信息网络安全

信息网络安全 ›› 2016, Vol. 16 ›› Issue (3): 15-20.doi: 10.3969/j.issn.1671-1122.2016.03.003

• • 上一篇    下一篇

针对HTTPS的Web前端劫持及防御研究

赵国锋(), 陈勇, 王新恒   

  1. 重庆邮电大学通信学院,重庆 400065
  • 收稿日期:2016-01-18 出版日期:2016-03-25 发布日期:2020-05-13
  • 作者简介:

    作者简介: 赵国锋(1972--),男,陕西,教授,博士.主要研究方向为网络测量,网络安全等;陈勇(1990--),男,重庆,硕士研究生,主要研究方向为网络安全;王新恒(1988--),男,山东,博士研究生,主要研究方向为网络安全.

  • 基金资助:
    国家自然科学基金青年基金[61402065];江苏省未来网络前瞻项目[BY2013095-5-7,BY2013095-2-3]

Research on the Web Front-end Hijacking and Defense against HTTPS

Guofeng ZHAO(), Yong CHEN, Xinheng WANG   

  1. College of Communication, Chongqing University of Posts and Telecommunications, Chongqing 400065, China
  • Received:2016-01-18 Online:2016-03-25 Published:2020-05-13

RichHTML

6

PDF (PC)

319

摘要:

文章针对HTTPS协议通信流程,详细分析了基于伪造证书与中间人会话劫持的基本方法及原理,指出了常用劫持方法通过后端来操控原始数据流量时的缺陷,并重点提出了一种基于前端XSS脚本注入的更高效的HTTPS会话劫持方法,实现了表单提交,动态元素,脚本弹窗,框架页面的劫持.最后详细阐述了Web前端劫持方法的实现原理与流程,并搭建原型系统进行验证,进一步分析给出了 HTTPS 通信的安全隐患,提出了可行的防范措施.

关键词: HTTPS, 会话劫持, XSS, 前端劫持, 动态元素

Abstract:

This paper discusses the HTTPS protocol communication process, analyzes the basic principles and methods in detail based on forged certificates and man in the middle session hijacking. Then it points out that conventional hijacking method through the backend to manipulate the original data flow and defects, and puts forward a front-end scripting XSS based on injection of more efficient and more perfect HTTPS session hijacking method, which can realize the hijacking of the form submission, dynamic elements, the script window, and the page frame. Finally it expounds the priciple and process the Web front-end hijacking, builds a prototype system to validate, and makes a further analysis of the HTTPS communication security risks. According to the present situation, it also puts forward feasible preventive measures.

Key words: HTTPS, session hijacking, XSS, front-end hijacking, dynamic element

中图分类号: