Clickjacking

•

2 recomendaciones•572 vistas

hackershow

以全台灣最大間的 BSP - 無名小站為例

Tecnología Diseño

怎麼樣的手法？我要強暴你的滑鼠在網站內的特定區塊上植入惡意的程式碼或 HTML 、 CSS 語法企圖改變網站原先應該呈現的內容，讓瀏覽者在不知情的情況下被導向到其他頁面或做不想做的事。

為何存在？目的為何？ ‧ 以為姜太空釣魚 ‧ 牧羊童去牧馬 ‧ 為了更多更多的資料 ‧ 景氣差拼現金我最愛 ‧ 無名正妹自拍視訊流出 ‧ 我家太陰了…沒人氣這個問題問的很好！

做菜，沒食材？去吃屎！主食材：一張透空的 GIF 圖片、無名小站帳號副食材： CSS 語法、你的大腦作法：看投影片。我們要用一種有點迂迴的手法來展示 Click jacking 的威力。

實作 Clickjacking(1) 先來利用影像處理軟體製作一張畫面透空的 GIF 圖片檔

實作 Clickjacking(2) 然後上傳圖片到你的無名相簿 ( 它真的有在畫面上！ )

實作 Clickjacking(3) 接著到你的無名網誌上發表一篇新文章插入剛上傳的透明圖片，並且幫它上一個連結 ( 看你想要讓瀏覽者被導向到哪裡去 )

實作 Clickjacking(4) 好，現在你的網誌上有一張透明的圖片存在了 ( 白框的就是透明圖片 )

實作 Clickjacking(5) 接下來，我們要利用 CSS 語法將這張圖片放到最大、將他放置在網頁最上方佔滿整個頁面，並且儲存該 CSS 語法註 1 ：讓 HTML 的所有元素可以放到最大註 2 ：將文章內的圖片元素，佔滿整個網頁

實作 Clickjacking( 完成 !) 儲存 CSS 語法後，回到網誌首頁。也許你目前看不出來有什麼異樣，但接下來你只要點到網頁上的任何一處，都會被帶到你所指定的頁面上！ ( 此時可以宣告你的滑鼠控制權完全被剝奪了。 )

這是一場攻與防的戰爭既然知道如何攻擊手法了，也要學著怎麼防守吧？ ( 假設您的網站 HTML 、 CSS 、外掛程式都必須提供給使用者使用 ) 除了搭配 HTML Filter ，還必須要利用 CSS 優先權的關係，另外製作一份 CSS 檔案讓網頁載入，讓惡意語法起不了作用。 ★★★★ CSS 、 HTML 語法混和攻擊實作 HTML Filter 建立標籤、屬性白名單，並且重構 HTML 語法。 ★★★☆ 透過變異的 HTML 語法進行攻擊嚴格審核 / 控管程式碼，只有審核通過的程式碼才能供使用者使用。至少出事的時候能找到作者負起責任。建議的解決方案 ★★ 透過 JavaScript, VBScript 等程式碼攻擊防守難度攻擊方式

我還有工作要做……因為想到 Schedule 就狂冒冷汗… 沒了 Author : 阿白 @HACKERSHOW MSN : [email_address] 為台灣資訊安全付出一點心力 2009/2/12

Más contenido relacionado

Destacado

Content Methodology: A Best Practices Report (Webinar)

