A few days ago, when I opened the 163.com homepage, I found a border inexplicably displayed at the bottom of the page. It had never been there before, and no designer would ever ship something that ugly.
Curious, I immediately right-clicked the border and chose Inspect Element. Wow. Since when has the HTML on NetEase's homepage been this shoddy?
No doctype declaration, no <title> element, a <script language="JScript"> in a style that dates back who knows how many centuries ~ and, worst of all, the page is a frameset, built on the <frameset> element...
Needless to say, this is obviously not a NetEase page. The ad slot on the page had already been bought and paid for: this is an advertising page!
Hijacking of this kind has long been commonplace.
Ad hijacking on the web existed back in the era when petrol cost two yuan, and it still exists today, which shows the profits are huge.
You don't even need to calculate; count on your fingers. There are hundreds of millions of computer and mobile phone users, and countless web pages are opened every day. Even if an ad is inserted into only 1% of them, that is hundreds of millions of impressions. The business opportunity speaks for itself...
Helpless as this is, as long as the inserted ad doesn't interfere with normal browsing, nobody objects. If the skill level is high enough, it can be disguised as one of the page's own ads, at least identical in form, with no visible flaw. In that case we would not despise it; we would admire it.
But every piece of ad-hijacking code we have seen so far is shoddy, and this time we have met the champion of the garbage. Any web editor generates far better HTML than this automatically. With a bit of CSS it would not be spotted as a fake page at a glance. Work done in the dark, yet without even the simplest obfuscation, and the word "advertisement" sitting there in plain text. Isn't this blatantly showing off the lower bound of one's IQ?
Still, since we have spent time on this, let's go further and discuss how it may evolve in the future.
Lv1. Currently the most common practice: wrapping the hijacked page in a shell of their own.
The purpose is clear: the ad is always displayed on top in the browser. To achieve this effect, the ad is shown in the lower right corner of the page, covering the hijacked page's scroll bar, so it looks as if it is floating outside the browser!
At first glance I thought it was a pop-up message box from software such as QQ. But as soon as you un-maximize the browser window and drag it, the ad moves along with it :) The impostor Li Gui is exposed instantly!
Preventive Measures
There is nothing technical about this kind of hijacking, so defending against it is quite easy. In your page, check whether window.top is in a whitelist of valid URLs; if it isn't, refuse to be embedded in another page. Better still, submit the top address to the backend server and tally which sites are framing your pages.
Lv2. Inserting an externally linked <script> into the returned page
This method is far more covert than the previous one; at least it does not replace the page's source file.
Of course, if the <script> is simply appended at the end of the page, it can still be exposed instantly, and may even be reported as a virus, because it is such a crude fake! What normal web page is followed by
But if it is placed properly, you can't tell at a glance, for example a <script src=""> plugged in
Preventive Measures
Generally, most inserted <script> elements are external links, which makes swapping ads more flexible. For this kind of hijacking we need something like an anti-virus engine's approach: scan for suspicious modules.
However the ad is inserted, it ultimately has to stay in the page as static HTML. That cannot be erased!
When the page's HTML is loaded and DOMContentLoaded fires, we can scan every <script> tag in the DOM. If a src is found that is not in the trust list, the page may have been injected with a suspicious script!
We can submit the URL of the suspicious script to the backend server for further verification. If it is risky, a warning box should be displayed to alert the user.
Lv3. Inserting an inline <script>
Compared with external scripts, inline scripts are much harder to deal with. External links have only a handful of URLs, which are easy to filter, but inline scripts are ever-changing: random variable names, junk code inserted, all sorts of tricks... the magic is a bit much ~
Preventive Measures
To deal with this kind of hijacking easily, we first set a rule for telling real and fake script elements apart: give our own <script> elements a fixed tag, for example <script myjs="true">. Of course the specific attribute name and value change frequently. The hijacking program obviously does not know this rule and still inserts a bare <script>...</script>.
Therefore, in the "" you can clean them out directly...
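The three checks from Lv1 to Lv3 in one client-side audit, as an added example that is not code from the original post. TRUSTED_HOSTS, MARKER_ATTR, PAGE_BASE and every function name are my own assumptions; the objects passed in stand in for window and document.scripts so the logic can also run outside a browser.

```javascript
// Added example, not code from the original post. TRUSTED_HOSTS, MARKER_ATTR,
// PAGE_BASE and all function names are assumptions made for this illustration.
const TRUSTED_HOSTS = ['www.163.com', 'img1.126.net']; // constructed sample whitelist
const MARKER_ATTR = 'data-myjs'; // the secret marker from Lv3; rotate it regularly
const PAGE_BASE = 'http://www.163.com/'; // base for resolving relative src values

function hostOf(url) {
  try { return new URL(url, PAGE_BASE).hostname; } catch (e) { return null; }
}

// Lv1: is this page wrapped in someone else's frameset? `win` is `window` in the
// browser. Reading window.top.location across origins throws a SecurityError,
// which by itself tells us the framing page is not ours.
function frameStatus(win) {
  if (win.top === win.self) return 'ok';
  let topHref;
  try { topHref = win.top.location.href; } catch (e) { return 'framed-cross-origin'; }
  return TRUSTED_HOSTS.includes(hostOf(topHref)) ? 'ok' : 'framed-untrusted';
}

// Lv2/Lv3: scan script elements on DOMContentLoaded. `scripts` is document.scripts
// in the browser; any objects exposing src, getAttribute and textContent work here.
// External scripts must come from a trusted host; inline scripts must carry the marker.
function findSuspiciousScripts(scripts) {
  const suspicious = [];
  for (const s of scripts) {
    const src = s.src || '';
    if (src !== '') {
      if (!TRUSTED_HOSTS.includes(hostOf(src))) suspicious.push({ reason: 'untrusted-src', src });
    } else if (s.getAttribute(MARKER_ATTR) !== 'true') {
      suspicious.push({ reason: 'unmarked-inline', text: (s.textContent || '').slice(0, 80) });
    }
  }
  return suspicious;
}

// Browser entry point: call from a DOMContentLoaded handler. `report` is a
// hypothetical callback that posts the findings to the backend for verification.
function auditOnLoad(win, report) {
  const frame = frameStatus(win);
  const findings = findSuspiciousScripts(win.document.scripts);
  if (frame !== 'ok' || findings.length > 0) report({ frame, findings });
  return { frame, findings };
}
```

By the time DOMContentLoaded fires, an injected inline script has already executed, so this audit detects and reports the injection rather than preventing it.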
Lv4. Appending the ad code inside an existing <script> of the returned page
As hijacking programs keep upgrading, the tactics will get nastier. Maybe one day a hijacking program will have a built-in HTML semantic analyzer that intelligently merges the ad script into the page's original js!
If so, signing your script elements won't help, because the spy has been deeply integrated into our own system and it is hard to tell real from fake!
Most critically, the script may not even be placed inside <script></script>; it could be inline, as in <element onxxx="">... This is a headache. I'll have to think about how to solve it...
Preventive Measures
In this case there is no simple way to identify it. The only way out is to record the file's hash when the HTML is published. The value can be written into the page or stored in a database.
Once the page content has loaded, we use ajax to read the current page's content again (usually this reads the cached copy of the current page), compute the page's checksum with the same algorithm, and compare it with the original value to learn whether a third party has tampered with the page.
We can also send the tampered HTML to the backend and diff the two strings, so the technical staff can analyse what was done.
Of course, this only works for static web pages.
Lv5. Appending the ad code inside the page's externally linked scripts
This is the ultimate form: it does not modify the HTML content at all!
But ordinary web pages need to link a few external js files, so those external scripts become a juicy target!
Of course, just as with verifying the HTML, you can compute the hash of every js file in advance, then re-read them with ajax for verification and comparison.
But don't forget that the path of an external js file can be anything, while ajax can only read from the same-origin site, and an external <script> gives no way to read its text content. So whenever we use js files from outside the site, the hijacking program can mix in its code freely!
Preventive Measures
Because of the strict sandbox policy, we cannot obtain the actual content of external js, so the best option is to avoid using js files from external sites wherever possible.
If your site's js is not on the same domain name, you can use Flash URLLoader to load it cross-origin; you only need to deploy a crossdomain.xml file.
Lv6. Replacing the image content returned by the page with the ad image
This kind of traffic hijacking is beyond mortals. Let the gods deal with it...
Preventive Measures
In theory it can be solved completely. In practice it is doable too, just a huge amount of work...
External-link images, whether same-origin or cross-origin, can be read directly by Flash, so as with HTML and js we can hash the binary file and verify whether the image data has been hijacked.
Of course, you need to compute the hashes of the images (on-site or off-site) in advance, and the client also has to analyse the images used on the current page and verify them one by one. A painful process...
==============================================================
Now let's add new ideas or better solutions here.
Do you have any clever detection methods? Please leave a message ~
As mentioned above, the essence of all this is: on the client, compare the resources in use against the original server resources using a binary checksum, and send the result back to the backend for recording so that security risks can be identified.
Although it seems only ad scripts are embedded here, such scripts have the same permissions as any other script on the page, so they can easily obtain the user's cookies.
An embedded script can even connect to the hacker's console via WebSocket and send every mouse and keyboard action and the content displayed on the page. The other side can also control things remotely, letting js quietly perform all sorts of unexpected operations on the page.