search
HomeWeb Front-endH5 TutorialDetailed graphic explanation of interface operation hijacking and HTML5 security

1. Interface operation hijacking

1) ClickJacking

ClickJacking click hijacking, which is a kind of visual deception.

The attacker uses a transparent and invisible iframe to cover a certain location on the web page to induce users to click on the iframe.

##2) TapJacking

Now the usage of mobile devices is increasing According to the characteristics of mobile devices, TapJacking (touch screen hijacking) is derived.

The screen range on mobile phones is limited. In order to save space, mobile browsers can hide the address bar, making visual deception on mobile phones easier to implement.

1. The browser address bar is displayed at the top of the first picture, and the attacker drew a fake address bar on the page;

2. In the second picture, the real browser address bar has been automatically hidden, and now only the fake address bar is left on the page;

3. In the third picture, the browser address bar is normally hidden. Case.

This visual attack can be exploited for phishing and fraud.

3) X-Frame-Options

For traditional interface hijacking, prevent iframes by prohibiting them.

There is a response header

X-Frame-Options in the HTTP header. There are three values ​​to choose from:

1. DENY: This page

Do not allow to load any iframe pages.

2. SAMEORIGIN: This page can load iframe pages with the

same domain name.

3. ALLOW-FROM uri: This page can load the iframe page from the

specified source.

2. HTML5 Security

New tags and attributes in HTML5 have brought about new changes in web attacks such as XSS. These changes are summarized in HTML5 Security Cheatsheet.

1) Hide URL malicious code

In reflected XSS, malicious code will be written in the URL parameters , in this case, users can also see malicious code, such as the following link:

http://www.csrf.net/csrf.html?id=<script>111</script>

You can operate the

browser history through window.history.

pushState() has three parameters: StateObject, title, and optional URL address.

history.pushState({},"", location.href.split(&#39;?&#39;).shift());

After executing the above code, the parameters will be

hidden.

The new URL address is the following:

Detailed graphic explanation of interface operation hijacking and HTML5 security

Browser History.

for(i=0; i<10; i++)
    history.pushState({},"", "/"+i+".html");

2) Botnet under HTML5Botnet refers to a large number of Specific malicious programs are implanted into computers, allowing controllers to directly send instructions to other computers through several computers to conduct network attacks.

Botnets based on the Web front-end can be used as DDOS attacks, involving

Web Worker technology and CORS processing mechanism, and then spread through Web worms. Web Worker is a multi-threaded mechanism that can execute malicious

JS

code asynchronously without affecting the user's normal operation in the browser. The CORS processing mechanism works at the browser level. If the server does not allow cross-site, the browser will intercept the results returned by the server, which means that the server will respond normally to cross-domain requests.

那么就可以事先写好一段异步请求的脚本(worker.js),然后通过Web Worker来执行这段脚本,不断的向目标服务器发起请求。

var worker_loc = &#39;worker.js&#39;;//封装了ajax请求的脚本
var target = &#39; 
//可实例化多个
Web Workervar workers = [];for (i = 0; i < 1; i++) {
      workers[i] = new Worker(worker_loc);
      workers[i].postMessage(target);//跨域消息传递}

The above is the detailed content of Detailed graphic explanation of interface operation hijacking and HTML5 security. For more information, please follow other related articles on the PHP Chinese website!

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
HTML5: The Standard and its Impact on Web DevelopmentHTML5: The Standard and its Impact on Web DevelopmentApr 27, 2025 am 12:12 AM

The core features of HTML5 include semantic tags, multimedia support, offline storage and local storage, and form enhancement. 1. Semantic tags such as, etc. to improve code readability and SEO effect. 2. Simplify multimedia embedding with labels. 3. Offline storage and local storage such as ApplicationCache and LocalStorage support network-free operation and data storage. 4. Form enhancement introduces new input types and verification properties to simplify processing and verification.

H5 Code Examples: Practical Applications and TutorialsH5 Code Examples: Practical Applications and TutorialsApr 25, 2025 am 12:10 AM

H5 provides a variety of new features and functions, greatly enhancing the capabilities of front-end development. 1. Multimedia support: embed media through and elements, no plug-ins are required. 2. Canvas: Use elements to dynamically render 2D graphics and animations. 3. Local storage: implement persistent data storage through localStorage and sessionStorage to improve user experience.

The Connection Between H5 and HTML5: Similarities and DifferencesThe Connection Between H5 and HTML5: Similarities and DifferencesApr 24, 2025 am 12:01 AM

H5 and HTML5 are different concepts: HTML5 is a version of HTML, containing new elements and APIs; H5 is a mobile application development framework based on HTML5. HTML5 parses and renders code through the browser, while H5 applications need to run containers and interact with native code through JavaScript.

The Building Blocks of H5 Code: Key Elements and Their PurposeThe Building Blocks of H5 Code: Key Elements and Their PurposeApr 23, 2025 am 12:09 AM

Key elements of HTML5 include,,,,,, etc., which are used to build modern web pages. 1. Define the head content, 2. Used to navigate the link, 3. Represent the content of independent articles, 4. Organize the page content, 5. Display the sidebar content, 6. Define the footer, these elements enhance the structure and functionality of the web page.

HTML5 and H5: Understanding the Common UsageHTML5 and H5: Understanding the Common UsageApr 22, 2025 am 12:01 AM

There is no difference between HTML5 and H5, which is the abbreviation of HTML5. 1.HTML5 is the fifth version of HTML, which enhances the multimedia and interactive functions of web pages. 2.H5 is often used to refer to HTML5-based mobile web pages or applications, and is suitable for various mobile devices.

HTML5: The Building Blocks of the Modern Web (H5)HTML5: The Building Blocks of the Modern Web (H5)Apr 21, 2025 am 12:05 AM

HTML5 is the latest version of the Hypertext Markup Language, standardized by W3C. HTML5 introduces new semantic tags, multimedia support and form enhancements, improving web structure, user experience and SEO effects. HTML5 introduces new semantic tags, such as, ,, etc., to make the web page structure clearer and the SEO effect better. HTML5 supports multimedia elements and no third-party plug-ins are required, improving user experience and loading speed. HTML5 enhances form functions and introduces new input types such as, etc., which improves user experience and form verification efficiency.

H5 Code: Writing Clean and Efficient HTML5H5 Code: Writing Clean and Efficient HTML5Apr 20, 2025 am 12:06 AM

How to write clean and efficient HTML5 code? The answer is to avoid common mistakes by semanticizing tags, structured code, performance optimization and avoiding common mistakes. 1. Use semantic tags such as, etc. to improve code readability and SEO effect. 2. Keep the code structured and readable, using appropriate indentation and comments. 3. Optimize performance by reducing unnecessary tags, using CDN and compressing code. 4. Avoid common mistakes, such as the tag not closed, and ensure the validity of the code.

H5: How It Enhances User Experience on the WebH5: How It Enhances User Experience on the WebApr 19, 2025 am 12:08 AM

H5 improves web user experience with multimedia support, offline storage and performance optimization. 1) Multimedia support: H5 and elements simplify development and improve user experience. 2) Offline storage: WebStorage and IndexedDB allow offline use to improve the experience. 3) Performance optimization: WebWorkers and elements optimize performance to reduce bandwidth consumption.

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

PhpStorm Mac version

PhpStorm Mac version

The latest (2018.2.1) professional PHP integrated development tool

MinGW - Minimalist GNU for Windows

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

EditPlus Chinese cracked version

EditPlus Chinese cracked version

Small size, syntax highlighting, does not support code prompt function

DVWA

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment