Website Browsing Security

Source: Internet
Author: User

Web spoofing is a dangerous and hard-to-detect attack technique. In general terms, it targets individual users who browse Web pages, in order to illegitimately obtain or destroy those users' private information and data. It threatens ordinary Web browser users, including users of Netscape Navigator and Microsoft Internet Explorer.


I. Deception


Web spoofing cannot be carried out without the cooperation of a Web server, so in most cases the attacker places a server of his own between the user and the real Web server; in security terms this is a man-in-the-middle attack. Data exchanged between the user's browser and the real server no longer travels directly: it is intercepted and processed by the attacker's server. Using an intermediate server in this way is like a criminal driving a stolen police car to "perform official duties", so it is well concealed. Users are hardly aware of the attack, because they can still log on freely and follow links to every page of the site. Meanwhile the attacker, while secretly monitoring and intercepting information, can send data to the real Web server in the user's name and send data to the user in the server's name.


When a user visits such a site and carries out ordinary activities, the site may not be the real target at all but a copy or mirror image of it created by the attacker; the close resemblance gives no hint of the threat. At that point all of the user's registration details, logon account names and passwords, and in fact every action, pass from this mirror into a Web server under the attacker's control. The attacker can monitor, record and modify all of that information and carry out destructive activities.


For example, the account name and password entered into a form are captured online and leaked. When you visit an online bank, you may withdraw from or deposit into your account based on the bank's Web page as you see it, because you believe the page you are viewing is the bank's own. The layout, logo images, link addresses, text and other content are all familiar, and there seems to be no reason to doubt it. In reality, however, you are on a forged page created by the attacker.


II. Implementation Process


1. Enticing users into the intermediate server controlled by the attacker


When an attacker wants to present a false version of a Web site, he only has to create a copy of the site on his own server. Rather than storing the content of the entire real site, he has this copy rewritten so that every page is fetched from the real server on demand.


First, the attacker rewrites all the URLs in the copy so that they point to the attacker's server rather than the real server. Suppose the attacker's Web server is www.???.com; the attacker rewrites each URL by prefixing it with www.???.com. For example, abc.efg.com becomes www.???.com/abc.efg.com. When the user clicks the modified abc.efg.com link, the request actually goes to www.???.com. The intermediate server then sends a request to abc.efg.com to obtain the real document, rewrites all the links in that document to go through http://www.???.com, and returns the result to the user's browser.


Thus when a user reaches the target site through a modified link, the user's request actually goes to the intermediate server before the document is requested from the target server. The document returned by the target server must pass back through the intermediate server, which rewrites every link before sending it on to the user's browser. All URLs in the modified document therefore point to www.???.com: when the user clicks any link, the page is served through the intermediary rather than fetched directly from the real site. As long as the user keeps browsing through these pages, the attack is never left behind.


If a form in a Web page is forged, this constitutes form spoofing. A form's submission is sent to the address given in the form, and the result is returned as HTML. Since, as described above, the URLs of all pages have been rewritten, form spoofing follows naturally.


After the user submits a form, the submitted data goes to the attacker's server, where the attacker can observe and even modify it. Likewise, after obtaining the real server's response, the attacker returns it to the user.


2. Publishing the spoofing page


Web attackers must try to lure users into visiting and clicking the Web traps they have set. Hackers often use the following methods:


(1) Placing a false Web link on a popular Web site;


(2) If the attacker uses HTML-based email, sending the forged Web page to users by email;


(3) Creating false Web index entries and feeding them to search engines;


(4) Spreading site URLs that contain false links in public online venues such as BBS, OICQ, forums or chat rooms.


III. How to Prevent


1. For individual users


(1) View the source file


The attacker does not go without leaving traces, and the HTML source completely exposes this kind of spoofing. By right-clicking the page, or choosing "View" and then "Source" in the browser, you can read the current page's HTML source. Locate the URLs in the source and compare them with the addresses the page appears to link to; the modified URLs stand out, and the danger can be detected.
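As an added example (not part of the original article), the following Python script performs the source-file check described above automatically: it collects every href, src and action URL from an HTML document and reports the ones that do not stay on the expected host, naming the rewriting pattern of section II.1 (intermediary host prefixed onto the real hostname) when a link matches it. The intermediary host www.example-proxy.test and the sample HTML are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# A bare hostname such as "abc.efg.com" appearing as the first path segment.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

class LinkCollector(HTMLParser):
    """Collect every href, src and action value found in the page source."""
    def __init__(self):
        super().__init__()
        self.links = []  # (tag, url) in document order
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("href") or attrs.get("src") or attrs.get("action")
        if url:
            self.links.append((tag, url))

def find_rewritten_links(html, expected_host):
    """Return (url, reason) for absolute links that leave expected_host; a first path
    segment that is itself a hostname marks the intermediary/real.host rewriting."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.links:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            continue  # relative links, mailto: and javascript: carry no host to compare
        host = parsed.netloc.lower()
        if host == expected_host.lower():
            continue
        first_segment = parsed.path.lstrip("/").split("/", 1)[0]
        if HOSTNAME_RE.match(first_segment):
            findings.append((url, f"<{tag}> has {host} prefixed onto {first_segment}"))
        else:
            findings.append((url, f"<{tag}> points to {host}, not {expected_host}"))
    return findings

# Constructed sample: a copy of abc.efg.com served through a hypothetical
# intermediary host, with its links rewritten as section II.1 describes.
SAMPLE_HTML = """
<a href="http://www.example-proxy.test/abc.efg.com/login">Log on</a>
<a href="http://abc.efg.com/help">Help</a>
<a href="/local/page">Local page</a>
<form action="http://www.example-proxy.test/abc.efg.com/cgi-bin/login"></form>
<img src="http://www.example-proxy.test/abc.efg.com/logo.gif">
"""

if __name__ == "__main__":
    for url, reason in find_rewritten_links(SAMPLE_HTML, "abc.efg.com"):
        print(reason, "->", url)
```

Relative links are skipped deliberately: they resolve against whichever host served the page, so the address bar, not the source, tells you where they lead.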


For example, if you receive an HTML message from the 263 mail service and view its source, forged traces are easy to find.


It is therefore recommended not to log on to a sensitive site by way of an unfamiliar Web site, such as logging on to the 263 server through a personal site. Sites found through search engines or from other sources should be screened carefully to avoid fraud.


(2) Disable the JavaScript function in the browser


Attacker servers and pages of all kinds contain large amounts of JavaScript to achieve their ulterior motives. You can therefore disable JavaScript, or change the setting so that the browser prompts before running it.


In IE, click "Tools", then "Internet Options", switch to the "Security" tab and click "Custom Level". In the "Security Settings" dialog box that appears, select "Disable" for the JavaScript option.


(3) Make sure the browser's status bar is visible; it provides all kinds of information about your current location;


(4) Look carefully at the URL of any link you click. It is normally displayed correctly in the status bar or in the address bar.


2. For servers


Individual users can do nothing about the server side. Here we only offer some server-side security precautions, in the hope of giving useful tips to administrators of personal websites.


Web server security precautions:

(1) Restrict the accounts opened on the Web server, and regularly delete users that have not logged on for a long time.

(2) For accounts opened on the Web server, require a minimum password length for registered users and prompt for regular password changes, to prevent the risks caused by password theft.

(3) Where possible, run FTP, mail and other servers separately from the Web server.

(4) Regularly review the log files on the server and analyze all suspicious events.

(5) Set the permissions and attributes of the system files on the Web server.

(6) Do not place the Web server's document directory and the FTP directory in the same directory.

(7) Where necessary, record the access time together with the user's IP address or DNS name.

(8) If CGI programs are used, place them in a CGI-BIN directory that is separate from the HTML document directories.

(9) If possible, avoid popen(), system() and any shell command involving /bin/sh when writing CGI programs in C.


In addition, compiled languages (CGI, Perl, etc.) are safer than interpreted languages (PHP, JSP, etc.). The security vulnerabilities of particular Web servers are beyond the scope of this article; interested readers can consult the relevant materials.
