Netinfo Security ›› 2015, Vol. 15 ›› Issue (3): 59-63.doi: 10.3969/j.issn.1671-1122.2015.03.012

Previous Articles     Next Articles

Research of HTTPS Session Hijacking Based on Script Injection

YANG Feng-fan1, LIU Jia-yong1(), TANG Dian-hua2   

  1. 1.College of Electronics and Information Engineering, Sichuan University, Chengdu Sichuan 610064, China
    2.Science and Technology on Communication Security Laboratory , Chengdu Sichuan 610041, China
  • Received:2014-11-15 Online:2015-03-10 Published:2015-05-08

Abstract:

This article analyzes the common methods of HTTPS hijacking, the methods and technological process of fake certificate, vulnerabilities of the jumping between HTTP and HTTPS. It points out the pros and cons of these methods at the same time. The second method is widely used at present, the proxy server establish HTTP connections with the client using MITM and HTTPS connections with the real server in order to get the users’ secret information and forward the data. This method is useful in PC platform, but cannot work well in mobile platform, because the middle proxy needs to monitor the holly communication data, replace the HTTPS connections timely and also needs matching features speedy. But the mobile machine is short in this. At present, the raid developments of mobile terminal cause more and more attention of penetration test on the mobile terminal. In order to perform the HTTPS hijacking on the mobile terminal much better and solve the existing problems, this article puts forward a new HTTPS hijacking method based on script injection according to the principles of dSploit. It successfully transferred the replacing work that the middle must do to the client, and also improving the efficiency. This article expounds the process and principle of this method, exposes the obscure security problems concerned with https-based communication, and provides some defending measures against HTTPS hijacking.

Key words: HTTPS hijacking, dSploit, script injection, information security, MITM

CLC Number: