Java client cross-frame scripting attack resolution
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/27782673/
Client Cross Frame Scripting Attack resolution
Asked by Tushar
We have developed a new application, and before moving the changes we did a static scan of the code using Checkmarx. There is a medium-level vulnerability found in the code, named Client Cross Frame Scripting Attack.
This is detected at the first line of the JSP page:
<!DOCTYPE html>
Can you please help me understand this attack and what should be done to eliminate it?
Answered by adar
The Client Cross Site Scripting Attack query finds whether the page protects itself against being embedded in an IFrame. It searches for conditions such as:
    if (top != self)
    if (top.location != location)
    if (top.frames.length != 0)
and so on.
This specific file, I believe, has no such conditions, so it MOST LIKELY does not protect itself, and this is why the query has found and marked it. Since we are looking for a missing line here, the result just shows you the file, and cannot show you where the problem is.
Hope it helps,
Adar from Checkmarx.
Answered by Serj Sagan
For more depth on this issue, and to actually fix the Cross-Frame Scripting problem, check out https://css-tricks.com/snippets/javascript/break-out-of-iframe/
Basically, throw this into your parent-most layout file (_Layout.cshtml in C# MVC):
    (function (window) { // Prevent Cross-Frame Scripting attacks
        // When the page is not framed, window.top === window, so both sides
        // are the same Location object and nothing happens.
        if (window.location !== window.top.location)
            // Framed: navigate the top-level window to this page, breaking out of the frame.
            window.top.location = window.location;
    })(this); // at top-level script scope, `this` is the window
Answered by ronak soni
Just add the following piece of code in your HTML file.
    <!-- Hide the whole page by default; the script below reveals it only when not framed -->
    <style id='antiClickjack'>
        body{display:none !important;}
    </style>
    <script type='text/javascript'>
        if (self === top) {
            // Not framed: remove the hiding style so the page renders normally.
            var antiClickjack = document.getElementById('antiClickjack');
            antiClickjack.parentNode.removeChild(antiClickjack);
        } else {
            // Framed: break out by navigating the top-level window to this page.
            // If that navigation is blocked, the body stays hidden, so nothing is clickable.
            top.location = self.location;
        }
    </script>
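What actually removes the exposure for a JSP application is telling the browser in the HTTP response that the page may not be framed, rather than relying on the JavaScript in the two answers above alone: a frame-buster only runs if the framing page lets the script run and lets it navigate the top-level window, whereas the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers are enforced by the browser before any of the page's script executes. The servlet filter below is an added example written for this page, not code from the question, the answers or Checkmarx; the filter name, the `/*` URL pattern and the choice of `DENY` / `'none'` are assumptions, and it targets the `javax.servlet` API that a JSP application of this era would use.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Anti-framing filter (hypothetical name, added example): applied to every response so that
 * browsers refuse to render the application's pages inside a frame on another site.
 * Registered by annotation; an equivalent <filter> entry in web.xml works for older containers.
 */
@WebFilter(filterName = "FrameProtectionFilter", urlPatterns = "/*")
public class FrameProtectionFilter implements Filter {

    /** Legacy header understood by all mainstream browsers; DENY forbids framing even by the same origin. */
    static final String X_FRAME_OPTIONS = "DENY";

    /** CSP equivalent, preferred by modern browsers when both are present; 'none' likewise forbids all framing. */
    static final String CSP_FRAME_ANCESTORS = "frame-ancestors 'none'";

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed for this example.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the headers BEFORE the chain renders the JSP: once the response is committed
            // (a JSP may flush its buffer early), headers can no longer be added.
            http.setHeader("X-Frame-Options", X_FRAME_OPTIONS);
            http.setHeader("Content-Security-Policy", CSP_FRAME_ANCESTORS);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Two points to check before deploying it: `setHeader` replaces any `Content-Security-Policy` the application already sends, so if one exists, append `frame-ancestors 'none'` to that policy instead of overwriting it; and if the application legitimately frames its own pages, use `SAMEORIGIN` and `frame-ancestors 'self'` rather than the values above. Confirm the result by fetching the JSP with `curl -I` and checking that both headers are present. Because the Checkmarx query described in the first answer looks for the JavaScript conditions, a header-only fix may still be reported by the scanner; in that case the finding is mitigated at the server and should be triaged as such rather than by adding script.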