- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Hunting for Clickjacking
Find clickjacking vulnerabilities by looking for pages on the target site that contain sensitive state-changing actions and can be framed.
通过寻找包含敏感状态更改操作并可以被框架的目标网站页面,找到点击劫持漏洞。
Step 1: Look for State-Changing Actions
Clickjacking vulnerabilities are valuable only when the target page contains state-changing actions. You should look for pages that allow users to make changes to their accounts, like changing their account details or settings. Otherwise, even if an attacker can hijack user clicks, they can’t cause any damage to the website or the user’s account. That’s why you should start by spotting the state-changing actions on a site.
点击劫持漏洞只有在目标页面包含状态更改操作时才有价值。您应该寻找允许用户对其帐户进行更改的页面,如更改帐户详细信息或设置。否则,即使攻击者能够劫持用户的点击,也无法对网站或用户的帐户造成任何损害。这就是为什么您应该从网站上识别状态变化的操作开始的原因。
For example, let’s say you’re testing a subdomain of example.com that handles banking functionalities at bank.example.com . Go through all the functionalities of the web application, click all the links, and write down all the state-changing options, along with the URL of the pages they’re hosted on:
例如,假设您正在测试 example.com 的一个子域名,该子域名在 bank.example.com 上处理银行功能。浏览 Web 应用程序的所有功能,单击所有链接,并记录所有状态更改选项以及它们托管的页面的 URL。
State-changing requests on bank.example.com
bank.example.com 上的状态更改请求
- Change password: bank.example.com/password_change
- Transfer balance: bank.example.com/transfer_money
- Unlink external account: bank.example.com/unlink
You should also check that the action can be achieved via clicks alone. Clickjacking allows you to forge only a user’s clicks, not their keyboard actions. Attacks that require users to explicitly type in values are possible, but generally not feasible because they require so much social engineering. For example, on this banking page, if the application requires users to explicitly type the recipient account and transfer amount instead of loading them from a URL parameter, attacking it with clickjacking would not be feasible.
你还应该确认该操作是否仅可通过点击实现。点击劫持仅能伪造用户点击而非键盘操作。攻击需要用户明确输入数值的情况是可能的,但通常并不可行,因为需要大量的社会工程。例如,在这个银行页面上,如果应用程序要求用户明确输入收款人账户和转账金额,而非从 URL 参数中加载,使用点击劫持攻击将不可行。
Step 2: Check the Response Headers
Then go through each of the state-changing functionalities you’ve found and revisit the pages that contain them. Turn on your proxy and intercept the HTTP response that contains that web page. See if the page is being served with the X-Frame-Options or Content-Security-Policy header.
然后,逐个检查您发现的改变状态的功能,并重新访问包含它们的页面。开启代理,并拦截包含该网页的 HTTP 响应。查看页面是否使用 X-Frame-Options 或 Content-Security-Policy 报头提供服务。
If the page is served without any of these headers, it may be vulnerable to clickjacking. And if the state-changing action requires users to be logged in when it is executed, you should also check if the site uses SameSite cookies. If it does, you won’t be able to exploit a clickjacking attack on the site’s features that require authentication.
如果页面没有添加这些头信息,则有可能存在点击劫持漏洞。如果状态改变操作需要在用户登录时执行,请检查站点是否使用 SameSite Cookie。如果是,则无法滥用需要身份验证的站点功能的点击劫持攻击。
Although setting HTTP response headers is the best way to prevent these attacks, the website might have more obscure safeguards in place. For example, a technique called frame-busting uses JavaScript code to check if the page is in an iframe, and if it’s framed by a trusted site. Frame-busting is an unreliable way to protect against clickjacking. In fact, frame-busting techniques can often be bypassed, as I will demonstrate later in this chapter.
虽然设置 HTTP 响应头是防止这些攻击的最佳方法,但网站可能会有更隐蔽的保护措施。例如,一种名为"frame-busting"的技术使用 JavaScript 代码检查页面是否处于 iframe 中,并且是否被受信任的站点框架。"frame-busting"是一种不可靠的防止点击劫持的方式。实际上,"frame-busting"技术经常被绕过,就像我后面在本章将演示的那样。
You can confirm that a page is frameable by creating an HTML page that frames the target page. If the target page shows up in the frame, the page is frameable. This piece of HTML code is a good template:
通过创建一个包含目标页面的框架 HTML 页面,您可以确认该页面是否可嵌入。如果目标页面出现在框架中,则页面是可嵌入的。以下是一个不错的 HTML 代码模板:
<HTML>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Web page is vulnerable to clickjacking if the iframe is populated with the target page!</p>
<iframe src="URL_OF_TARGET_PAGE" width="500" height="500"></iframe>
</body>
</html>Step 3: Confirm the Vulnerability
Confirm the vulnerability by executing a clickjacking attack on your test account. You should try to execute the state-changing action through the framed page you just constructed and see if the action succeeds. If you can trigger the action via clicks alone through the iframe, the action is vulnerable to clickjacking.
通过在您的测试账户上执行“点击劫持”攻击来确认漏洞。您应该尝试通过刚刚构建的框架页面执行状态更改操作,并查看该操作是否成功。如果您可以仅通过 iframe 上的点击触发该操作,则该操作易受点击劫持攻击。
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论