Detailed graphic explanation of interface operation hijacking and HTML5 security

1. Interface operation hijacking

1) ClickJacking

ClickJacking click hijacking, which is a kind of visual deception.

The attacker uses a transparent and invisible iframe to cover a certain location on the web page to induce users to click on the iframe.

##2) TapJacking

Now the usage of mobile devices is increasing According to the characteristics of mobile devices, TapJacking (touch screen hijacking) is derived.

The screen range on mobile phones is limited. In order to save space, mobile browsers can hide the address bar, making visual deception on mobile phones easier to implement.

1. The browser address bar is displayed at the top of the first picture, and the attacker drew a fake address bar on the page;

2. In the second picture, the real browser address bar has been automatically hidden, and now only the fake address bar is left on the page;

3. In the third picture, the browser address bar is normally hidden. Case.

This visual attack can be exploited for phishing and fraud.

3) X-Frame-Options

For traditional interface hijacking, prevent iframes by prohibiting them.

There is a response header

X-Frame-Options in the HTTP header. There are three values ​​to choose from:

1. DENY: This page

Do not allow to load any iframe pages.

2. SAMEORIGIN: This page can load iframe pages with the

same domain name.

3. ALLOW-FROM uri: This page can load the iframe page from the

specified source.

2. HTML5 Security

New tags and attributes in HTML5 have brought about new changes in web attacks such as XSS. These changes are summarized in HTML5 Security Cheatsheet.

1) Hide URL malicious code

In reflected XSS, malicious code will be written in the URL parameters , in this case, users can also see malicious code, such as the following link:

http://www.csrf.net/csrf.html?id=<script>111</script>

You can operate the

browser history through window.history.

pushState() has three parameters: StateObject, title, and optional URL address.

history.pushState({},"", location.href.split('?').shift());

After executing the above code, the parameters will be

hidden.

The new URL address is the following:

Browser History.

for(i=0; i<10; i++)
    history.pushState({},"", "/"+i+".html");

2) Botnet under HTML5Botnet refers to a large number of Specific malicious programs are implanted into computers, allowing controllers to directly send instructions to other computers through several computers to conduct network attacks.

Botnets based on the Web front-end can be used as DDOS attacks, involving

Web Worker technology and CORS processing mechanism, and then spread through Web worms. Web Worker is a multi-threaded mechanism that can execute malicious

JS

code asynchronously without affecting the user's normal operation in the browser. The CORS processing mechanism works at the browser level. If the server does not allow cross-site, the browser will intercept the results returned by the server, which means that the server will respond normally to cross-domain requests.

那么就可以事先写好一段异步请求的脚本（worker.js），然后通过Web Worker来执行这段脚本，不断的向目标服务器发起请求。

var worker_loc = 'worker.js';//封装了ajax请求的脚本
var target = ' 
//可实例化多个
Web Workervar workers = [];for (i = 0; i < 1; i++) {
      workers[i] = new Worker(worker_loc);
      workers[i].postMessage(target);//跨域消息传递}

The above is the detailed content of Detailed graphic explanation of interface operation hijacking and HTML5 security. For more information, please follow other related articles on the PHP Chinese website!