这次大漏洞爆发,百度,淘宝,新浪,QQ,各大门户,几多网站都中招了。
忙乎了几天了。管理员该修补的,都修补完了。该拖的网站的源码和库也拖啦;
于是一些网站联盟,搜索引擎,垃圾邮件,各种辛苦升级的反作弊机制又赤裸裸的暴露出来了,接下来会有很多神奇的技术研究和创造。
(装逼图片来源互联网,PS,伪装,如果雷同,纯属巧合,不承担任何法律责任)
查阅不到X-Frame-Options 绕过的资料,国内貌似没有啥研究。只是某写联盟,都偷偷的加入了这个功能。
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
(翻译: X-Frame-Options HTTP请求头可以配置是否通过iframe访问到你的页面,网站可以使用这个来避免被攻击,确保其内容不被嵌入到其他网站中. )
使用 X-Frame-Options
X-Frame-Options 有三个值:
X-Frame-Options:DENY
完全禁止任何iframe请求,表示该页面不允许在 frame 中展示,即便是在相同域名的页面中嵌套也不允许。
X-Frame-Options:SAMEORIGIN
表示该页面可以在相同域名页面的 frame 中展示。例如 http://26836659.blogcn.com/
X-Frame-Options:ALLOW-FROM http://26836659.blogcn.com/
表示该页面可以在指定来源的 frame 中展示。
换一句话说,如果设置为 DENY,不光在别人的网站 frame 嵌入时会无法加载,在同域名页面中同样会无法加载。另一方面,如果设置为 SAMEORIGIN,那么页面就可以在同域名页面的 frame 中嵌套。
在PHP中, header(“X-Frame-Options: DENY”); 就可以调用。或者
<meta http-equiv="X-FRAME-OPTIONS" content="SAMEORIGIN">
实际运作结果,我用DENY来作示范,test.php是目标网页,已经宣告X-Frame-Options: DENY,iframe.php则是要嵌入iframe的网页,会发现嵌入后test.php回传http 200,但是因为有宣告X-Frame-Options,所以回传是空白的,而直接浏览test.php时则是显示hello world。
参考资料。http://www.enhanceie.com/test/clickjack/
| <script> | |
| document.domain = “enhanceie.com”; | |
| </script> | |
| </head> | |
| <body> | |
| 这里的一些例子 | |
| <a href=”http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx“>the X-Frame-Options | |
| directive</a>.<br/> | |
| <hr/> | |
| DENY 开启的时候,iframe是不显示的.<br /> | |
| <iframe src=”http://www.enhanceie.com/test/ClickJack/vicDeny.asp” style=”width: 535px; height: 250px”></iframe><br/> | |
| <hr /> | |
| A CACHEABLE same-domain victim frame, which is configured to DENY ALL.<br /> | |
| <iframe src=”http://www.enhanceie.com/test/ClickJack/vicDenyCached.aspx” style=”width: 535px; height: 250px”></iframe><br/> | |
| <hr/> | |
| A same-domain victim frame, which is configured to DENY ALL using a META tag (Use of the directive in META is deliberately unsupported).<font color=”red”>参考第5个 | |
| </font><br /> | |
| <br /> | |
| <iframe src=”http://www.enhanceie.com/test/ClickJack/vicDenyMeta.asp” style=”width: 535px; height: 250px”></iframe><br/> | |
| <hr/> | |
| 用 OBJECT tag, 在 DENY 下也不能使用.<br /> | |
| <object style=”width:535px; height:250px” type=”text/html” data=”http://www.enhanceie.com/test/ClickJack/vicDeny.asp”></object><br/> | |
| <hr/> | |
| A same-domain frame which is configured to ALLOW same-origin hosts. <font color=”red”>This is the 2nd of | |
| 5 that should be permitted on this page.</font><br /> | |
| <iframe src=”http://www.enhanceie.com/test/ClickJack/vicSame.asp” style=”width: 535px; height: 250px”></iframe><br/> | |
| <hr/> | |
| A same-domain SECURITY=RESTRICTED frame which is configured to ALLOW same-origin hosts. <font color=”red”>This is the | |
| 3rd of 5 that should be permitted on this page.</font><br /> | |
| <iframe src=”http://www.enhanceie.com/test/ClickJack/vicSame.asp” SECURITY=”restricted” style=”width: 535px; height: 250px”></iframe><br/> | |
| <hr/> | |
| A same-domain victim OBJECT tag, which is configured to ALLOW same-origin hosts. <font color=”red”>This is the | |
| 4th of | |
| 5 that should be permitted on this page.</font><br /> | |
| <object style=”width:535px; height:250px” type=”text/html” data=”http://www.enhanceie.com/test/ClickJack/vicSame.asp”></object><br/> | |
| <hr/> | |
| A cross-origin victim IFRAME, which is configured to ALLOW-FROM this origin. <font color=”red”>This is the | |
| 5th of 5 that should be permitted on this page.</font><br /> | |
| <iframe style=”width:535px; height:250px” src=”http://www.ericlawrence.com/test/ClickJack/vicAllowFrom.asp“></iframe><br/> | |
| <hr/> | |
| A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only (Blocked because the specified Allow-From origin does not match outermost page)<br /> | |
| <iframe style=”width:535px; height:250px” src=”http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp“></iframe><br/> | |
| <hr/> | |
| A parent-domain frame which is configured to ALLOW same-origin hosts. (Blocked because document.domain deliberately ignored.)<br /> | |
| <iframe src=”http://enhanceie.com/test/ClickJack/vicSame.asp” style=”width: 535px; height: 250px”></iframe><br/> | |
| <hr/> | |
| A peer-domain frame which is configured to ALLOW same-origin hosts. (Blocked because entire FQDN is compared)<br /> | |
| <iframe src=”http://www2.enhanceie.com/test/ClickJack/vicSame.asp” style=”width: 535px; height: 250px”></iframe><br/> | |
| <hr/> | |
| An x-domain victim frame:<br /> | |
| <iframe src=”http://www.ericlawrence.com/test/ClickJack/victim.asp” style=”width: 535px; height: 250px”></iframe><br/> | |
| <hr/> | |
| An x-domain victim frame, with SECURITY=RESTRICTED to prevent script from running:<br /> | |
| <iframe security=”restricted” src=”http://www.ericlawrence.com/test/ClickJack/victim.asp” style=”width: 535px; height: 250px”></iframe><br/> | |
可以看到。X-Frame-Options 秒杀了以下的形式。http://www.ietf.org/rfc/rfc7034.txt
o IFRAME tago Frame tago Object tag (requires a redirect)o Applet tago Embed tag
查阅了
浏览器安全策略说之内容安全策略CSP
http://drops.wooyun.org/tips/1439
他的过滤机制秒杀了X-Frame-Options 几条街。接来下的事情,比较一下。在他没过滤的地方来突破了。
child-srcconnect-srcfont-srcimg-srcmanifest-srcmedia-srcobject-srcscript-srcstyle-srccontent-src:限制连接的类型(例如XHR、WebSockets和EventSource)font-src:控制网络字体的来源。例如可以通过font-src https://themes.googleusercontent.com来使用Google的网络字体。frame-src:列出了可以嵌入的frame的来源。例如frame-src https://youtube.com只允许嵌入YouTube的视频。。img-src:定义了可加载图像的来源。media-src:限制视频和音频的来源。object-src:限制Flash和其他插件的来源。style-src:类似于Script-src,只是作用于css文件。source src
在线CSP编写,可以协助和帮助网站管理员编写出适合自己站点的CSP。http://cspisawesome.com/
就写到这里了。以后在来类似的文章了。
没有评论:
发表评论