信息网络安全 (Netinfo Security) ›› 2015, Vol. 15 ›› Issue (3): 59-63. doi: 10.3969/j.issn.1671-1122.2015.03.012

• Technical Research •

Research of HTTPS Session Hijacking Based on Script Injection

阳风帆 (YANG Feng-fan)1, 刘嘉勇 (LIU Jia-yong)1, 汤殿华 (TANG Dian-hua)2

  1. College of Electronics and Information Engineering, Sichuan University, Chengdu, Sichuan 610064, China
  2. Science and Technology on Communication Security Laboratory, Chengdu, Sichuan 610041, China
  • Received: 2014-11-15  Online: 2015-03-10  Published: 2015-05-08
  • About the authors:

    YANG Feng-fan (born 1990), male, from Shaanxi, master's student; main research interests: network communication and network security. LIU Jia-yong (born 1962), male, from Sichuan, professor, PhD; main research interests: information security theory and applications, network information processing and information security. TANG Dian-hua (born 1986), from Chongqing, engineer; main research interests: homomorphic encryption, cloud computing security.

  • Funding:
    Supported by the foundation of the Science and Technology on Communication Security Laboratory [9140C110401140C11053]

Research of HTTPS Session Hijacking Based on Script Injection

YANG Feng-fan1, LIU Jia-yong1, TANG Dian-hua2

  1. College of Electronics and Information Engineering, Sichuan University, Chengdu, Sichuan 610064, China
  2. Science and Technology on Communication Security Laboratory, Chengdu, Sichuan 610041, China
  • Received: 2014-11-15  Online: 2015-03-10  Published: 2015-05-08

Abstract (translated from the Chinese original):

This article studies the mainstream methods currently used to hijack HTTPS sessions, analyzes in detail the hijacking methods and workflows based on forged certificates and on the weakness of the HTTP-to-HTTPS redirect, and gives the advantages and disadvantages of each. The method in widespread use today exploits the redirect between HTTP and HTTPS: a proxy server uses a man-in-the-middle attack to establish an HTTP connection with the client and an HTTPS connection with the server, relaying the whole data stream and thereby obtaining the user's communication data. This method works on the PC, but ports poorly to mobile terminals, mainly because it requires the intermediate proxy to monitor the entire data stream and replace the HTTPS redirects in server responses in time, which demands fast matching and forwarding; the limited processing capacity of a mobile terminal makes this hard to achieve. Mobile terminals are developing rapidly and their user base keeps growing, so more and more people are paying attention to penetration testing on the mobile side. To implement HTTPS session hijacking on mobile terminals more effectively and to solve the processing bottleneck at the intermediate node, this article, building on the implementation principles of dSploit and taking the specific environment of mobile terminals into account, proposes an HTTPS session hijacking method based on script injection, which moves the replacement work that the man in the middle would otherwise have to perform onto the client side and thereby improves the processing performance of the intermediate node. The article explains its implementation principle and workflow in detail, further analyzes the hidden security risks that may exist in HTTPS communication, and provides feasible countermeasures against them.

Keywords: HTTPS hijacking, dSploit, script injection, information security, man-in-the-middle attack

Abstract:

This article analyzes the common methods of HTTPS hijacking, describing the methods and workflows based on forged certificates and on the weakness of the HTTP-to-HTTPS redirect, and points out the pros and cons of each. The second method is widely used at present: the proxy server establishes an HTTP connection with the client by means of a MITM attack and an HTTPS connection with the real server, forwarding the data in order to obtain the users' secret information. This method works on the PC platform but cannot work well on the mobile platform, because the intermediate proxy needs to monitor the whole communication stream, replace the HTTPS redirects in time, and match their features quickly, and a mobile device falls short in this respect. At present, the rapid development of mobile terminals is drawing more and more attention to penetration testing on the mobile terminal. In order to perform HTTPS hijacking on the mobile terminal more effectively and solve the existing problems, this article puts forward a new HTTPS hijacking method based on script injection, following the principles of dSploit. It transfers the replacement work that the middle node would otherwise have to do to the client, and thereby improves efficiency. This article expounds the process and principle of this method, exposes the obscure security problems concerning HTTPS-based communication, and provides some defensive measures against HTTPS hijacking.

Key words: HTTPS hijacking, dSploit, script injection, information security, MITM
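The redirect-stripping proxy described in the abstracts rewrites the HTTPS redirects and links in server responses, and the paper's own method moves that rewriting into script injected on the client. As an added illustration from the defender's side (not code from the paper or from dSploit), the following Python script scans a client-observed log of plaintext HTTP transactions for the traces such a downgrade leaves behind: a host expected to redirect to HTTPS answering with a plaintext page, a redirect pointing back to http://, a password form posting over HTTP, and a plaintext script loaded from a third host. The host baseline, the transaction record format and the log entries are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed baseline (an assumption, not from the paper): hosts known to
# serve only HTTPS and to answer plain-HTTP requests with a redirect.
HTTPS_ONLY_HOSTS = {"login.example.test", "bank.example.test"}


@dataclass
class Transaction:
    """One client-observed HTTP exchange (constructed record format)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


_FORM_RE = re.compile(r'<form[^>]*\baction="([^"]+)"', re.I)
_SCRIPT_RE = re.compile(r'<script[^>]*\bsrc="([^"]+)"', re.I)
_PASSWORD_RE = re.compile(r'<input[^>]*\btype="password"', re.I)


def _header(headers, name):
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def check_transaction(tx):
    """Return a list of finding strings for one plaintext-HTTP transaction."""
    parts = urlsplit(tx.url)
    if parts.scheme != "http":
        return []  # only plaintext exchanges can have been downgraded
    host = parts.hostname or ""
    findings = []

    # 1. A host that should redirect to HTTPS served content in the clear,
    #    or its redirect now points back to plain HTTP.
    location = _header(tx.headers, "Location")
    if host in HTTPS_ONLY_HOSTS:
        if tx.status == 200:
            findings.append(f"{host}: expected redirect to HTTPS, got plaintext 200 "
                            "(possible redirect stripping)")
        elif location.startswith("http://"):
            findings.append(f"{host}: redirect downgraded to {location}")

    # 2. A password form whose action is an absolute http:// URL.
    if _PASSWORD_RE.search(tx.body):
        for action in _FORM_RE.findall(tx.body):
            if urlsplit(action).scheme == "http":
                findings.append(f"{host}: password form posts in plaintext to {action}")

    # 3. A plaintext script pulled from a host other than the page's own.
    for src in _SCRIPT_RE.findall(tx.body):
        src_parts = urlsplit(src)
        if src_parts.scheme == "http" and src_parts.hostname and src_parts.hostname != host:
            findings.append(f"{host}: plaintext third-party script from {src_parts.hostname}")
    return findings


def check_log(transactions):
    """Run check_transaction over a whole log and flatten the findings."""
    findings = []
    for tx in transactions:
        findings.extend(check_transaction(tx))
    return findings


# Constructed sample log: one benign exchange followed by two downgraded ones.
SAMPLE_LOG = [
    Transaction("http://login.example.test/", 301,
                {"Location": "https://login.example.test/"}),
    Transaction("http://login.example.test/", 200, {"Content-Type": "text/html"},
                '<form action="http://login.example.test/auth">'
                '<input type="password" name="p"></form>'
                '<script src="http://198.51.100.7/x.js"></script>'),
    Transaction("http://bank.example.test/", 302,
                {"Location": "http://bank.example.test/home"}),
]

if __name__ == "__main__":
    for finding in check_log(SAMPLE_LOG):
        print(finding)
```

The checks deliberately key on what the client can observe by itself, since in the scenario above the attacker sits between the client and the server; the baseline of HTTPS-only hosts stands in for whatever a client is able to remember about a site's expected behaviour.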
