Clickmanacking如何以外行的方式传播？ [英] How does Clickjacking spread, in layman terms?

问题描述

我一直在阅读很多关于iframe和点击劫持的内容，但却无法找到我想要的信息。你可以帮我解决下面的问题吗？

I have been reading a lot regarding iframes and clickjacking, and was not able to find the information I am looking for. Can you help me out with below questions?

iframe点击劫持如何传播？我看过很多文章提到在本地机器上编辑html代码，同样他们可以通过添加一个隐形按钮来劫持用户点击。但是，这是用户本地机器上的修改逻辑。我有兴趣知道是否可以将相同的代码推送到云中并影响登录或使用该门户的每个用户？如果有，怎么样？

How does Iframe clickjacking spread? I have seen lot of articles which mentions editing of html code in the local machine and by the same they are able to hijack users click by adding an invisible button. But, this is a modified logic on a local machine of a user. I am interested in knowing is it possible to push this same code to the cloud and impact every user logging in or using that portal? If yes, how?

如果我在我的网站上启用Iframe选项，则存在安全风险，因为我的页面可以作为Iframe加载到其他人的网站中，并且可能会误用它。如果有任何安全数据，如果最终用户意外进入该网站，则数据被黑客入​​侵。这是一个安全问题因此总是建议不要允许Iframe，这是正确的吗？是否存在任何其他安全风险。

If I enable Iframe options on my website, it is a security risk because my page can be loaded as an Iframe in some one else's website and they can misuse it. And if there is any secured data, if end user is accidentally entering on that website, the data is hacked. This is a security concern so it is always recommended not to allow Iframe, is that correct? Are there any other security risk.

如果存在任何其他风险，请添加。

Please add if there are any other risks.

推荐答案

点击劫持不会蔓延。

字面意思是说 - 点击次数 - 仅此而已。但是，这些点击的后果可能非常严重。

It is literally as it is stated - jacking clicks - nothing more. However, the consequences of those clicks could be severe.

想象一下，你访问了一个网站， evil.example.org 。在另一个标签页中，您还会登录到您的银行， bank.example.com 。

Imagine you visit a site, evil.example.org. In another tab you are also logged into your bank, bank.example.com.

evil.example.org 还会在IFrame中加载 bank.example.com 。但是，它使用CSS使这个IFrame不可见。并且它不加载主页，它加载汇款页面，传递一些参数：

evil.example.org also loads bank.example.com in an IFrame. However, it uses CSS to make this IFrame invisible. And it does not load the home page, it loads the money transfer page, passing some parameters:

<iframe src="https://bank.example.com/loggedIn/transferMoney?toAccount=Bob&amount=100000"></iframe>

现在，此页面不会立即转账。它要求用户单击以确认转移给Bob。

Now, this page does not transfer the money immediately. It asks the user to click to confirm the transfer to Bob.

然而， evil.example.org 绘制一个确认转移按钮正下方的按钮说免费iPad点击此处。

However, evil.example.org draws a button right underneath the Confirm Transfer button saying Free iPad click here.

因为IFrame是不可见的，所以用户只看免费iPad点击这里。但是当他们点击时，浏览器会针对确认转移注册点击。

Because the IFrame is invisible, the user just sees Free iPad click here. But when they click, the browser registers the click against Confirm Transfer.

因为您在另一个标签中登录了银行网站，所以只是骗了你的钱。

Because you are logged into the bank site in another tab, Bob has just nicked your money.

请注意 X-Frame-Options 标头修复了您网站上的此漏洞，假设它已设置为 SAMEORIGIN 或 DENY 。在添加标头之前，您很容易受到攻击。 CSP中有一个名为 框架祖先的新指令 - 但是，只有最新的浏览器支持它，因此您最好在目前添加两个标头。这将为您提供Internet Explorer 8及更高版本以及Chrome，Firefox，Opera和Safari的保护。

Note that the X-Frame-Options header fixes this vulnerability on your site, assuming it is set to SAMEORIGIN or DENY. You are vulnerable until you add the header. There's a new directive in CSP called frame ancestors - however, only the latest browsers support it, so you're best off adding both headers at the moment. This will give you protection on Internet Explorer 8 and later, plus Chrome, Firefox, Opera and Safari.

防止框架还可以帮助阻止诸如跨站点历史记录操作。

Preventing framing can also help thwart over attacks such as Cross Site History Manipulation.

这篇关于Clickmanacking如何以外行的方式传播？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！