框架巴斯特巴斯特...需要巴斯特代码 [英] Frame Buster Buster ... buster code needed
问题描述
假设您不希望其他网站在< iframe>
中设置您的网站:
< iframe src =http://example.org>< / iframe>
因此,您需要在所有页面中插入反框架JavaScript代码:
/ *让我们摆脱任何包含iframe的内容* /
if(top!= self){top.location.replace(self.location .href); }
优秀!现在你可以自动破解或者分解任何包含iframe的内容。除了一个小问题。
事实证明,你的框架破坏代码可能被破坏,如下所示:
< script type =text / javascript>
var prevent_bust = 0
window.onbeforeunload = function(){prevent_bust ++}
setInterval(function(){
if(prevent_bust> 0){
prevent_bust - = 2
window.top.location ='http://example.org/page-which-responds-with-204'
}
},1)
< /脚本>
此代码执行以下操作:
窗口导航离开当前页面时,递增计数器.onbeforeunload
事件处理程序
setInterval()
设置一个每毫秒触发的定时器,如果它看到计数器递增,则将当前位置更改为攻击者控制的服务器
我的问题是 - 这更像是一个JavaScript谜题,而不是实际的问题 - 你怎么能打败框架破坏者?
我有一些想法,但是在我的测试中没有任何工作:
onbeforeunload = null
清除 onbeforeunload
事件无效
alert()
可以阻止进程让用户知道它正在发生,但不会以任何方式干扰代码;点击确定让破坏继续正常
setInterval()
定时器
我不是一个JavaScript程序员,所以这是我对您的挑战:嘿,克星,你可以打破框架破坏我不知道这是否可行 - 但如果你不能破解的话框架,为什么不只是显示警告。例如,如果您的页面不是首页,请创建一个试图打破框架的setInterval方法。如果在3或4次尝试后,你的页面仍然不是首页 - 创建一个div元素,覆盖整个页面(模态框),并带有一条消息和一个链接,如...
您正在未经授权的框架窗口中查看此页面 - (Blah等等...潜在的安全问题)
点击此链接解决这个问题
不是最好的,但我没有看到他们可以编写脚本的任何方式出路。
Let's say you don't want other sites to "frame" your site in an <iframe>
:
<iframe src="http://example.org"></iframe>
So you insert anti-framing, frame busting JavaScript into all your pages:
/* break us out of any containing iframes */
if (top != self) { top.location.replace(self.location.href); }
Excellent! Now you "bust" or break out of any containing iframe automatically. Except for one small problem.
As it turns out, your frame-busting code can be busted, as shown here:
<script type="text/javascript">
var prevent_bust = 0
window.onbeforeunload = function() { prevent_bust++ }
setInterval(function() {
if (prevent_bust > 0) {
prevent_bust -= 2
window.top.location = 'http://example.org/page-which-responds-with-204'
}
}, 1)
</script>
This code does the following:
- increments a counter every time the browser attempts to navigate away from the current page, via the
window.onbeforeunload
event handler - sets up a timer that fires every millisecond via
setInterval()
, and if it sees the counter incremented, changes the current location to a server of the attacker's control - that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere
My question is -- and this is more of a JavaScript puzzle than an actual problem -- how can you defeat the frame-busting buster?
I had a few thoughts, but nothing worked in my testing:
- attempting to clear the
onbeforeunload
event viaonbeforeunload = null
had no effect - adding an
alert()
stopped the process let the user know it was happening, but did not interfere with the code in any way; clicking OK lets the busting continue as normal - I can't think of any way to clear the
setInterval()
timer
I'm not much of a JavaScript programmer, so here's my challenge to you: hey buster, can you bust the frame-busting buster?
I'm not sure if this is viable or not - but if you can't break the frame, why not just display a warning. For example, If your page isn't the "top page" create a setInterval method that tries to break the frame. If after 3 or 4 tries your page still isn't the top page - create a div element that covers the whole page (modal box) with a message and a link like...
You are viewing this page in a unauthorized frame window - (Blah blah... potential security issue)
click this link to fix this problem
Not the best, but I don't see any way they could script their way out of that.
这篇关于框架巴斯特巴斯特...需要巴斯特代码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!