0X00 Introduction

What is clickjacking? What harm can it do?

First, let's understand what clickjacking is. Build a page named index.html:

  <meta http-equiv="Content-Type" content="text/html;charset=utf8">
  <style>
    /* Selector assumed (the original style block lost its selector in extraction); it positions the visible link */
    div a {
      bottom: 35px;
      position: absolute;
      margin-left: 130px;
    }
  </style>
  <script>
  function fun(){
    alert("just for fun");
  }
  </script>
  <div><a href="" onclick="fun();">QQ网址</a></div>
  <!-- transparent (opacity: 0) iframe laid over the link: a click aimed at the link lands in the framed page -->
  <iframe src="" width="500px" scrolling="no" style="opacity: 0;position: absolute;left: 10px;bottom: 10px;"></iframe>

The code above clickjacks this link: the transparent iframe sits over it, so a click that appears to land on the link actually lands inside the framed page. This is only an example; of course a simple demonstration like this one would be noticed, but hijacking a button is much more effective.

0X01 Understanding HTTP Headers


X-Frame-Options: ALLOW-FROM uri   allows only the specified URL to embed this page

X-Frame-Options: SAMEORIGIN   allows only same-origin sites to embed this page

X-Frame-Options: DENY   forbids every site from embedding this page


Field name: Strict-Transport-Security
Description: Enforces secure (HTTP over SSL/TLS) connections to the server. This reduces the impact of bugs in web applications that leak session data through cookies and external links.
Example: Strict-Transport-Security: max-age=16070400; includeSubDomains

Field name: X-Frame-Options, Frame-Options
Description: Clickjacking protection. Values: deny (no rendering within a frame), sameorigin (no rendering if the origin mismatches), allow-from: URL (allow rendering in a frame only if loaded from URL).
Example: X-Frame-Options: deny

Field name: X-XSS-Protection
Description: Enables the cross-site scripting (XSS) filter built into most recent web browsers. It is usually enabled by default anyway, so the role of this header is to re-enable it for this particular website if the user has disabled it.
Example: X-XSS-Protection: 1; mode=block

Field name: X-Content-Type-Options
Description: The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content type. This also applies to Google Chrome when downloading extensions. It reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, through clever naming, could be treated by MSIE as executable or dynamic HTML files.
Example: X-Content-Type-Options: nosniff

Field name: X-Content-Security-Policy, X-WebKit-CSP
Description: Content Security Policy definition. Requires careful tuning and a precise definition of the policy. If enabled, CSP has a significant impact on the way the browser renders pages (e.g. inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.
Example: X-WebKit-CSP: default-src 'self'


0X02 Setting HTTP Headers to Defend Against Clickjacking

Apache server: configuring the header

I set my environment up with the WAMP one-click installer; make the following changes in the configuration file httpd.conf.

First check whether the following line is enabled; if it is commented out, just remove the leading #:

LoadModule headers_module modules/


<IfModule headers_module>
    # "set" replaces any value the application already sends; the original
    # "append"/"add" directives would emit a second copy of the header instead.
    Header always set X-Frame-Options SAMEORIGIN
</IfModule>


<IfModule headers_module>
    Header always set X-Frame-Options SAMEORIGIN
    # the value contains a space, so it must be quoted
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

Nginx server: configuring the header

# add_header lines in a location block replace, rather than extend, those
# inherited from the server/http level, so repeat this wherever add_header is used
add_header X-Frame-Options SAMEORIGIN;
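To see how a browser reads what the Apache and Nginx configurations above emit, here is an added example (not from the original post): a small Node.js lint that takes a response header map, as Node's `http` module exposes it, and reports whether the page is protected against framing. It goes one step beyond the page by also reading the Content-Security-Policy `frame-ancestors` directive, which current browsers use in preference to X-Frame-Options when both are present, and it singles out the duplicate value that `Header append` produces and the ALLOW-FROM value, which current browsers no longer honour. The function names and the sample header sets are my own; the samples are constructed, not captured from any real site.

```javascript
'use strict';

// Split a header value (string, array of strings, or absent) into trimmed,
// non-empty tokens. Node's http module comma-joins repeated headers that it
// does not special-case, so both shapes are handled here.
function splitHeader(value) {
  if (value === undefined || value === null) return [];
  const parts = Array.isArray(value) ? value : [value];
  return parts
    .flatMap((part) => String(part).split(','))
    .map((token) => token.trim())
    .filter((token) => token.length > 0);
}

// Return the source list of the first `frame-ancestors` directive found in a
// Content-Security-Policy header value, or null when no policy carries one.
function frameAncestors(cspValue) {
  for (const policy of splitHeader(cspValue)) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter((t) => t.length > 0);
      if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
        return tokens.slice(1).map((t) => t.toLowerCase());
      }
    }
  }
  return null;
}

// Decide whether the response may be rendered inside a third-party frame.
// `headers` uses lowercase names, as res.headers does in Node.
// status is 'protected', 'unprotected' or 'misconfigured'.
function assessFraming(headers) {
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    // A frame-ancestors directive takes precedence over X-Frame-Options in
    // browsers that support it, so it is evaluated first.
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { status: 'protected', mechanism: 'csp', policy: 'deny' };
    }
    if (ancestors.length === 1 && ancestors[0] === "'self'") {
      return { status: 'protected', mechanism: 'csp', policy: 'sameorigin' };
    }
    // '*' or a bare scheme such as "https:" matches any host: no real restriction.
    const wildcard = ancestors.find((src) => src === '*' || /^[a-z][a-z0-9+.-]*:$/.test(src));
    if (wildcard) {
      return { status: 'unprotected', mechanism: 'csp', finding: `frame-ancestors source ${wildcard} allows any site` };
    }
    return { status: 'protected', mechanism: 'csp', policy: 'allowlist', allowed: ancestors };
  }

  // Case-insensitive, deduplicated X-Frame-Options values: the identical
  // duplicates produced by `Header append` collapse to a single entry.
  const xfo = [...new Set(splitHeader(headers['x-frame-options']).map((v) => v.toLowerCase()))];
  if (xfo.length === 0) {
    return { status: 'unprotected', mechanism: 'none', finding: 'no X-Frame-Options or frame-ancestors' };
  }
  if (xfo.length > 1) {
    // Distinct values in one response: browsers do not agree on the outcome, fix the config.
    return { status: 'misconfigured', mechanism: 'x-frame-options', finding: `conflicting values: ${xfo.join(' / ')}` };
  }
  const value = xfo[0];
  if (value === 'deny' || value === 'sameorigin') {
    return { status: 'protected', mechanism: 'x-frame-options', policy: value };
  }
  if (value.startsWith('allow-from')) {
    return { status: 'unprotected', mechanism: 'x-frame-options', finding: 'ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors' };
  }
  return { status: 'unprotected', mechanism: 'x-frame-options', finding: `unrecognised value "${value}"` };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  nginxExample: { 'x-frame-options': 'SAMEORIGIN' },
  apacheAppendTwice: { 'x-frame-options': 'SAMEORIGIN, SAMEORIGIN' },
  allowFrom: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  conflicting: { 'x-frame-options': ['DENY', 'SAMEORIGIN'] },
  cspWins: { 'x-frame-options': 'DENY', 'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://app.example" },
  noHeaders: { 'content-type': 'text/html' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLES)) {
    console.log(name, JSON.stringify(assessFraming(headers)));
  }
}

if (typeof module !== 'undefined') module.exports = { splitHeader, frameAncestors, assessFraming, SAMPLES };
```

Run it with `node` to print the verdict for each sample; to lint a live deployment, pass `res.headers` from an `http.get` callback to `assessFraming`.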


Browser support

Feature: Basic support
  Chrome: (version missing from the source)
  Firefox (Gecko): 3.6.9
  Internet Explorer: 8.0
  Opera: 10.5
  Safari: 4.0


0X03 JavaScript code to defend against clickjacking

<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
  if (self === top) {
    // Not framed: remove the blocking style element (a plain body.style.display = "block" loses to the !important rule)
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    top.location = self.location;
  }
</script>
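The snippet above busts out of every frame, including one served by the same site, which the SAMEORIGIN header would allow. As an added example (not from the original post), the decision logic below mirrors the header semantics on the client side. The `shouldBust` function, its inputs and the constructed cases are my own, and the cases include a nested frame chain where a same-origin parent is itself framed by another site, which a check of the direct parent alone would miss.

```javascript
'use strict';

// Decide whether the current document should bust out of its frame.
// `policy` mirrors X-Frame-Options: 'deny', 'sameorigin', or an array of
// allowed origins. `ancestorOrigins` lists the origins of the framing
// documents from the direct parent outward to the top window (the order of
// location.ancestorOrigins); a null entry stands for an ancestor whose origin
// could not be determined, which is never trusted.
function shouldBust(selfOrigin, ancestorOrigins, policy) {
  if (ancestorOrigins.length === 0) return false; // top-level document
  if (policy === 'deny') return true;
  const allowed = policy === 'sameorigin' ? [selfOrigin] : policy;
  // Every ancestor in the chain must be allowed, not just the direct parent:
  // a same-origin parent framed by a third party still exposes the page.
  return !ancestorOrigins.every((origin) => origin !== null && allowed.includes(origin));
}

// Constructed cases (not taken from any real deployment).
const CASES = [
  { name: 'top-level', self: 'https://shop.example', ancestors: [], policy: 'sameorigin', expect: false },
  { name: 'same-origin parent', self: 'https://shop.example', ancestors: ['https://shop.example'], policy: 'sameorigin', expect: false },
  { name: 'nested via third party', self: 'https://shop.example', ancestors: ['https://shop.example', 'https://other.example'], policy: 'sameorigin', expect: true },
  { name: 'unknown ancestor', self: 'https://shop.example', ancestors: [null], policy: 'sameorigin', expect: true },
  { name: 'allowlisted partner', self: 'https://shop.example', ancestors: ['https://partner.example'], policy: ['https://partner.example'], expect: false },
  { name: 'deny, same-origin parent', self: 'https://shop.example', ancestors: ['https://shop.example'], policy: 'deny', expect: true },
];

// Return the names of the cases whose decision differs from the expected one.
function failingCases() {
  return CASES
    .filter((c) => shouldBust(c.self, c.ancestors, c.policy) !== c.expect)
    .map((c) => c.name);
}

// Browser wiring (shown as a comment because it needs a window; pair it with
// the antiClickjack style element from the snippet above):
//   var origins = location.ancestorOrigins ? Array.from(location.ancestorOrigins)
//                                          : (self === top ? [] : [null]);
//   if (shouldBust(location.origin, origins, 'sameorigin')) {
//     top.location = self.location;
//   } else {
//     document.getElementById('antiClickjack').remove();
//   }
// Where location.ancestorOrigins is unavailable, the fallback marks any
// framing as unknown and so reproduces the original snippet's behaviour.

if (typeof require !== 'undefined' && require.main === module) {
  const failures = failingCases();
  console.log(failures.length === 0 ? 'all cases behave as expected' : `unexpected: ${failures.join(', ')}`);
}

if (typeof module !== 'undefined') module.exports = { shouldBust, CASES, failingCases };
```

The JavaScript check remains a fallback: the response headers from the previous section are what actually stop a browser from rendering the page in a hostile frame, and the script only covers browsers or proxies that strip them.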



