开发者

Getting Past Facebooks Iframe Block

Well on Facebook they seem to have a 开发者_运维技巧block which prevents you from loading an iframe of their website.

When you do, they lock complete functionality of their website example.

I'm just wondering if anyone knows how you could bypass this?


If they did not prevent this, an attacker could load Facebook pages into an transparent iframe and put something interesting below it. Lets asume a victim has logged in to facebook and then visits the website of the attacker (after some time, in another tab).

The victim will click on something on the attacker's website. But in fact it is clicking onto the transparent iframe and triggering some action on the facebook website. The browser will of course sent the session cookie to Facebook and Facebook sees a legitimate action by an logged in user.

Wikipedia has an article on Clickjacking: http://en.wikipedia.org/wiki/Clickjacking

This attack can be prevented using the unofficial X-Frame-Option http header as described on http://www.webmasterworld.com/webmaster/4022867.htm Unfortunately not all browsers support it, so a frame breaking java script is required, too.


If you can do that, facebook faces a serious security threat.

I say forget it, even if a method is found, facebook would soon block it, and the method will fail then.

Unless, you are doing something naughty and you only need something that works now.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