Clickjacking

JavaScript security is a big business and for all of the right reasons.  JavaScript lets us do incredible things on the front end but some of those incredible things are for evil.  Spyjax used to be one of those evil things but browsers seem to have figured that out.  One technique I've seen lately is clickjacking -- presenting a link as one URL but then changing the URL quickly to trick the user.  Let me show you what I've seen.


When visiting CNBC, I would occasionally command+click a link to a post to open it in a new window, but Google Chrome would refuse via the popup blocker.  That confused me -- I'm triggering a "native" action, why is the popup blocker hassling me?  Because CNBC was being gangsta:



<a href="/some-url" onmousedown="this.href='/some-other-url';">Misleading Link Title</a>


The href was set to one URL, but JavaScript rewrote it to the "bad" address on mousedown, so the destination changed before the user knew it: hovering the link shows the original href in the status bar, and the navigation (or the new window from a command+click) goes to the swapped one.  This is an incredibly shady practice with only one plausible purpose: gaming the user, and possibly search engines too.  Strictly speaking, the term clickjacking usually refers to UI redressing, where a transparent iframe is laid over a decoy page so that clicks land on controls the user cannot see; what is shown here is better described as link hijacking, but the effect on the user is the same: the click goes somewhere other than where it appeared to.
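To see how the swap works and how to spot it, here is an added example that is not from the original post or from CNBC's code: a small static scanner that runs in Node (no DOM needed), finds `<a>` tags in an HTML string, and flags inline mouse-event handlers that reassign the anchor's own href to something other than the displayed one. The sample page it scans is constructed for this example and its URLs are made up; `findHrefSwaps` and `parseAttrs` are names chosen here, not anything from the post.

```javascript
// Added example, not from the original post. A static scan for "swap the href on
// mousedown" anchors: the pattern quoted above, where the link the user sees in the
// status bar is not the one they are sent to. Runs in Node without a DOM.

// Constructed sample page for this example; all URLs are made up.
const SAMPLE_HTML = `
<a href="/some-url" onmousedown="this.href='/some-other-url';">Misleading Link Title</a>
<a href="/about" onclick="trackClick('about')">About</a>
<a href='/pricing' onmouseup="this.href='/pricing'">Pricing</a>
<a href="https://example.test/real" onmousedown="this.href='https://tracker.example.test/r?u=real'">Read more</a>
`;

// Matches each <a ...> opening tag and captures its attribute text. Deliberately simple:
// it will not cope with a literal '>' inside an attribute value.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// name="value", name='value' or name=value
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
// An assignment to the anchor's own href inside an inline handler, e.g. this.href='/x'
const HREF_SWAP_RE = /\b(?:this|event\.(?:current)?target)\.href\s*=\s*(['"])(.*?)\1/;
// Handlers that fire before or during the click, where a swap changes the destination
const MOUSE_EVENTS = ['onmousedown', 'onmouseup', 'onclick', 'onpointerdown', 'oncontextmenu'];

// Parse the attribute text of one tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per anchor whose inline mouse handler rewrites href to a
// different URL than the one the page displays. A handler that assigns the same
// URL back (the "/pricing" anchor in the sample) is not a swap and is not reported.
function findHrefSwaps(html) {
  const findings = [];
  ANCHOR_RE.lastIndex = 0;
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!('href' in attrs)) continue;
    for (const ev of MOUSE_EVENTS) {
      const handler = attrs[ev];
      if (!handler) continue;
      const swap = HREF_SWAP_RE.exec(handler);
      if (swap && swap[2] !== attrs.href) {
        findings.push({ event: ev, displayed: attrs.href, swappedTo: swap[2] });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(findHrefSwaps(SAMPLE_HTML), null, 2));
```

On the sample page this reports two anchors: the CNBC-style one (`/some-url` swapped to `/some-other-url` on mousedown) and the tracker redirect, while the plain `onclick` tracker and the no-op reassignment are left alone. Inline handlers are the easy case; a script that attaches the same listener with `addEventListener` will not show up in a static scan, so the runtime equivalent in a browser is to record `a.href` on mousedown and compare it with `a.href` when the click fires.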


It's impressive that Chrome detected CNBC's technique and blocked the click. Clickjacking could become a serious issue and I've lost a lot of trust in CNBC.  If you're participating in this practice, it may be best to stop -- the browsers are on to you.


Translated from: https://davidwalsh.name/clickjacking