contently

How to Prepare For a Successful Job Search for 2024

Albert Qian

A report by thenetworkone and Kurio. The contributing experts and agencies are (in an alphabetical order): Sylwia Rytel, Social Media Supervisor, 180heartbeats + JUNG v MATT (PL), Sharlene Jenner, Vice President - Director of Engagement Strategy, Abelson Taylor (USA), Alex Casanovas, Digital Director, Atrevia (ES), Dora Beilin, Senior Social Strategist, Barrett Hoffher (USA), Min Seo, Campaign Director, Brand New Agency (KR), Deshé M. Gully, Associate Strategist, Day One Agency (USA), Francesca Trevisan, Strategist, Different (IT), Trevor Crossman, CX and Digital Transformation Director; Olivia Hussey, Strategic Planner; Simi Srinarula, Social Media Manager, The Hallway (AUS), James Hebbert, Managing Director, Hylink (CN / UK), Mundy Álvarez, Planning Director; Pedro Rojas, Social Media Manager; Pancho González, CCO, Inbrax (CH), Oana Oprea, Head of Digital Planning, Jam Session Agency (RO), Amy Bottrill, Social Account Director, Launch (UK), Gaby Arriaga, Founder, Leonardo1452 (MX), Shantesh S Row, Creative Director, Liwa (UAE), Rajesh Mehta, Chief Strategy Officer; Dhruv Gaur, Digital Planning Lead; Leonie Mergulhao, Account Supervisor - Social Media & PR, Medulla (IN), Aurelija Plioplytė, Head of Digital & Social, Not Perfect (LI), Daiana Khaidargaliyeva, Account Manager, Osaka Labs (UK / USA), Stefanie Söhnchen, Vice President Digital, PIABO Communications (DE), Elisabeth Winiartati, Managing Consultant, Head of Global Integrated Communications; Lydia Aprina, Account Manager, Integrated Marketing and Communications; Nita Prabowo, Account Manager, Integrated Marketing and Communications; Okhi, Web Developer, PNTR Group (ID), Kei Obusan, Insights Director; Daffi Ranandi, Insights Manager, Radarr (SG), Gautam Reghunath, Co-founder & CEO, Talented (IN), Donagh Humphreys, Head of Social and Digital Innovation, THINKHOUSE (IRE), Sarah Yim, Strategy Director, Zulu Alpha Kilo (CA).

Social Media Marketing Trends 2024 // The Global Indie Insights

Kurio // The Social Media Age(ncy)

The search marketing landscape is evolving rapidly with new technologies, and professionals, like you, rely on innovative paid search strategies to meet changing demands. It’s important that you’re ready to implement new strategies in 2024. Check this out and learn the top trends in paid search advertising that are expected to gain traction, so you can drive higher ROI more efficiently in 2024. You’ll learn: - The latest trends in AI and automation, and what this means for an evolving paid search ecosystem. - New developments in privacy and data regulation. - Emerging ad formats that are expected to make an impact next year. Watch Sreekant Lanka from iQuanti and Irina Klein from OneMain Financial as they dive into the future of paid search and explore the trends, strategies, and technologies that will shape the search marketing landscape. If you’re looking to assess your paid search strategy and design an industry-aligned plan for 2024, then this webinar is for you.

Trends In Paid Search: Navigating The Digital Landscape In 2024

Search Engine Journal

From their humble beginnings in 1984, TED has grown into the world’s most powerful amplifier for speakers and thought-leaders to share their ideas. They have over 2,400 filmed talks (not including the 30,000+ TEDx videos) freely available online, and have hosted over 17,500 events around the world. With over one billion views in a year, it’s no wonder that so many speakers are looking to TED for ideas on how to share their message more effectively. The article “5 Public-Speaking Tips TED Gives Its Speakers”, by Carmine Gallo for Forbes, gives speakers five practical ways to connect with their audience, and effectively share their ideas on stage. Whether you are gearing up to get on a TED stage yourself, or just want to master the skills that so many of their speakers possess, these tips and quotes from Chris Anderson, the TED Talks Curator, will encourage you to make the most impactful impression on your audience. See the full article and more summaries like this on SpeakerHub here: https://speakerhub.com/blog/5-presentation-tips-ted-gives-its-speakers See the original article on Forbes here: http://www.forbes.com/forbes/welcome/?toURL=http://www.forbes.com/sites/carminegallo/2016/05/06/5-public-speaking-tips-ted-gives-its-speakers/&refURL=&referrer=#5c07a8221d9b

5 Public speaking tips from TED - Visualized summary

SpeakerHub

Everyone is in agreement that ChatGPT (and other generative AI tools) will shape the future of work. Yet there is little consensus on exactly how, when, and to what extent this technology will change our world. Businesses that extract maximum value from ChatGPT will use it as a collaborative tool for everything from brainstorming to technical maintenance. For individuals, now is the time to pinpoint the skills the future professional will need to thrive in the AI age. Check out this presentation to understand what ChatGPT is, how it will shape the future of work, and how you can prepare to take advantage.

