Notes on Clickjacking

0X00 Introduction

What is clickjacking? What harm can it do?

First, let's see what clickjacking is. Create a page called index.html:

<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
  <style>
    /* The visible decoy link; non-zero CSS lengths need a unit (px) */
    div {
      position: absolute;
      left: 10px;
      bottom: 35px;
      margin-left: 130px;
    }
  </style>
  <script>
    function fun() {
      alert("just for fun");
    }
  </script>
</head>
<body>
  <div><a href="http://www.qq.com" onclick="fun();">QQ网址</a></div>
  <!-- Transparent iframe layered over the link: the victim sees the link but the click lands in the framed page -->
  <iframe src="http://www.baidu.com" width="500px" scrolling="no"
          style="opacity: 0; position: absolute; left: 10px; bottom: 10px;"></iframe>
</body>
</html>

The code above hijacks clicks on the www.qq.com link so that they go to news.baidu.com instead. This is only an example; of course my simple version would be noticed, but hijacking a button is far more effective.

0X01 Understanding the HTTP headers

First, X-Frame-Options:

X-Frame-Options: ALLOW-FROM uri    only the specified URI may embed this page

X-Frame-Options: SAMEORIGIN    only same-origin pages may embed this page

X-Frame-Options: DENY    no site may embed this page

The following headers are set according to the security needs of your own application:

Field name: Strict-Transport-Security
Description: Enforces secure (HTTP over SSL/TLS) connections to the server. This reduces the impact of bugs in web applications that leak session data through cookies and external links.
Example: Strict-Transport-Security: max-age=16070400; includeSubDomains

Field name: X-Frame-Options, Frame-Options
Description: Clickjacking protection. Values: deny (no rendering within a frame), sameorigin (no rendering if the origin does not match), allow-from: URL (allow rendering in a frame only if loaded from URL).
Example: X-Frame-Options: deny

Field name: X-XSS-Protection
Description: Enables the cross-site scripting (XSS) filter built into most recent web browsers. It is usually enabled by default anyway, so the role of this header is to re-enable it for this particular website if the user has disabled it.
Example: X-XSS-Protection: 1; mode=block

Field name: X-Content-Type-Options
Description: The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content type. This also applies to Google Chrome when downloading extensions. It reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
Example: X-Content-Type-Options: nosniff

Field name: X-Content-Security-Policy, X-WebKit-CSP
Description: Content Security Policy definition. Requires careful tuning and a precise definition of the policy. If enabled, CSP has a significant impact on the way the browser renders pages (e.g. inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.
Example: X-WebKit-CSP: default-src 'self'
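As an added illustration that is not part of the original post, the following Python function evaluates a response's framing policy the way the header values above describe it: the three X-Frame-Options values, plus the CSP frame-ancestors directive, which current browsers honour in preference to X-Frame-Options when both are present. It assumes the framing page is the top-level window, matches only full-origin CSP sources, and uses constructed header sets and example.* URLs.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """scheme://host[:port], lower-cased: the browser's notion of an origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def framing_allowed(headers, page_url, parent_url):
    """Return (allowed, reason) for framing page_url inside the page at parent_url.

    headers: response headers of page_url (dict, names case-insensitive). Assumes
    parent_url is the top-level page, so SAMEORIGIN and 'self' compare against it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = origin_of(page_url), origin_of(parent_url)
    # CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False, "CSP frame-ancestors 'none' blocks all framing"
            if "*" in sources or ("self" in sources and parent == page):
                return True, "CSP frame-ancestors permits this parent"
            # Simplification: only full-origin sources (scheme://host[:port]) are matched.
            if parent in {s for s in sources if "://" in s}:
                return True, "CSP frame-ancestors lists the parent origin"
            return False, "CSP frame-ancestors does not list the parent origin"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY blocks all framing"
    if xfo == "SAMEORIGIN":
        if parent == page:
            return True, "X-Frame-Options SAMEORIGIN and parent is same-origin"
        return False, "X-Frame-Options SAMEORIGIN and parent is cross-origin"
    if xfo.startswith("ALLOW-FROM "):
        # ALLOW-FROM was never supported by Chrome or Safari, which treat it as an
        # unknown value and allow framing, so do not rely on it.
        if origin_of(xfo[len("ALLOW-FROM "):].strip().lower()) == parent:
            return True, "X-Frame-Options ALLOW-FROM lists the parent origin"
        return False, "X-Frame-Options ALLOW-FROM names a different origin"
    # No recognised policy: any site can frame the page, i.e. it is clickjackable.
    return True, "no framing policy: page can be framed by anyone"

if __name__ == "__main__":
    # Constructed sample: a login page served with SAMEORIGIN, framed by a stranger.
    print(framing_allowed({"X-Frame-Options": "SAMEORIGIN"},
                          "https://bank.example/login", "https://evil.example/"))
```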

 

0X02 Setting HTTP headers to defend against clickjacking

Configuring the header on an Apache server

I use the WAMP one-click install environment; make the following changes in the configuration file httpd.conf.

First check whether mod_headers.so is enabled; to enable it, remove the leading # from this line:

LoadModule headers_module modules/mod_headers.so

Then add:

 
<IfModule headers_module>
  Header always append X-Frame-Options SAMEORIGIN
</IfModule>

Or:

 
<IfModule headers_module>
  Header add X-Frame-Options SAMEORIGIN
  # The value contains a semicolon, so quote it
  Header add X-XSS-Protection "1; mode=block"
</IfModule>

Configuring the header on an Nginx server

# Place inside the http, server or location block
add_header X-Frame-Options SAMEORIGIN;

The above is supported from these browser versions onward:

Feature: Basic support
Chrome: 4.1.249.1042
Firefox (Gecko): 3.6.9 (1.9.2.9)
Internet Explorer: 8.0
Opera: 10.5
Safari: 4.0

For older browsers, you need your own code to defend against clickjacking.

0X03 JavaScript clickjacking defense code

<style id="antiClickjack">body{display:none !important;}</style>
<script>
if (self == top) {
  // Not framed: remove the hiding rule. Setting body.style.display = "block"
  // would not work, because the !important stylesheet rule overrides inline styles.
  var antiClickjack = document.getElementById("antiClickjack");
  antiClickjack.parentNode.removeChild(antiClickjack);
} else {
  // Framed: break out by navigating the top-level window to this page.
  top.location = self.location;
}
</script>

Tencent Weibo uses a similar method: when a Tencent Weibo page is loaded in an iframe, the top-level page is redirected to Tencent Weibo itself.
