Clickjacking vulnerability: “Clickjacking: X-Frame-Options header missing”
“Clickjacking was described by the Internet security experts Robert Hansen and Jeremiah Grossman in 2008. It is a visual deception technique: on the web, an iframe embeds a transparent, invisible page so that the user, without realising it, clicks exactly where the attacker wants them to click.”
The fix is to have the server send the X-Frame-Options response header, either through web server configuration or through a filter in the application.
1. Apache: configure X-Frame-Options by adding Header always append X-Frame-Options SAMEORIGIN to httpd.conf
2. Add a filter to the project:
2.1 Filter code
package cn.aresoft.web.servlet;

/**
 * Software published by the Open Web Application Security Project (http://www.owasp.org)
 * This software is licensed under the new BSD license.
 *
 * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
 * @created February 6, 2009
 */
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackFilter implements Filter {

    // Default mode; overridden by the "mode" init-param (DENY or SAMEORIGIN).
    private String mode = "DENY";

    /**
     * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
     * decide to implement) not to display this content in a frame. For details, please
     * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        System.out.println("限制mode============" + mode);
        // Set the header before the rest of the chain runs: once the response has been
        // committed (body flushed), headers added afterwards are silently dropped by the
        // container. setHeader also replaces any earlier value, so the response carries
        // exactly one X-Frame-Options header.
        res.setHeader("X-Frame-Options", mode);
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) {
        System.out.println("限制mode init============" + mode);
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            mode = configMode;
        }
    }
}
2.2 XML configuration (web.xml)
<!-- Each filter's mode matches its name; map exactly one of them on /*.
     Mapping both would emit two X-Frame-Options headers with conflicting values. -->
<filter>
    <filter-name>ClickjackFilterDeny</filter-name>
    <filter-class>cn.aresoft.web.servlet.ClickjackFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>ClickjackFilterSameOrigin</filter-name>
    <filter-class>cn.aresoft.web.servlet.ClickjackFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<!-- use the Deny version to prevent anyone, including yourself, from framing the page -->
<!--
<filter-mapping>
    <filter-name>ClickjackFilterDeny</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->
<!-- use the SameOrigin version to allow your application to frame, but nobody else -->
<filter-mapping>
    <filter-name>ClickjackFilterSameOrigin</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
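Whichever of the two fixes is used, the result should be checked on real responses rather than assumed: a header added after the response was committed never reaches the client, and two filter mappings on /* (or Apache and the filter both adding the header) produce duplicate or conflicting values. The following is an added example, not part of the original post or of the OWASP filter, that evaluates a response's header list the way a scanner would before reporting "X-Frame-Options header missing". It goes slightly beyond the post by also recognising the Content-Security-Policy frame-ancestors directive, which current browsers prefer over X-Frame-Options; the sample responses are constructed for illustration.

```python
"""Added example (not from the original post): decide whether one HTTP response
carries an effective anti-framing policy. Sample responses are constructed."""
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]  # (name, value) exactly as sent on the wire

VALID_XFO = {"DENY", "SAMEORIGIN"}


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing_protection(headers: List[Header]) -> Dict[str, object]:
    """Headers stay an ordered list rather than a dict so that duplicates
    (two filters each adding X-Frame-Options) remain visible."""
    findings: List[str] = []
    protected = False

    # 1. CSP frame-ancestors is the current control. The Report-Only header is
    #    deliberately ignored here because it enforces nothing.
    for _, csp in (h for h in headers if h[0].lower() == "content-security-policy"):
        sources = frame_ancestors(csp)
        if sources is None:
            continue
        if "*" in sources:
            findings.append("frame-ancestors * permits framing by any origin")
        else:
            protected = True  # 'none', 'self' or an explicit allow-list

    # 2. X-Frame-Options: the legacy control and the fallback for older browsers.
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    distinct = set(xfo)
    if not xfo:
        note = " (CSP frame-ancestors covers current browsers)" if protected else ""
        findings.append("X-Frame-Options header missing" + note)
    elif len(distinct) > 1:
        # Two filter mappings on /* with different modes produce exactly this.
        findings.append(
            f"conflicting X-Frame-Options values {sorted(distinct)}; send exactly one")
    else:
        value = xfo[0]
        if value in VALID_XFO:
            protected = True
        elif value.startswith("ALLOW-FROM"):
            findings.append(
                "ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors")
        else:
            findings.append(f"unrecognised X-Frame-Options value {value!r} is ignored")

    return {"protected": protected, "findings": findings}


# Constructed sample responses mirroring the configurations discussed above.
SAMPLES: Dict[str, List[Header]] = {
    "filter_sameorigin": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "header_missing": [("Content-Type", "text/html")],   # e.g. header set after commit
    "two_mappings": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    "csp_only": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:18} {assess_framing_protection(hdrs)}")
```

To use it against a live deployment, feed `assess_framing_protection` the raw header pairs from an HTTP client (for example `response.raw.headers.items()` in Python's requests library) for a page that should not be framed; only a result with `protected` set to true and an empty findings list means the fix from step 1 or step 2 is actually reaching the browser.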