In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-09-23 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >
Share
Shulou(Shulou.com)06/03 Report--
This article mainly introduces the example analysis of interface operation hijacking and HTML5 security, the article is very detailed, has a certain reference value, interested friends must read it!
1. Interface operation hijacking
1) ClickJacking
ClickJacking click hijacking, which is a kind of visual deception.
The attacker uses a transparent, invisible iframe to overwrite a location on the web page to induce the user to click iframe.
2) TapJacking
Now the utilization rate of mobile devices is getting higher and higher, according to the characteristics of mobile devices, derived from the TapJacking (touch screen hijacking).
The scope of the screen on the mobile phone is limited, and the mobile browser can hide the address bar in order to save space, so the visual deception on the mobile phone will be easier to implement.
1. The browser address bar is displayed at the top of the first picture, and the attacker draws a fake address bar on the page
two。 The real browser address bar in the second picture has been automatically hidden, leaving only a fake address bar on the page.
3. In the third picture, the browser address bar is normally hidden.
This visual attack can be used for fishing and fraud.
3) X-Frame-Options
In view of the traditional interface hijacking, we prevent it by prohibiting iframe.
There is a response header X-Frame-Options in the HTTP header, and there are three values to choose from:
1. DENY: this page does not allow any iframe pages to be loaded.
2. SAMEORIGIN: this page can load the iframe page of the same domain name.
3. ALLOW-FROM uri: this page can load an iframe page from a specified source.
II. HTML5 security
Some new tags and attributes in HTML5 make new changes in Web attacks such as XSS, which are summarized in HTML5 Security Cheatsheet.
1) hide URL malicious code
In reflective XSS, malicious code is written in the URL parameter, so that users can also see malicious code, such as the following link:
Http://www.csrf.net/csrf.html?id=111
You can manipulate the browser history through window.history.
PushState () takes three parameters: the status object, the title, and the optional URL address.
History.pushState ({}, ", location.href.split ('?') .shift ())
The parameters are hidden after the above code is executed.
The new URL address is as follows:
PushState can also falsify browser history.
For (iTuno; I
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
The market share of Chrome browser on the desktop has exceeded 70%, and users are complaining about
The world's first 2nm mobile chip: Samsung Exynos 2600 is ready for mass production.According to a r
A US federal judge has ruled that Google can keep its Chrome browser, but it will be prohibited from
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
About us Contact us Product review car news thenatureplanet
More Form oMedia: AutoTimes. Bestcoffee. SL News. Jarebook. Coffee Hunters. Sundaily. Modezone. NNB. Coffee. Game News. FrontStreet. GGAMEN
© 2024 shulou.com SLNews company. All rights reserved.