如何在 Java 应用程序中防止帧注入(点击劫持)?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/29845714/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to prevent frame injection (clickHymaning) in java application?
提问by Hargovind Singh
How can we prevent frame injection in Java application?
我们如何防止 Java 应用程序中的帧注入?
Like in a Penetration testing, it is found that if a hacker drafts a demo html page, and inside that page he has used iframe, which has the URL of the working application, he/she can see the data through that URL/request(created in an iframe).
就像在渗透测试中一样,发现如果黑客草拟了一个演示 html 页面,并且在该页面中他使用了具有工作应用程序 URL 的 iframe,他/她可以通过该 URL/请求看到数据(在 iframe 中创建)。
suppose this is the hackers file, test.html:
假设这是黑客文件 test.html:
<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head><body>
<iframe id="inner" src="http://hostname:8080/Application_Name/ABC/DEF/SomePage.jsp?ABC=QWERTYL&XYZ=1&CDE=24" width="600" height="400" scrolling="yes">
</iframe>
</body>
</html>
And now the hacker is able to retrieve the data within the application. How to stop this?
现在黑客能够检索应用程序中的数据。如何阻止这个?
回答by mies
This is clickHymaning attack: https://www.owasp.org/index.php/ClickHymaningThe simpliest way to prevent it is to add header "X-Frame-Options" with value "DENY". This can be done using filter. Register it in your web.xml and use code like this:
这是点击劫持攻击:https://www.owasp.org/index.php/ClickHymaning 防止它的最简单方法是添加值为“DENY”的标题“X-Frame-Options”。这可以使用filter来完成。在您的 web.xml 中注册它并使用如下代码:
@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException,
ServletException {
HttpServletResponse response = (HttpServletResponse) resp;
response.addHeader("X-Frame-Options", "DENY");
chain.doFilter(req, resp);
}
All modern browsers support this header, but to protect users with legacy browsers you will need also defensive javascript in the UI. More details: https://www.owasp.org/index.php/ClickHymaning_Defense_Cheat_Sheet
所有现代浏览器都支持此标头,但为了保护使用旧版浏览器的用户,您还需要在 UI 中使用防御性 javascript。更多详情:https: //www.owasp.org/index.php/ClickHymaning_Defense_Cheat_Sheet
