CN111131223B - Test method and device for click hijacking - Google Patents

Info

Publication number: CN111131223B (application CN201911327884.0A)
Authority: CN (China)
Prior art keywords: click, testing, exists, hijacking, vulnerability
Legal status: Active (the status listed by Google is an assumption, not a legal conclusion)
Application number: CN201911327884.0A
Other languages: Chinese (zh)
Other versions: CN111131223A (en)
Inventor: 马玉斌
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd (the listed assignees may be inaccurate; Google has performed no legal analysis)
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd
Application filed by: Suzhou Inspur Intelligent Technology Co Ltd
Priority date: 2019-12-20 (an assumption, not a legal conclusion)
Filing date: 2019-12-20
Publication dates: CN111131223A on 2020-05-08; CN111131223B (grant) on 2022-12-20
Anticipated expiration: not listed

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The embodiment of the invention discloses a method and a device for testing click hijacking (clickjacking). The method comprises: creating an HTTP session, acquiring the target webpage source code, and checking whether the security field X-Frame-Options exists in the response header; checking the tags in the webpage source code and judging whether an iframe form exists in the tags; searching whether a button exists in the tags; and deciding from these results, in that order, whether to test for a click hijacking vulnerability. The invention analyzes the necessary conditions for click hijacking to occur and verifies them before testing; a webpage that does not satisfy them is proved to carry no click hijacking risk, so the buttons in its tags need not be tested, testing time is saved, and testing efficiency is greatly improved.

Description

Test method and device for click hijacking
Technical Field
The invention relates to the technical field of vulnerability defense, and in particular to a method and a device for testing click hijacking.
Background
Click hijacking is a visual deception technique: an attacker covers a webpage with a transparent, invisible iframe and then induces the user to operate on the visible page, so that the user unknowingly clicks on the transparent iframe page. The transparent page may contain dangerous actions such as making a payment or downloading a trojan, but the user cannot see it; what the user sees is the seemingly secure website the attacker wants them to see. The attacker adjusts the position of the iframe page through CSS so that the user is induced to click exactly on the functional buttons of the iframe page, which completes the attack.
Traditional click hijacking detection traverses the buttons of a webpage, tests every button one by one and matches the data of each page one by one, so its testing efficiency is low.
Disclosure of Invention
The embodiment of the invention provides a method and a device for testing click hijacking, which aim to solve the problem of low testing efficiency in the prior art.
To solve this technical problem, the embodiment of the invention discloses the following technical scheme.
In a first aspect, the invention provides a method for testing click hijacking, comprising the following steps:
creating an HTTP session, acquiring the target webpage source code, and checking whether the security field X-Frame-Options exists in the response header;
if the security field does not exist, checking the tags in the webpage source code and judging whether an iframe form exists in the tags;
if an iframe form exists, searching whether a button exists in the tags;
if not, no click hijacking risk exists; if yes, a click hijacking risk is flagged.
Further, the target webpage source code is acquired by a web crawler, and whether the security field exists is checked by regular-expression matching.
Further, the specific process of searching whether a button exists in the tags is as follows:
defining a button keyword, i.e. a keyword that a button necessarily contains;
searching whether the button keyword exists in the webpage source code;
if so, a button exists; otherwise no button exists.
Further, after the click hijacking risk is flagged, the method further comprises the following step:
testing whether a click hijacking vulnerability exists.
Further, one specific process for testing whether the click hijacking vulnerability exists is as follows:
performing a whitelist library collision test on all buttons of the current webpage, i.e. matching every button against a whitelist library; if all buttons are in the whitelist, the current webpage has no click hijacking vulnerability, otherwise it has one.
Further, another specific process for testing whether the click hijacking vulnerability exists is as follows:
performing a simulated click test on all buttons of the current webpage; if all buttons prove safe after the simulated click, the current webpage has no click hijacking vulnerability, otherwise it has one.
In a second aspect, the invention provides a device for testing click hijacking, comprising:
a pre-testing module, used to acquire the source code of the target webpage, judge in sequence whether the security field X-Frame-Options, an iframe form and a button exist, and decide from the judgment results whether to perform vulnerability testing;
and a vulnerability testing module, used to test all buttons in the webpage for vulnerabilities and judge whether the current webpage has a click hijacking vulnerability.
Further, the pre-testing module comprises:
a first pre-testing unit, used to check whether the security field exists in the response header; if so, the test ends, and if not, control passes to the second pre-testing unit;
a second pre-testing unit, used to judge whether an iframe form exists in the tags; if not, the test ends, and if so, control passes to the third pre-testing unit;
and a third pre-testing unit, used to judge whether a button exists in the tags; if not, the test ends, and if so, control passes to the vulnerability testing module.
Further, the vulnerability testing module comprises:
a whitelist library collision testing unit, used to perform a whitelist library collision test on all buttons of the current webpage and judge whether the current webpage has a click hijacking vulnerability.
Further, the vulnerability testing module comprises:
a simulated click testing unit, used to perform a simulated click on all buttons of the current webpage and judge whether the current webpage has a click hijacking vulnerability.
The device for testing click hijacking of the second aspect can implement the method of the first aspect and its implementation manners, and achieves the same effects.
The effects stated in this summary are only those of the embodiments, not all effects of the invention; the technical solutions above have the following advantages or beneficial effects:
by analyzing the conditions necessary for click hijacking to occur, the method first checks, before the vulnerability test, whether those necessary conditions hold: the security field is absent, an iframe exists in the tags, and a button exists in the tags. If they do not all hold, the webpage is proved to carry no click hijacking risk and its buttons need not be tested one by one, so testing time is saved and testing efficiency is greatly improved.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present invention, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
FIG. 1 is a schematic flow diagram of the process of the present invention;
FIG. 2 is a schematic structural diagram of embodiment 1 of the device of the present invention;
FIG. 3 is a schematic structural diagram of embodiment 2 of the device of the present invention.
Detailed Description
In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Moreover, the present disclosure may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
The necessary conditions for click hijacking are: (1) an iframe tag is present, and (2) a button is present. In addition, X-Frame-Options prevents click hijacking by forbidding the page from being loaded in an iframe, so (3) the presence of X-Frame-Options is a sufficient, though not necessary, condition for the absence of click hijacking. Only once it must be formally determined whether a click hijacking vulnerability exists is the traditional testing method used. In practice, most webpages can already be filtered out on the basis of the button and iframe checks.
As shown in FIG. 1, the method for testing click hijacking of the present invention comprises the following steps:
creating an HTTP session, acquiring the target webpage source code, and checking whether the security field X-Frame-Options exists in the response header;
if yes, no click hijacking risk exists; if not, the next step is executed;
checking the tags in the webpage source code and judging whether an iframe form exists in the tags;
if not, no click hijacking risk exists; if yes, the next step is executed;
searching whether a button exists in the tags;
if not, no click hijacking risk exists; if yes, a click hijacking risk is flagged.
Click hijacking relies on covering a webpage with an iframe and completes the attack through a series of operations that lure the user into clicking buttons, while the security field X-Frame-Options in the response header is the option that forbids loading the page in a frame. We therefore first check whether the security field X-Frame-Options exists in the response header.
The HTTP session can be established with existing tools such as a packet capture tool, a packet sending tool or a browser; the target webpage source code is obtained by a web crawler; and whether the security field exists is judged by regular-expression matching or by a distance vector.
The website source code is then inspected through the HTTP session tool to judge whether the tags exist, and the tags of the session's webpage source code are searched for an iframe form.
Whether a button exists in the tags is searched by combining the crawler with regular matching, where the crawler is a tool that automatically fetches webpage responses and regular matching searches the file for keywords according to a specified pattern string. The specific process is as follows:
defining a button keyword, i.e. a keyword that a button necessarily contains;
searching whether the button keyword exists in the webpage source code;
if so, a button exists; otherwise no button exists.
In this embodiment the security field, the iframe and the button are verified in that order, which markedly improves testing efficiency: as long as the security field exists in the webpage, no click hijacking risk can exist, and checking the security field is far less work than checking the buttons.
The need for the iframe check is illustrated by the following case: an HTML file contains a button attribute and the security response header is absent. Without the iframe check, a click hijacking test would have to be carried out; but the HTML file contains no iframe tag, so under this scheme no click hijacking test is needed. The present invention improves testing efficiency for such cases.
After the click hijacking risk has been flagged, whether a click hijacking vulnerability actually exists is then tested.
There are two ways to test whether a click hijacking vulnerability exists. The first is as follows:
performing a whitelist library collision test on all buttons of the current webpage, i.e. matching every button against a whitelist library; if all buttons are in the whitelist, the current webpage has no click hijacking vulnerability, otherwise it has one.
The second way to test whether a click hijacking vulnerability exists is as follows:
performing a simulated click test on all buttons of the current webpage; if all buttons prove safe after the simulated click, the current webpage has no click hijacking vulnerability, otherwise it has one.
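As an added example, not code from the patent or from Suzhou Inspur, the pre-test of FIG. 1 and the whitelist library collision test just described, written in Python over a constructed response. It assumes the page has already been fetched, so a response is represented as a header dict plus the HTML body and the block runs offline. The button keyword (`<button>`, and `<input>` with type button, submit or image), the way a button is labelled (id, else name, else text or value), the sample pages and the whitelist contents are all my choices, and treating a Content-Security-Policy `frame-ancestors` directive as equivalent to the X-Frame-Options security field is an extension beyond the page. The simulated click test is not shown, since it needs a browser.

```python
"""Clickjacking pre-test and whitelist collision test, following the patent's steps.

Added example; not code from the patent or its assignee. A response is a
header dict plus the HTML body, so no network access is needed.
"""
from __future__ import annotations

import re
from typing import Iterable

# Verdicts returned by pretest(); the wording is mine.
NO_RISK_HEADER = "no risk: security field present"
NO_RISK_NO_IFRAME = "no risk: no iframe in page"
NO_RISK_NO_BUTTON = "no risk: no button in page"
RISK = "risk: proceed to vulnerability test"

# Button-like elements in document order: <button ...>text</button> or <input ...>.
ELEMENT_RE = re.compile(r"<button\b([^>]*)>(.*?)</button>|<input\b([^>]*)>", re.I | re.S)
# "Button keyword" for <input>: the type values that render as a clickable button (my choice).
INPUT_TYPE_RE = re.compile(r"\btype\s*=\s*[\"']?(?:button|submit|image)\b", re.I)
IFRAME_RE = re.compile(r"<iframe\b", re.I)


def has_security_field(headers: dict) -> bool:
    """Step 1: X-Frame-Options present. Extension beyond the page (my assumption):
    a CSP frame-ancestors directive is accepted as the equivalent modern control."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-frame-options" in lower:
        return True
    csp = lower.get("content-security-policy", "")
    return re.search(r"(?:^|;)\s*frame-ancestors\b", csp, re.I) is not None


def _attr(attrs: str, name: str) -> str:
    """Value of a quoted attribute, or '' if absent (data-id etc. do not count)."""
    m = re.search(rf"(?<![\w-]){name}\s*=\s*([\"'])(.*?)\1", attrs, re.I)
    return m.group(2) if m else ""


def extract_buttons(html: str) -> list[str]:
    """Step 3 helper: one label per button (id, else name, else text/value)."""
    labels = []
    for m in ELEMENT_RE.finditer(html):
        if m.group(1) is not None:  # <button>...</button>
            attrs, inner = m.group(1), m.group(2)
            text = re.sub(r"<[^>]+>", "", inner).strip()
            labels.append(_attr(attrs, "id") or _attr(attrs, "name") or text)
        elif INPUT_TYPE_RE.search(m.group(3)):  # <input type=button|submit|image>
            attrs = m.group(3)
            labels.append(_attr(attrs, "id") or _attr(attrs, "name")
                          or _attr(attrs, "value") or "input")
    return labels


def pretest(headers: dict, html: str) -> str:
    """The patent's three checks in order; stops at the first one that clears the page."""
    if has_security_field(headers):
        return NO_RISK_HEADER
    if not IFRAME_RE.search(html):
        return NO_RISK_NO_IFRAME
    if not extract_buttons(html):
        return NO_RISK_NO_BUTTON
    return RISK


def whitelist_test(html: str, whitelist: Iterable[str]) -> list[str]:
    """Whitelist collision test: returns the buttons NOT in the whitelist.
    An empty list means every button is whitelisted, i.e. no vulnerability per the patent."""
    allowed = set(whitelist)
    return [b for b in extract_buttons(html) if b not in allowed]


def run_pipeline(headers: dict, html: str, whitelist: Iterable[str]) -> tuple[str, list[str]]:
    """Pre-test first; only a RISK verdict triggers the button-level test."""
    verdict = pretest(headers, html)
    if verdict != RISK:
        return verdict, []
    offenders = whitelist_test(html, whitelist)
    return ("vulnerable" if offenders else "no vulnerability"), offenders


# Constructed sample responses; not taken from the patent.
OPEN_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAFE_HEADERS = {**OPEN_HEADERS, "X-Frame-Options": "DENY"}
PAGE_WITH_IFRAME = """<html><body>
<iframe src="https://example.test/widget"></iframe>
<form action="/pay" method="post">
  <button id="confirm-pay">Confirm <b>payment</b></button>
  <input type="submit" name="cancel" value="Cancel">
  <input type="hidden" name="csrf" value="token">
</form></body></html>"""
PAGE_NO_IFRAME = "<html><body><button id='ok'>OK</button></body></html>"
WHITELIST = {"cancel", "search"}  # buttons known to be harmless on this site (constructed)

if __name__ == "__main__":
    print(pretest(SAFE_HEADERS, PAGE_WITH_IFRAME))
    print(pretest(OPEN_HEADERS, PAGE_NO_IFRAME))
    print(run_pipeline(OPEN_HEADERS, PAGE_WITH_IFRAME, WHITELIST))
```

The order of the checks is the patent's: one header lookup clears a protected page before any HTML is parsed, and only a page that reaches the `RISK` verdict has its buttons matched against the whitelist.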
As shown in FIG. 2 and FIG. 3, the click hijacking test device of the present invention comprises a pre-testing module 1 and a vulnerability testing module 2. The pre-testing module 1 is configured to acquire the source code of the target webpage, judge in sequence whether the security field X-Frame-Options, an iframe form and a button exist, and decide from the judgment results whether to perform a vulnerability test. The vulnerability testing module 2 is configured to test all buttons in the webpage for vulnerabilities and judge whether the current webpage has a click hijacking vulnerability.
The pre-testing module 1 comprises a first pre-testing unit 11, a second pre-testing unit 12 and a third pre-testing unit 13. The first pre-testing unit 11 is configured to check whether the security field exists in the response header; if yes, the test ends, and if not, control passes to the second pre-testing unit. The second pre-testing unit 12 is configured to judge whether an iframe form exists in the tags; if not, the test ends, and if so, control passes to the third pre-testing unit. The third pre-testing unit 13 is configured to judge whether a button exists in the tags; if not, the test ends, and if so, control passes to the vulnerability testing module.
The vulnerability testing module 2 comprises a whitelist library collision testing unit 21, which is configured to perform a whitelist library collision test on all buttons of the current webpage and judge whether the current webpage has a click hijacking vulnerability.
The vulnerability testing module 2 also comprises a simulated click testing unit 22, which is configured to perform a simulated click on all buttons of the current webpage and judge whether the current webpage has a click hijacking vulnerability.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, it is not intended to limit the scope of the present invention, and it should be understood by those skilled in the art that various modifications and variations can be made without inventive efforts by those skilled in the art based on the technical solution of the present invention.

Claims (9)

1. A test method for click hijacking, characterized by comprising the following steps:
creating an HTTP session, acquiring the target webpage source code, and checking whether the security field X-Frame-Options exists in the response header;
if the security field does not exist, checking the tags in the webpage source code and judging whether an iframe form exists in the tags;
if an iframe form exists, searching whether a button exists in the tags;
if not, no click hijacking risk exists; if yes, a click hijacking risk is flagged.
2. The method according to claim 1, wherein the target webpage source code is acquired by a web crawler, and whether the security field exists is checked by regular-expression matching.
3. The method for testing click hijacking according to claim 1, wherein the specific process of searching whether a button exists in the tags is as follows:
defining a button keyword, i.e. a keyword that a button necessarily contains;
searching whether the button keyword exists in the webpage source code;
if so, a button exists; otherwise no button exists.
4. The method for testing click hijacking according to any one of claims 1 to 3, wherein after the click hijacking risk is flagged, the method further comprises the following step:
testing whether a click hijacking vulnerability exists.
5. The method for testing click hijacking according to claim 4, wherein the specific process of testing whether the click hijacking vulnerability exists is as follows:
performing a whitelist library collision test on all buttons of the current webpage, i.e. matching every button against a whitelist library; if all buttons are in the whitelist, the current webpage has no click hijacking vulnerability, otherwise it has one.
6. The method for testing click hijacking according to claim 4, wherein the specific process of testing whether the click hijacking vulnerability exists is as follows:
performing a simulated click test on all buttons of the current webpage; if all buttons prove safe after the simulated click, the current webpage has no click hijacking vulnerability, otherwise it has one.
7. A test device for click hijacking, the device comprising:
a pre-testing module, used to acquire the source code of the target webpage, judge in sequence whether the security field X-Frame-Options, an iframe form and a button exist, and decide from the judgment results whether to perform vulnerability testing;
a vulnerability testing module, used to test all buttons in the webpage for vulnerabilities and judge whether the current webpage has a click hijacking vulnerability;
wherein the pre-testing module comprises:
a first pre-testing unit, used to check whether the security field exists in the response header; if so, the test ends, and if not, control passes to the second pre-testing unit;
a second pre-testing unit, used to judge whether an iframe form exists in the tags; if not, the test ends, and if so, control passes to the third pre-testing unit;
and a third pre-testing unit, used to judge whether a button exists in the tags; if not, the test ends, and if so, control passes to the vulnerability testing module.
8. The device according to claim 7, wherein the vulnerability testing module comprises:
a whitelist library collision testing unit, used to perform a whitelist library collision test on all buttons of the current webpage and judge whether the current webpage has a click hijacking vulnerability.
9. The device according to claim 7, wherein the vulnerability testing module comprises:
a simulated click testing unit, used to perform a simulated click on all buttons of the current webpage and judge whether the current webpage has a click hijacking vulnerability.

Publications (2)

Publication Number Publication Date
CN111131223A CN111131223A (en) 2020-05-08
CN111131223B true CN111131223B (en) 2022-12-20

Family

ID=70500736

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113158187B (en) * 2021-03-26 2022-12-23 杭州数梦工场科技有限公司 Method and device for detecting click hijacking and electronic equipment

Citations (1)

Publication number Priority date Publication date Assignee Title
CN105245550A (en) * 2015-10-29 2016-01-13 广州酷狗计算机科技有限公司 Domain name hijacking judgment method and device

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant