Entry | Clickjacking |
Definition |
In web browsers, clickjacking is a browser security issue that is a vulnerability across a variety of browsers and platforms. Clickjacking can also take place outside of web browsers, including in applications.[5] A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.[6] Clickjacking is an instance of the confused deputy problem, wherein a computer is innocently fooled into misusing its authority.[7]

History

In 2002, it had been noted that it was possible to load a transparent layer over a web page and have the user's input affect the transparent layer without the user noticing. However, this was mainly ignored as a major issue until 2008.[5] In 2008, Jeremiah Grossman and Robert Hansen discovered that Adobe Flash Player could be clickjacked, allowing an attacker to gain access to the computer without the user's knowledge.[5] The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen,[8][9] a portmanteau of the words "click" and "hijacking".[5] As more attacks of a similar nature were discovered, the term "UI redressing" came to be used for the whole category of these attacks, rather than just clickjacking itself.[5]

Description

Clickjacking takes advantage of vulnerabilities that are present in applications and web pages to allow the attacker to manipulate the user's computer. For example, a clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The unsuspecting users think that they are clicking visible buttons, while they are actually performing actions on the invisible page. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page. Clickjacking is not limited to this type, though, and is present in other forms.

Clickjacking categories

Classic

Classic clickjacking refers to an attacker using hidden layers on web pages to manipulate the actions a user's cursor performs, resulting in the user being misled about what is truly being clicked on. A user might receive an email with a link to a video about a news item, but another webpage, say a product page on Amazon, can be "hidden" on top of or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon. The hacker can only send a single click, so they rely on the fact that the visitor is both logged into Amazon.com and has 1-click ordering enabled. While technical implementation of these attacks may be challenging due to cross-browser incompatibilities, a number of tools such as BeEF or Metasploit Project offer almost fully automated exploitation of clients on vulnerable websites. Clickjacking may be facilitated by, or may facilitate, other web attacks, such as XSS.[16][17]

Likejacking

Likejacking is a malicious technique of tricking users of a website into "liking" a Facebook page that they did not intentionally mean to "like".[18] The term "likejacking" came from a comment posted by Corey Ballou in the article How to "Like" Anything on the Web (Safely),[19] which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button.[20] According to an article in IEEE Spectrum, a solution to likejacking was developed at one of Facebook's hackathons.[21] A "Like" bookmarklet is available that avoids the possibility of likejacking present in the Facebook like button.[22]

Nested

Nested clickjacking, compared to classic clickjacking, works by embedding a malicious web frame between two frames of the original, harmless web page: that of the framed page and that which is displayed in the top window. This works due to a vulnerability in the HTTP header … In the past, with Google+ and the faulty version of …

Cursorjacking

Cursorjacking is a UI redressing technique that changes the cursor from the location the user perceives. It was discovered in 2010 by Eddy Bordi, a researcher at Vulnerability.fr;[23] Marcus Niemietz demonstrated it with a custom cursor icon, and in 2012 Mario Heiderich did so by hiding the cursor.[24][25] Jordi Chancel, a researcher at Alternativ-Testing.fr, discovered a cursorjacking vulnerability using Flash, HTML and JavaScript code in Mozilla Firefox on Mac OS X systems (fixed in Firefox 30.0) which can lead to arbitrary code execution and webcam spying.[26] A second cursorjacking vulnerability was again discovered by Jordi Chancel in Mozilla Firefox on Mac OS X systems (fixed in Firefox 37.0), once again using Flash, HTML and JavaScript code, which can also lead to spying through the webcam and the execution of a malicious add-on, allowing malware to run on the computer of the trapped user.[27]

Browserless

In browserless clickjacking, attackers utilize vulnerabilities in programs to replicate classic clickjacking in them, without requiring the presence of a web browser. This method of clickjacking is mainly prevalent on mobile devices, usually Android devices, especially due to the way in which toast notifications work. Because toast notifications have a small delay between the moment the notification is requested and the moment the notification actually displays on-screen, attackers are able to use that gap to create a dummy button that lies hidden underneath the notification and can still be clicked on.[5]

Cookiejacking

Cookiejacking is a form of clickjacking in which cookies are stolen from web browsers. This is done by tricking the user into dragging an object which seemingly appears harmless, but which in fact makes the user select the entire content of the cookie being targeted. From there, the attacker can acquire the cookie and all of the data that is within it.[13]

Filejacking

In filejacking, attackers use the web browser's capability to navigate through the computer and access computer files in order to acquire personal data. It does so by tricking the user into establishing an active file server (through the file and folder selection window that browsers use). With this, attackers can access and take files from their victims' computers.[14]

Password manager attack

A 2014 paper from researchers at Carnegie Mellon University found that while browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the http version of https-saved passwords. Most managers did not protect against iFrame- and redirection-based attacks and exposed additional passwords where password synchronization had been used between multiple devices.[15]

Prevention

Client-side

NoScript

Protection against clickjacking (including likejacking) can be added to Mozilla Firefox desktop and mobile[28] versions by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets.[29] According to Google's "Browser Security Handbook" from the year 2008, NoScript's ClearClick is "the only freely available product that offers a reasonable degree of protection" against clickjacking.[30] Protection from the newer cursorjacking attack was added to NoScript 2.2.8 RC1.[24]

GuardedID

GuardedID (a commercial product) includes client-side clickjack protection for users of Internet Explorer and Firefox[31] without interfering with the operation of legitimate iFrames. GuardedID clickjack protection forces all frames to become visible.

Gazelle

Gazelle is a Microsoft Research project secure web browser based on IE that uses an OS-like security model and has its own limited defenses against clickjacking.[32] In Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.

Server-side

Framekiller

Web site owners can protect their users against UI redressing (frame-based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources.[30] Such JavaScript-based protection, unfortunately, is not always reliable. This is especially true on Internet Explorer,[30] where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an …

X-Frame-Options

Introduced in 2009 in Internet Explorer 8 was a new HTTP header … In 2013 the X-Frame-Options header was officially published as RFC 7034,[40] but it is not an internet standard. The document is provided for informational purposes only. The W3C's Content Security Policy Level 2 Recommendation provides an alternative security directive, frame-ancestors, which is intended to obsolete the X-Frame-Options header.[41] A security header like X-Frame-Options will not protect users against clickjacking attacks that do not use a frame.[42]

Content Security Policy

The … Example frame-ancestors policies:

    # Disallow embedding. All iframes etc. will be blank, or contain a browser-specific error page.
    Content-Security-Policy: frame-ancestors 'none'

    # Allow embedding of own content only.
    Content-Security-Policy: frame-ancestors 'self'

    # Allow specific origins to embed this content.
    Content-Security-Policy: frame-ancestors www.example.com www.wikipedia.org
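As an added example (not code from the article, from any browser, or from the CSP specification), the following Node.js snippet models how a browser evaluates the frame-ancestors directive shown above, and pairs it with a helper that emits the anti-framing headers from a single allow-list. The source matching is a simplified form of the CSP host-source rules (no IPv6 literals, no path components), and every origin used in it is constructed for illustration.

```javascript
'use strict';
// Added example, not code from the article or from any browser: a small
// model of how a browser evaluates the CSP frame-ancestors directive, plus a
// helper that emits the anti-framing headers from one allow-list. Source
// matching is a simplified form of the CSP host-source rules (no IPv6
// literals, no paths). All origins used here are constructed for illustration.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Emit both headers from a list of allowed framing origins ('self' or host
// sources). An empty list forbids framing entirely. Only the 'none' and
// 'self' cases have an X-Frame-Options equivalent; an explicit origin list
// is expressible only in CSP, so browsers without CSP2 get no protection
// from that form.
function framingHeaders(allowed) {
  if (allowed.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  const headers = {
    'Content-Security-Policy': 'frame-ancestors ' + allowed.join(' '),
  };
  if (allowed.length === 1 && allowed[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Extract the frame-ancestors source list from a CSP header value, or null
// when the directive is absent (CSP then places no restriction on framing).
function parseFrameAncestors(cspValue) {
  const directive = cspValue
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// Does a single source expression match one ancestor origin?
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin.toLowerCase() === pageOrigin.toLowerCase();

  const anc = new URL(ancestorOrigin);
  const page = new URL(pageOrigin);
  let rest = src;
  let scheme = null;
  const sep = rest.indexOf('://');
  if (sep !== -1) {
    scheme = rest.slice(0, sep) + ':';
    rest = rest.slice(sep + 3);
  }
  const [host, port] = rest.split(':');

  // Scheme: an explicit scheme must match exactly; an implicit one means
  // "same scheme as the protected page", with http -> https upgrades allowed.
  if (scheme !== null) {
    if (scheme !== anc.protocol) return false;
  } else if (anc.protocol !== page.protocol &&
             !(page.protocol === 'http:' && anc.protocol === 'https:')) {
    return false;
  }
  // Host: "*.example.com" matches subdomains only, never the bare domain.
  if (host.startsWith('*.')) {
    if (!anc.hostname.endsWith(host.slice(1))) return false;
  } else if (anc.hostname !== host) {
    return false;
  }
  // Port: URL normalises default ports to '', so a source without a port
  // only matches an ancestor on its scheme's default port.
  if (port === undefined) return anc.port === '';
  if (port === '*') return true;
  return (anc.port || DEFAULT_PORT[anc.protocol]) === port;
}

// The page may be framed only if EVERY ancestor browsing context matches at
// least one source. Checking the whole chain, not just the top window, is
// what defeats a hostile frame sandwiched between two friendly ones.
function framingAllowed(cspValue, pageOrigin, ancestorOrigins) {
  const sources = parseFrameAncestors(cspValue);
  if (sources === null) return true;
  return ancestorOrigins.every((anc) =>
    sources.some((src) => sourceMatches(src, anc, pageOrigin)));
}

// Usage with constructed origins: a 'self' policy rejects a chain whose
// middle frame is foreign even though the top window is the site's own.
const demoPage = 'https://target.example';
const demoChain = ['https://attacker.example', 'https://target.example'];
console.log(framingHeaders(["'self'"]));
console.log(framingAllowed("frame-ancestors 'self'", demoPage, demoChain)); // false
```

The ancestor list is ordered from the page's immediate parent outward, which is why the nested case above fails on its first element: a policy that only compared the top window against the page's origin would accept that chain, which is the gap a nested attack relies on. Pairing the CSP directive with X-Frame-Options, as framingHeaders does for the 'none' and 'self' cases, keeps the older header as a fallback for browsers that predate CSP Level 2.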
References

1. Robert McMillan. "At Adobe's request, hackers nix 'clickjacking' talk". PC World, 17 September 2008. http://www.pcworld.idg.com.au/index.php/id;979405561 (accessed 2008-10-08).
2. Megha Dhawan. "Beware, clickjackers on the prowl". India Times, 29 September 2008. http://infotech.indiatimes.com/quickiearticleshow/3543527.cms (accessed 2008-10-08).
3. Dan Goodin. "Net game turns PC into undercover surveillance zombie". The Register, 7 October 2008. https://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/ (accessed 2008-10-08).
4. Fredrick Lane. "Web Surfers Face Dangerous New Threat: 'Clickjacking'". newsfactor.com, 8 October 2008. https://news.yahoo.com/s/nf/20081008/bs_nf/62355 (archived 13 October 2008 at https://web.archive.org/web/20081013003436/http://news.yahoo.com/s/nf/20081008/bs_nf/62355; accessed 2008-10-08).
5. Marcus Niemietz. "UI Redressing Attacks on Android Devices". Black Hat, 2012. https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf
6. Sumner Lemon. "Business Center: Clickjacking Vulnerability to Be Revealed Next Month". 30 September 2008. https://www.pcworld.com/article/151677/clickjacking_vulnerability_to_be_revealed_next_month.html (accessed 2008-10-08).
7. Tyler Close. "The Confused Deputy rides again!". October 2008.
8. Robert Lemos. "You don't know (click)jack". October 2008.
9. Berry JAstine. "Facebook Help Number 1-888-996-3777". http://www.sectheory.com/clickjacking.htm (accessed 7 June 2016).
10. "Viral clickjacking 'Like' worm hits Facebook users". Naked Security, 2010-05-31. https://nakedsecurity.sophos.com/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/ (accessed 2018-10-23).
11. "Facebook Worm – "Likejacking"". Naked Security, 2010-05-31. https://nakedsecurity.sophos.com/2010/05/31/facebook-likejacking-worm/ (accessed 2018-10-23).
12. Sebastian Lekies. "On the fragility and limitations of current Browser-provided Clickjacking protection schemes". USENIX, 2012. https://www.usenix.org/system/files/conference/woot12/woot12-final16.pdf
13. Rosario Valotta. "Cookiejacking". tentacoloViola - sites.google.com, 2011. https://sites.google.com/site/tentacoloviola/cookiejacking (accessed 2018-10-23).
14. "Filejacking: How to make a file server from your browser (with HTML5 of course)". blog.kotowicz.net. http://blog.kotowicz.net/2011/04/how-to-make-file-server-from-your.html (accessed 2018-10-23).
15. "Password Managers: Attacks and Defenses". https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-silver.pdf (accessed 26 July 2015).
16. "The Clickjacking meets XSS: a state of art". Exploit DB, 2008-12-26. http://www.exploit-db.com/papers/12987/ (accessed 2015-03-31).
17. Krzysztof Kotowicz. "Exploiting the unexploitable XSS with clickjacking". http://blog.kotowicz.net/2011/03/exploiting-unexploitable-xss-with.html (accessed 2015-03-31).
18. Richard Cohen. "Facebook Work - "Likejacking"". Sophos, 31 May 2010. http://www.sophos.com/blogs/sophoslabs/?p=9783 (accessed 2010-06-05).
19. Corey Ballou. ""Likejacking" Term Catches On". jqueryin.com, 2 June 2010. http://www.jqueryin.com/2010/06/02/likejacking-term-catches-on/ (archived 5 June 2010 at https://web.archive.org/web/20100605073625/http://www.jqueryin.com/2010/06/02/likejacking-term-catches-on/; accessed 2010-06-08).
20. Sarah Perez. ""Likejacking" Takes Off on Facebook". ReadWriteWeb, 2 June 2010. http://www.readwriteweb.com/archives/likejacking_takes_off_on_facebook.php (accessed 2010-06-05).
21. David Kushner. "Facebook Philosophy: Move Fast and Break Things". spectrum.ieee.org, June 2011. http://spectrum.ieee.org/at-work/innovation/facebook-philosophy-move-fast-and-break-things/2 (accessed 2011-07-15).
22. Sarah Perez. "How to "Like" Anything on the Web (Safely)". ReadWriteWeb, 23 April 2010. https://readwrite.com/2010/04/22/how_to_like_anything_on_the_web_safely/ (accessed 24 August 2011).
23. Paul Podlipensky. "Cursor Spoofing and Cursorjacking". Podlipensky.com. http://podlipensky.com/2012/08/cursor-spoofing-cursorjacking/ (accessed 22 November 2017).
24. Krzysztof Kotowicz. "Cursorjacking Again". 18 January 2012. http://blog.kotowicz.net/2012/01/cursorjacking-again.html (accessed 2012-01-31).
25. Aspect Security. "Cursor-jacking attack could result in application security breaches". https://www.aspectsecurity.com/news/application-security/cursor-jacking-attack-could-result-in-application-security-breaches-3/ (accessed 2012-01-31).
26. "Mozilla Foundation Security Advisory 2014-50". Mozilla. https://www.mozilla.org/security/announce/2014/mfsa2014-50.html (accessed 17 August 2014).
27. "Mozilla Foundation Security Advisory 2015-35". Mozilla. https://www.mozilla.org/en-US/security/advisories/mfsa2015-35/ (accessed 25 October 2015).
28. Giorgio Maone. "NoScript Anywhere". hackademix.net, 24 June 2011. http://noscript.net/nsa/ (accessed 2011-06-30).
29. Giorgio Maone. "Hello ClearClick, Goodbye Clickjacking". hackademix.net, 8 October 2008. http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/ (accessed 2008-10-27).
30. Michal Zalevski. "Browser Security Handbook, Part 2, UI Redressing". Google Inc., 10 December 2008. http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing) (accessed 2008-10-27).
31. Robert Hansen. "Clickjacking and GuardedID ha.ckers.org web application security lab". 4 February 2009. http://ha.ckers.org/blog/20090204/clickjacking-and-guardedid/ (accessed 2011-11-30).
32. Helen J. Wang, Chris Grier, Alexander Moschchuk, Samuel T. King, Piali Choudhury, Herman Venter. "The Multi-Principal OS Construction of the Gazelle Web Browser". 18th Usenix Security Symposium, Montreal, Canada, August 2009. http://research.microsoft.com/en-us/um/people/helenw/papers/gazelleSecurity09.pdf (accessed 2010-01-26).
33. Giorgio Maone. "Hey IE8, I Can Has Some Clickjacking Protection". hackademix.net, 27 October 2008. http://hackademix.net/2009/01/27/ehy-ie8-i-can-has-some-clickjacking-protection/ (accessed 2008-10-27).
34. Eric Lawrence. "IE8 Security Part VII: ClickJacking Defenses". 27 January 2009. http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx (accessed 2010-12-30).
35. Eric Lawrence. "Combating ClickJacking With X-Frame-Options". 30 March 2010. http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx (accessed 2010-12-30).
36. Ryan Naraine. "Apple Safari jumbo patch: 50+ vulnerabilities fixed". 8 June 2009. http://blogs.zdnet.com/security/?p=3541 (accessed 2009-06-10).
37. "The X-Frame-Options response header". MDC. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
38. Adam Barth. "Security in Depth: New Security Features". 26 January 2010. https://blog.chromium.org/2010/01/security-in-depth-new-security-features.html (accessed 2010-01-26).
39. "Web specifications support in Opera Presto 2.6". 12 October 2010. http://www.opera.com/docs/specs/presto26/#network (accessed 2012-01-22).
40. "HTTP Header Field X-Frame-Options". IETF, 2013. http://www.rfc-editor.org/rfc/rfc7034.txt
41. "Content Security Policy Level 2". W3C, 2016. https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options
42. "lcamtuf's blog: X-Frame-Options, or solving the wrong problem". https://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html
43. "Content Security Policy Level 2". w3.org, 2014-07-02. http://www.w3.org/TR/CSP11/#frame-ancestors-and-frame-options (accessed 2015-01-29).
44. "Clickjacking Defense Cheat Sheet". https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet (accessed 2016-01-15).