框架巴斯特巴斯特...需要巴斯特代码 [英] Frame Buster Buster ... buster code needed

问题描述

假设您不希望其他网站在< iframe> 中设置您的网站：

 < iframe src =http://example.org>< / iframe> 
  

因此，您需要在所有页面中插入反框架JavaScript代码：

  / *让我们摆脱任何包含iframe的内容* / 
 if（top！= self）{top.location.replace（self.location .href）; } 
  

优秀！现在你可以自动破解或者分解任何包含iframe的内容。除了一个小问题。

事实证明，你的框架破坏代码可能被破坏，如下所示：

 < script type =text / javascript> 
 var prevent_bust = 0 
 window.onbeforeunload = function（）{prevent_bust ++} 
 setInterval（function（）{
 if（prevent_bust> 0）{
 prevent_bust  - = 2 
 window.top.location ='http://example.org/page-which-responds-with-204'
} 
}，1）
< /脚本> 
  

此代码执行以下操作：

• 每当浏览器尝试通过窗口导航离开当前页面时，递增计数器.onbeforeunload 事件处理程序


• 通过 setInterval（）设置一个每毫秒触发的定时器，如果它看到计数器递增，则将当前位置更改为攻击者控制的服务器


• 该服务器提供带有HTTP状态码 204 的页面，该页面不会导致浏览器在任何地方导航

我的问题是 - 这更像是一个JavaScript谜题，而不是实际的问题 - 你怎么能打败框架破坏者？

我有一些想法，但是在我的测试中没有任何工作：

• 尝试通过 onbeforeunload = null 清除 onbeforeunload 事件无效


• 添加一个 alert（）可以阻止进程让用户知道它正在发生，但不会以任何方式干扰代码;点击确定让破坏继续正常


• 我想不出任何方法来清除 setInterval（）定时器
>

我不是一个JavaScript程序员，所以这是我对您的挑战：嘿，克星，你可以打破框架破坏我不知道这是否可行 - 但如果你不能破解的话框架，为什么不只是显示警告。例如，如果您的页面不是首页，请创建一个试图打破框架的setInterval方法。如果在3或4次尝试后，你的页面仍然不是首页 - 创建一个div元素，覆盖整个页面（模态框），并带有一条消息和一个链接，如...

您正在未经授权的框架窗口中查看此页面 - （Blah等等...潜在的安全问题）

点击此链接解决这个问题

不是最好的，但我没有看到他们可以编写脚本的任何方式出路。

Let's say you don't want other sites to "frame" your site in an <iframe>:

<iframe src="http://example.org"></iframe>

So you insert anti-framing, frame busting JavaScript into all your pages:

/* break us out of any containing iframes */
if (top != self) { top.location.replace(self.location.href); }

Excellent! Now you "bust" or break out of any containing iframe automatically. Except for one small problem.

As it turns out, your frame-busting code can be busted, as shown here:

<script type="text/javascript">
    var prevent_bust = 0  
    window.onbeforeunload = function() { prevent_bust++ }  
    setInterval(function() {  
      if (prevent_bust > 0) {  
        prevent_bust -= 2  
        window.top.location = 'http://example.org/page-which-responds-with-204'  
      }  
    }, 1)  
</script>

This code does the following:

• increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeunload event handler
• sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker's control
• that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere

My question is -- and this is more of a JavaScript puzzle than an actual problem -- how can you defeat the frame-busting buster?

I had a few thoughts, but nothing worked in my testing:

• attempting to clear the onbeforeunload event via onbeforeunload = null had no effect
• adding an alert() stopped the process let the user know it was happening, but did not interfere with the code in any way; clicking OK lets the busting continue as normal
• I can't think of any way to clear the setInterval() timer

I'm not much of a JavaScript programmer, so here's my challenge to you: hey buster, can you bust the frame-busting buster?

解决方案

I'm not sure if this is viable or not - but if you can't break the frame, why not just display a warning. For example, If your page isn't the "top page" create a setInterval method that tries to break the frame. If after 3 or 4 tries your page still isn't the top page - create a div element that covers the whole page (modal box) with a message and a link like...

You are viewing this page in a unauthorized frame window - (Blah blah... potential security issue)

click this link to fix this problem

Not the best, but I don't see any way they could script their way out of that.

这篇关于框架巴斯特巴斯特...需要巴斯特代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！