
Bypassing Protections

Published 2024-10-11 20:33:57

Clickjacking isn’t possible when the site implements the proper protections. If a modern browser displays an X-Frame-Options protected page, chances are you can’t exploit clickjacking on the page, and you’ll have to find another vulnerability, such as XSS or CSRF, to achieve the same results. Sometimes, however, the page won’t show up in your test iframe even though it lacks the headers that prevent clickjacking. If the website itself fails to implement complete clickjacking protections, you might be able to bypass the mitigations.


Here’s an example of what you can try if the website uses frame-busting techniques instead of HTTP response headers and SameSite cookies: find a loophole in the frame-busting code. For instance, developers commonly make the mistake of comparing only the top frame to the current frame when trying to detect whether the protected page is framed by a malicious page. If the top frame has the same origin as the framed page, developers may allow it, because they deem the framing site’s domain to be safe. Essentially, the protection’s code has this structure:


if (top.location == self.location){
  // Allow framing.
}
else{
  // Disallow framing.
}

If that is the case, search for a location on the victim site that allows you to embed custom iframes. For example, many social media sites allow users to share links on their profile. These features often work by embedding the URL in an iframe to display information and a thumbnail of the link. Other common features that require custom iframes are those that let you embed videos, audio, images, and custom advertisements, as well as web page builders.


If you find one of these features, you might be able to bypass clickjacking protection by using the double iframe trick. This trick works by framing your malicious page within a page in the victim’s domain. First, construct a page that frames the victim’s targeted functionality. Then place the entire page in an iframe hosted by the victim site (Figure 8-6).



Figure 8-6: You can try to place your site in an iframe hosted by the victim site to bypass improper frame checking.


This way, both top.location and self.location point to victim.com. The frame-busting code would determine that the innermost victim.com page is framed by another victim.com page within its domain, and therefore deem the framing safe. The intermediary attacker page would go undetected.
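As an added example (not code from the original text), the following models a browser frame tree with constructed window objects so the "top vs. self" check shown above can be compared with a check that inspects every ancestor; the origins and the layout (victim page at top, attacker page in the middle, victim settings page innermost) are assumptions matching Figure 8-6.

```javascript
// Added example, not code from the original text: a small model of a browser
// frame tree, used to compare the flawed "top vs. self" check with one that
// inspects every ancestor. Windows are constructed objects; origins are made up.
function makeWindow(origin, parent) {
  const win = { origin, parent: null, top: null };
  win.parent = parent || win;            // a top-level window is its own parent
  win.top = parent ? parent.top : win;
  return win;
}

// Like a real browser, reading location details of a cross-origin window
// throws a SecurityError, so the checks below must treat "unreadable" as foreign.
function readOrigin(target, self) {
  if (target.origin !== self.origin) throw new Error("SecurityError: cross-origin access");
  return target.origin;
}

// The structure shown in the text: only top is compared with self.
function flawedAllowsFraming(self) {
  try {
    return readOrigin(self.top, self) === self.origin;
  } catch (e) {
    return false;
  }
}

// Hardened variant: every ancestor between self and top must be same-origin.
function strictAllowsFraming(self) {
  let win = self;
  while (win.parent !== win) {
    win = win.parent;
    try {
      if (readOrigin(win, self) !== self.origin) return false;
    } catch (e) {
      return false;                      // an unreadable ancestor is not ours
    }
  }
  return true;
}

// Constructed double-iframe layout from Figure 8-6:
//   victim.com page (top) > attacker page (iframe) > victim.com settings (iframe)
const outerVictim = makeWindow("https://victim.com", null);
const attackerPage = makeWindow("https://attacker.example", outerVictim);
const innerVictim = makeWindow("https://victim.com", attackerPage);

// Direct cross-origin framing for comparison: the attacker page is top.
const attackerTop = makeWindow("https://attacker.example", null);
const directlyFramed = makeWindow("https://victim.com", attackerTop);
```

Even the ancestor-walking variant is only a fallback: the dependable control is a response header, CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN, which the browser enforces before any page script runs.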


Always ask yourself if the developer may have missed any edge cases while implementing protection mechanisms. Can you exploit these edge cases to your advantage?


Let’s take a look at an example report. Periscope is a live streaming video application, and on July 10, 2019, it was found to be vulnerable to clickjacking. You can find the disclosed bug report at https://hackerone.com/reports/591432/. The site was using the X-Frame-Options ALLOW-FROM directive to prevent clickjacking. This directive lets a page specify the URLs that are allowed to frame it, but it’s an obsolete directive that isn’t supported by many browsers. This means that all features on the subdomains https://canary-web.pscp.tv and https://canary-web.periscope.tv were vulnerable to clickjacking if the victim was using a browser that didn’t support the directive, such as the latest Chrome, Firefox, and Safari browsers. Since Periscope’s account settings page allows users to deactivate their accounts, an attacker could, for example, frame the settings page and trick users into deactivating their accounts.
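As an added example (not part of the original text or the HackerOne report), a small header audit that flags the obsolete ALLOW-FROM case described above and recognises the CSP frame-ancestors replacement; the sample header sets are constructed, not captured from Periscope or any other site.

```javascript
// Added example, not from the original text or the report. Classifies a
// response's anti-framing headers; header names are normalised to lower case.
function auditFramingProtection(rawHeaders) {
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) headers[name.toLowerCase()] = value;

  const findings = [];
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  const csp = headers["content-security-policy"] || "";

  // CSP frame-ancestors is the supported replacement for ALLOW-FROM.
  const fa = csp.split(";").map((d) => d.trim()).find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  const faSources = fa ? fa.split(/\s+/).slice(1).map((s) => s.toLowerCase()) : [];
  const cspRestricts = faSources.length > 0 && !faSources.includes("*");
  if (fa && !cspRestricts) findings.push("frame-ancestors permits any origin to frame the page");
  if (cspRestricts) findings.push(`frame-ancestors limits framing to: ${faSources.join(" ")}`);

  const xfoEnforced = xfo === "DENY" || xfo === "SAMEORIGIN";
  if (xfoEnforced) {
    findings.push(`X-Frame-Options ${xfo} is honoured by current browsers`);
  } else if (xfo.startsWith("ALLOW-FROM")) {
    findings.push("X-Frame-Options ALLOW-FROM is obsolete; current Chrome, Firefox and Safari ignore it, so the page is framable unless CSP frame-ancestors is also set");
  } else if (xfo) {
    findings.push(`X-Frame-Options "${xfo}" is not a valid directive and is ignored`);
  }
  if (!xfo && !fa) findings.push("no anti-framing header present");

  return { protected: cspRestricts || xfoEnforced, findings };
}

// Constructed sample responses (not captured from any real site).
const allowFromOnly = { "X-Frame-Options": "ALLOW-FROM https://partner.example" };
const modern = { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" };
const none = { "Content-Type": "text/html" };
```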

