
How to prevent http hijacking of websites?

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

How to detect website hijacking?

IIS7 website monitoring

Detects whether a website has been hijacked, checks for DNS pollution, measures page opening speed, and reports other such information.

How to prevent HTTP hijacking?

Measures against HTTP hijacking can be grouped into three categories according to when they take effect:

Prior encryption

Evade in the event

Ex post masking

Let's take them one by one.

Prior encryption

HTTPS

A large share of HTTP hijacking is possible because the data is transmitted in plaintext. With HTTPS, TLS is added beneath the HTTP protocol to protect the transmitted data, so it travels encrypted. When adopting HTTPS, however, the rules must be followed strictly: HTTPS has to be used across the entire site, because any remaining place that still uses plain HTTP transmits in plaintext and is likely to be hijacked there.

Correspondingly, site-wide HTTPS also brings some problems:

Performance may degrade because the TLS handshake adds up to 2 RTT of latency (although HTTP/2, which runs over HTTPS, can make up for this and improve performance more effectively).

Operators may also hijack DNS. Under DNS hijacking an HTTPS service becomes completely unusable, so the user ends up with a blank (white) page.

Encrypting proxy

The idea of an encrypting proxy is to place a proxy server between the user and the target web server. The operator's node sits between the user and the proxy, and that leg is protected with whatever encryption method is chosen. Plain HTTP is used between the proxy server and the web service, so as long as you have confirmed that the link between the proxy and the web service cannot be hijacked, HTTP hijacking is avoided.

Evade in the event

Split HTTP request packet

The first step of an HTTP hijack is to identify (mark) the TCP connection as carrying HTTP; if that identification never happens, the operator's subsequent tampering never happens either. One way to avoid it is to split the HTTP request.

Splitting means dividing the HTTP request into several TCP packets. The operator's bypass device does not have a complete TCP/IP protocol stack, so it cannot reassemble the request and never marks the connection, while the target web server does have a complete TCP/IP stack, reassembles the complete HTTP request, and serves it normally.

Ex post masking

Using browser APIs, DOM nodes are matched against a set of rules, and the matched nodes are intercepted and hidden.

Techniques include CSP (Content Security Policy), DOM event listening, and so on.

CSP is a security layer built into browsers to combat cross-site scripting and data injection. Content implanted by an operator is essentially data injection, so CSP can also be used against operator hijacking. Rules set in the HTTP response header or in a meta tag let the browser block the injected resources and report the hijacking information.

DOM event listeners mainly listen for events such as DOMNodeInserted, DOMContentLoaded and DOMAttrModified, whose callbacks fire when the front-end DOM structure changes. Detection logic added to the callback decides whether the change belongs to the business's normal UI logic; if it does not, the change can be treated as coming from hijacking.
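The following is an added example of that detection logic, not code from the original article. The decision is kept in a pure function (`classifyElement`) so it can be tested outside a browser, and `installHijackGuard` wires it to the page with `MutationObserver`, which is the current replacement for the deprecated DOMNodeInserted and DOMAttrModified mutation events the article names. Elements that can load or display third-party content are checked against an allowlist of origins; inline scripts are expected to carry the nonce the server stamped on them. All origins are constructed placeholders, and the `/hijack-report` endpoint in the usage comment is assumed.

```javascript
// Added example (not from the original article): a DOM guard that hides
// runtime-inserted elements that do not belong to the site's own UI.
// Origins are constructed placeholders.

const ALLOWED_ORIGINS = ['https://www.example.invalid', 'https://static.example.invalid'];

// Elements that can pull in or display third-party content.
const WATCHED_TAGS = new Set(['SCRIPT', 'IFRAME', 'IMG', 'LINK', 'OBJECT', 'EMBED']);

// Returns 'ok' or a short reason string saying why the element is suspicious.
// attrs is a plain name->value object; pageUrl resolves relative references.
function classifyElement(tagName, attrs, allowedOrigins, pageUrl) {
  const tag = tagName.toUpperCase();
  if (!WATCHED_TAGS.has(tag)) return 'ok';
  const ref = attrs.src || attrs.href || attrs.data || '';
  if (!ref) {
    // Inline <script> blocks we did not stamp with a nonce are not ours.
    return tag === 'SCRIPT' && !attrs.nonce ? 'inline script without nonce' : 'ok';
  }
  let origin;
  try {
    origin = new URL(ref, pageUrl).origin;
  } catch {
    return 'unparseable url';
  }
  return allowedOrigins.includes(origin) ? 'ok' : 'external origin ' + origin;
}

// Hides rather than removes, so the evidence stays in the DOM for inspection
// while the user never sees the injected content.
function hideElement(el) {
  el.style.setProperty('display', 'none', 'important');
}

// Browser-side wiring: observe insertions and src/href/data changes across
// the whole document and run every affected element through classifyElement.
function installHijackGuard(doc, allowedOrigins, onHit) {
  const pageUrl = doc.location.href;
  const check = (el) => {
    if (el.nodeType !== 1) return; // element nodes only
    const attrs = {};
    for (const a of el.attributes) attrs[a.name] = a.value;
    const verdict = classifyElement(el.tagName, attrs, allowedOrigins, pageUrl);
    if (verdict !== 'ok') {
      hideElement(el);
      onHit({ tag: el.tagName, verdict, outerHTML: el.outerHTML.slice(0, 200) });
    }
  };
  const observer = new MutationObserver((records) => {
    for (const r of records) {
      r.addedNodes.forEach(check);
      if (r.type === 'attributes') check(r.target);
    }
  });
  observer.observe(doc.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: ['src', 'href', 'data'],
  });
  return observer;
}

// Usage in a page (assumed reporting endpoint, not run here):
//   installHijackGuard(document, ALLOWED_ORIGINS, (hit) =>
//     navigator.sendBeacon('/hijack-report', JSON.stringify(hit)));
```

Install the guard as early as possible in `<head>` so it is already observing when injected nodes arrive; anything inserted before the observer starts has to be caught by a one-off scan of the existing DOM with the same `classifyElement` rule. The hits sent to the reporting endpoint give the same kind of evidence as CSP violation reports, for sites that cannot yet deploy a strict policy.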
