaborating, attacker-controlled <IFRAME> containers performing conflicting location updates through various mechanisms.A more drastic solution would be to also overwrite or hide the current document pending page transition,or to perform onclick checks on all UI actions, and deny them from within frames.
All of these mechanisms also fail if the user has JavaScript disabled globally, or for the attacked site.

Further more the busting scripts can be defeated also, one of the approach outlined below:

http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed/

     Pros:

  • Almost all the browsers supproting this approach.

     Cons:

  • if the JS was disabled this approach will not work.
  • This approach can also be defeated

   

  • X-FRAME-OPTION

    Back in January of 2009, IE8’s support for a new header-specified directive: X-Frame-Options, that can be used to mitigate ClickJacking attacks. As a declarative security measure, X-Frame-Options has minimal compatibility impact, but requires adoption by clients and servers in order to provide its security benefit.
    Web developers can send a HTTP header named X-FRAME-OPTIONS on HTML responses to restrict how the page may be framed. By setting this value to DENY which will prevent the page from rendering if it will be contained within frame.
    Different browser will have different behaviour, some browsers (e.g. IE, Opera) will show a message that allows the user to safely open the target page in a new window. Other implementations (e.g. Chrome, Safari) will simply render an empty frame.
    Pros:

  • This approach have no dependent on whether the JS was disabled or not.
  • Currently there is no bypass solution for this, if the browser support x-frame-options.

         Cons:

  • This approach will not take effect on some old version of browsers who is not supporting x-frame-options.

Browsers Supporting X-Frame-Options

  • IE8+
  • Opera 10.50+
  • Safari 4+
  • Chrome 4.1.249.1042+
  • Firefox 3.6.9 (or earlier with NoScript)

Testing result with x-frame-options set to DENY

Browser Version Results
Firefox 3.5.5 with NoScript 3.5.5 application was blocked with an option to open in another window
Chrome 21.0.1180.89 application was blocked with a blank frame
Safari 4.0.3 application was blocked with a blank frame
IE6 6.0 application can still been opened
IE7    
IE8    
Opera    

Testing result with frame-busting scripts

Browser Version Results
Firefox 3.5.5 with NoScript 3.5.5 application will bust the window
Chrome 21.0.1180.89 application will bust the window
Safari 4.0.3 application will bust the window
IE6 6.0 application will bust the window
IE7    
IE8    
Opera    
分享到:
评论

相关推荐

    适用于iOS / tvOS的Parallax Scroll-Jacking Effects引擎.zip

    适用于iOS / tvOS的Parallax Scroll-Jacking Effects引擎.zip,Parallax Scroll-Jacking Effects Engine for iOS / tvOS

    Disable Scroll Jacking-crx插件

    让我知道,我将对其进行修复:https://gitreports.com/issue/joshbalfour/disable-scroll-jacking?name=optional&email=optional@co.com隐私政策:https://joshbalfour.github.io/ disable-scroll-jacking / privacy...

    禁用滚动顶起「Disable Scroll Jacking」-crx插件

    让我知道,我会解决它:https://gitreports.com/issue/joshbalfour/disable-scroll-jacking?name=optional&email=optional@co.com 隐私政策:https://joshbalfour.github.io/disable-scroll-jacking/privacy.html ...

    jacking demo

    根据提供的文件信息,本文将围绕“jacking demo”这一主题展开,主要介绍Jetspeed的layout和portlet的相关知识点。 ### Jetspeed简介 Jetspeed是Apache软件基金会的一个开源项目,它为构建企业级门户提供了完整的...

    VCS:车辆稳定性控制系统

    蓝牙 [使用 Pub Nub 通信 API 模拟通过 Blue-Jacking 进行实时通信]。 GPS(仅在汽车发动机点火时使用,用于初始化 x,y(即当前纬度/经度))。 [初始位置信息] 指南针 [了解指定汽车的瞬时方向] 使用的库/API: ...

    Android媒体播放功能曝出安全漏洞.pdf

    这种技术被称为“tap-jacking”或触屏劫持,早已被恶意软件开发者滥用。攻击者可以通过覆盖SystemUI警告信息,引导用户误操作,提升应用权限,进而获取敏感信息。 谷歌已经在Android Oreo(8.0)版本中修复了这一...

    巧妙绕过一流监控,拿下shell1

    1. **旁注攻击(Side-Jacking)**:当主站的安全性较高,难以直接渗透时,黑客通常会尝试攻击与主站相关的其他子站或服务器,称为旁注攻击。在这个案例中,由于主站无明显漏洞,作者转向了旁站。 2. **虚拟机识别**...

    No more scroll jacking-crx插件

    语言:English 此扩展可防止滚动顶针,同时按住META密钥 滚动(或任何其他元键,控制,ALT),同时滚动和滚动顶针将被禁用。

    Social Jacking Alarm-crx插件

    语言:English (UK) 防止您的浏览器被劫持。 适用于Google Chrome的应用程序,可以保护您的社交网络。 现在,您可以放心使用键盘,与此同时,还可以抓住那些试图闯入您的浏览器的人,获得一些乐趣。

    WEB旁注入侵检测

    旁注(Side-Jacking)一词来源于黑客通过监听网络流量,抓取并利用未加密的数据,如会话令牌,来进行非法操作。入侵检测则是为了预防、发现并响应这些恶意活动的关键步骤。 在Web旁注入侵检测中,我们需要理解以下...

    Android-AndroidVM注入和BinderJacking示例代码以及一些关于root的ramblings

    Android系统采用了严格的权限模型,但有时开发者或研究人员为了测试、调试或安全研究,需要深入系统内部,这涉及到Android虚拟机(VM)注入和Binder通信的操控,即所谓的“Binder Jacking”。本主题主要探讨这两个概念...

    社会顶峰报警「Social Jacking Alarm」-crx插件

    防止您的浏览器劫持尝试。 适用于Google Chrome的应用程序,可以保护您的社交网络。 现在,您可以放心使用键盘,与此同时,还可以抓住那些试图闯入您的浏览器的人,获得一些乐趣。 支持语言:English (UK)

    行业分类-设备装置-一种浮式自升式钻井平台.zip

    完成作业后,平台会通过“起桩”(jacking up)操作,将桩腿从海底拔出,恢复浮游状态,然后移动到下一个作业地点。 浮式自升式钻井平台的优势在于: 1. **机动性**:与固定式平台相比,它们可以轻松移动到不同的...

    网络游戏专业术语中英文对照版.doc

    24. Creep Jacking - 混战偷袭:在其他玩家与怪物战斗时对其进行攻击。 25. Critters - 不会反击的怪物:面对玩家攻击不会反抗的非敌对生物。 26. DD (Direct Damage) - 直接伤害:一次性造成的伤害。 27. DBUFF (De...

    MJS工法专项施工组织方案.doc

    MJS工法,全称为Micro-piling Jacking System(微桩顶推系统)工法,是一种适用于城市地下工程建设的深基础施工技术,尤其在地铁、隧道、桥梁等复杂地质环境下的换乘通道建设中广泛应用。本方案详细阐述了在某南路站...

Global site tag (gtag.js) - Google Analytics