ChatGPT and the Future of Work - Clark Boyd

Clark Boyd

Getting into the tech field. what next

Tessa Mero

Google's Just Not That Into You: Understanding Core Updates & Search Intent

Lily Ray

How to have difficult conversations

Rajiv Jayarajah, MAppComm, ACC

Introduction to Data Science

Christy Abraham Joy

Time Management & Productivity - Best Practices

Vit Horky

The six step guide to practical project management If you think managing projects is too difficult, think again. We’ve stripped back project management processes to the basics – to make it quicker and easier, without sacrificing the vital ingredients for success. “If you’re looking for some real-world guidance, then The Six Step Guide to Practical Project Management will help.” Dr Andrew Makar, Tactical Project Management

The six step guide to practical project management

MindGenius

Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...

RachelPearson36

During this webinar, Anand Bagmar demonstrates how AI tools such as ChatGPT can be applied to various stages of the software development life cycle (SDLC) using an eCommerce application case study. Find the on-demand recording and more info at https://applitools.info/b59 Key takeaways: • Learn how to use ChatGPT to add AI power to your testing and test automation • Understand the limitations of the technology and where human expertise is crucial • Gain insight into different AI-based tools • Adopt AI-based tools to stay relevant and optimize work for developers and testers * ChatGPT and OpenAI belong to OpenAI, L.L.C.

Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...

Applitools

12 Ways to Increase Your Influence at Work

GetSmarter

ChatGPT webinar slides

Alireza Esmikhani

More than Just Lines on a Map: Best Practices for U.S Bike Routes

Project for Public Spaces & National Center for Biking and Walking

Has your project been caught in a storm of deadlines, clashing requirements, and the need to change course halfway through? If yes, then check out how the administration team navigated through all of this, relocating 160 people from 3 countries and opening 2 offices during the most turbulent time in the last 20 years. Belka Games’ Chief Administrative Officer, Katerina Rudko, will share universal approaches and life hacks that can help your project survive unstable periods when there seem to be too many tasks and a lack of time and people.

Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...

DevGAMM Conference

Barbie - Brand Strategy Presentation

Erica Santiago

According to the latest State of the American Manager report from Gallup, employees who have regular meetings with their managers are almost three times as likely to be engaged as those who don’t. These regular check-ins keep managers and employees in sync and aligned. Want to see better manager/employee relationships in your organisation? Then make an all-in commitment to 1:1 meetings. Not sure how? You’ve come to the right place. In this webinar with Jamie Resker, Founder and Practice Leader for Employee Performance Solutions (EPS), and Teala Wilson, Talent Management Consultant at Saba Software, you’ll get the inside track on how to hold effective 1:1 meetings, including tips for getting managers on board. • Go beyond discussing the status of everyday work to higher level topics, including recognition, performance, development, and career aspirations • Learn how to decide meeting frequency, what to cover, as well as roles and responsibilities of the manager and employee • Understand how managers can build trust and make it comfortable for employees to provide upward feedback • Unite your organisation with a unified approach to 1:1 meetings Join us for this 1-hour webinar to get practical tips for building better manager-employee relationships with intention and purpose. About the Speakers Jamie Resker - Founder and Practice Leader for Employee Performance Solutions (EPS) Jamie Resker, Practice Leader and Founder of Employee Performance Solutions, is a recognized innovator in performance management. She is the originator of the-the Performance Continuum Feedback Method® and Conversations to Optimize Employee Performance training program; tools and training that reshape communications between managers and employees to drive and align performance. Jamie is on the faculty for the Northeast Human Resources Association, is a contributor to Halogen Software's Talent Space Blog, and is an editorial advisory board member for HR Examiner. Teala Wilson - Senior Consultant, Strategic Services, Saba Software Teala is a Talent Management Consultant at Halogen Software, now a part of Saba Software. She has worked with teams on a national and global level supporting human resources in areas such as performance management, recruitment, employee benefit programs, training and talent development, workforce planning and internal communications. Teala also has a personal passion for visual arts and design. Want to learn more? Join us for an upcoming Product Tour! http://bit.ly/2yitfqu

Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well

Saba Software

Destacado (20)

Content Methodology: A Best Practices Report (Webinar)

How to Prepare For a Successful Job Search for 2024

Social Media Marketing Trends 2024 // The Global Indie Insights

Trends In Paid Search: Navigating The Digital Landscape In 2024

5 Public speaking tips from TED - Visualized summary

ChatGPT and the Future of Work - Clark Boyd

Getting into the tech field. what next

Google's Just Not That Into You: Understanding Core Updates & Search Intent

How to have difficult conversations

Introduction to Data Science

Time Management & Productivity - Best Practices

The six step guide to practical project management

Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...

Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...

12 Ways to Increase Your Influence at Work

ChatGPT webinar slides

More than Just Lines on a Map: Best Practices for U.S Bike Routes

Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...

Barbie - Brand Strategy Presentation

Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well

Clickjacking

1. Click jacking 以全台灣最大間的 BSP 無名小站為例 http://www.w retch .cc 阿白就甘心系列

2. 什麼是 Clickjacking? 一種妨礙瀏覽者瀏覽網頁的手法

3. 怎麼樣的手法？我要強暴你的滑鼠在網站內的特定區塊上植入惡意的程式碼或 HTML 、 CSS 語法企圖改變網站原先應該呈現的內容，讓瀏覽者在不知情的情況下被導向到其他頁面或做不想做的事。

4. 為何存在？目的為何？ ‧ 以為姜太空釣魚 ‧ 牧羊童去牧馬 ‧ 為了更多更多的資料 ‧ 景氣差拼現金我最愛 ‧ 無名正妹自拍視訊流出 ‧ 我家太陰了…沒人氣這個問題問的很好！

5. 以無名小站為例，實作一下吧 ! 幹

6. 做菜，沒食材？去吃屎！主食材：一張透空的 GIF 圖片、無名小站帳號副食材： CSS 語法、你的大腦作法：看投影片。我們要用一種有點迂迴的手法來展示 Click jacking 的威力。

7. 實作 Clickjacking(1) 先來利用影像處理軟體製作一張畫面透空的 GIF 圖片檔

8. 實作 Clickjacking(2) 然後上傳圖片到你的無名相簿 ( 它真的有在畫面上！ )

9. 實作 Clickjacking(3) 接著到你的無名網誌上發表一篇新文章插入剛上傳的透明圖片，並且幫它上一個連結 ( 看你想要讓瀏覽者被導向到哪裡去 )

10. 實作 Clickjacking(4) 好，現在你的網誌上有一張透明的圖片存在了 ( 白框的就是透明圖片 )

11. 實作 Clickjacking(5) 接下來，我們要利用 CSS 語法將這張圖片放到最大、將他放置在網頁最上方佔滿整個頁面，並且儲存該 CSS 語法註 1 ：讓 HTML 的所有元素可以放到最大註 2 ：將文章內的圖片元素，佔滿整個網頁

12. 實作 Clickjacking( 完成 !) 儲存 CSS 語法後，回到網誌首頁。也許你目前看不出來有什麼異樣，但接下來你只要點到網頁上的任何一處，都會被帶到你所指定的頁面上！ ( 此時可以宣告你的滑鼠控制權完全被剝奪了。 )

13. 這是一場攻與防的戰爭既然知道如何攻擊手法了，也要學著怎麼防守吧？ ( 假設您的網站 HTML 、 CSS 、外掛程式都必須提供給使用者使用 ) 除了搭配 HTML Filter ，還必須要利用 CSS 優先權的關係，另外製作一份 CSS 檔案讓網頁載入，讓惡意語法起不了作用。 ★★★★ CSS 、 HTML 語法混和攻擊實作 HTML Filter 建立標籤、屬性白名單，並且重構 HTML 語法。 ★★★☆ 透過變異的 HTML 語法進行攻擊嚴格審核 / 控管程式碼，只有審核通過的程式碼才能供使用者使用。至少出事的時候能找到作者負起責任。建議的解決方案 ★★ 透過 JavaScript, VBScript 等程式碼攻擊防守難度攻擊方式

14. 最後 ‧ ‧ ‧ ‧ ‧

15. 我還有工作要做……因為想到 Schedule 就狂冒冷汗… 沒了 Author : 阿白 @HACKERSHOW MSN : [email_address] 為台灣資訊安全付出一點心力 2009/2/12

Clickjacking

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (20)

Clickjacking