网络钓鱼和 CSS 立场:绝对

发布于 2024-10-19 00:19:18 字数 79 浏览 6 评论 0原文

CSS position:absolute 规则实际上如何帮助网络钓鱼?

有人可以帮我吗,我很困惑:(

How CSS position:absolute rule actually helps phishing?

Can someone help me out, I'm confused :(

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

绳情 2024-10-26 00:19:18

此处查找名为“覆盖页面内容”的部分。

与其说绝对定位“帮助”网络钓鱼,不如说汽车“帮助”醉酒驾驶。但它是一个可用于恶意目的的工具。

例如,假设您正在运行一个网站,用户可以登录并发表评论。还假设您没有正确清理输入和输出,并且用户确定他可以随心所欲地发布纯 HTML 内容。他决定制作一个帖子,其中包含一个绝对定位的 div,它完全相同地模仿您的登录表单,并位于其顶部,遮盖您的表单。他的新表单将登录凭据发布到他的网站而不是您的网站,并将用户重定向回您的页面。

用户在不怀疑任何事情发生变化的情况下输入他们的登录凭据。他们再次看到相同的页面。也许他们会再试一次,也许他们会点击“忘记密码”,也许他们会放弃,等等。无论哪种方式,他现在都拥有了他们的登录凭据。您的任何用户是否使用与登录电子邮件相同的凭据在您的网站上注册?他们的雇主?他们的银行?

基本上,不安全的网站和一些精心设计的绝对定位内容的结合损害了用户。

Look for a section called "Overriding Page Content" here.

It's not so much that absolute positioning "helps" phishing, not any more than cars "help" drunk driving. But it is a tool that can be used for malicious purposes.

For example, say you're running a website where users can login and post comments. Say also that you don't properly sanitize your input and output and a user determines that he can post pure HTML content to his heart's content. He decides to craft a post which includes an absolute-positioned div which mimics your login form identically and is positioned on top of it, obscuring your form. His new form posts the login credentials to his site instead of yours, and redirects the users back to your page.

The users, not suspecting anything has changed, enter their login credentials. They're presented with the same page again. Maybe they try again, maybe they click on "forgot password," maybe they give up, etc. Either way, he now has their login credentials. Did any of your users register on your site with the same credentials they use to login to their email? Their employer? Their bank?

Basically, the combination of an insecure website and some crafted absolutely-positioned content compromised the users.

静若繁花 2024-10-26 00:19:18

网络钓鱼的要点是通过欺骗用户我们是合法的/xss等来提取信息。

绝对位置允许您突破位置并做所有事情,想想您将如何使用它来欺骗用户。

规则本身并不是坏事,也不是罪魁祸首,而是网站和用户本身的安全。

我没有给你答案,但如果你不懒的话,你会自己在这里找到答案

the point of phishing is extracting information by fooling the user that we are legit / xss etc.

position absolute allows you to break out of the position and do everything, think how you would use that to fool the user.

the rule itself is not bad or to blame but the security of sites and users themselves.

i didnt give you an answer but if youre not lazy youll find it here yourself

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文