Research of HTTPS Session Hijacking Based on Script Injection

doi:10.3969/j.issn.1671-1122.2015.03.012

Abstract

Abstract:

This article analyzes the common methods of HTTPS hijacking, the methods and technological process of fake certificate, vulnerabilities of the jumping between HTTP and HTTPS. It points out the pros and cons of these methods at the same time. The second method is widely used at present, the proxy server establish HTTP connections with the client using MITM and HTTPS connections with the real server in order to get the users’ secret information and forward the data. This method is useful in PC platform, but cannot work well in mobile platform, because the middle proxy needs to monitor the holly communication data, replace the HTTPS connections timely and also needs matching features speedy. But the mobile machine is short in this. At present, the raid developments of mobile terminal cause more and more attention of penetration test on the mobile terminal. In order to perform the HTTPS hijacking on the mobile terminal much better and solve the existing problems, this article puts forward a new HTTPS hijacking method based on script injection according to the principles of dSploit. It successfully transferred the replacing work that the middle must do to the client, and also improving the efficiency. This article expounds the process and principle of this method, exposes the obscure security problems concerned with https-based communication, and provides some defending measures against HTTPS hijacking.

Key words: HTTPS hijacking, dSploit, script injection, information security, MITM

CLC Number:

TP309

YANG Feng-fan, LIU Jia-yong, TANG Dian-hua. Research of HTTPS Session Hijacking Based on Script Injection[J]. Netinfo Security, 2015, 15(3): 59-63.

Figures/Tables 4

References 14

[1]	dSploit-Android网络渗透套件测试小计 [EB/OL]..
[2]	百度百科.SSL[EB/OL]. .
[3]	龙飞宇. SSL-Webmail中间人监测技术研究与实现[D].2010.
[4]	周萍,熊淑华,赵婧网关模式下的HTTPS协议监控[J].信息技术与信息化,2007,(06):45-46,106.
[5]	Joshi,Y,Das D, Saha S, Mitigating man in the middle attack over secure sockets layer[C]//Internet Multimedia Services Architecture and Applications (IMSAA), 2009 IEEE International Conference on, 9-11 Dec. 2009:1-5.
[6]	谢希仁. 计算机网络(第四版)[M].北京:电子工业出版社,2003.
[7]	欧阳江,李京力,刘嘉勇. SSL-Webmail中间人监测技术研究[J].信息安全通信保密,2012,(5):76-78.
[8]	张恒伽,施勇,薛质.基于SSLStrip的HTTPS会话劫持[J].信息安全与通信保密,2009,(10):80-82.
[9]	使用正则表达式匹配嵌套Html标签[EB/OL]. .
[10]	document.addEventListener理解[EB/OL]. .
[11]	DOM4的元素监控接口MutationObserver [EB/OL]..
[12]	乔艳飞. SSL安全分析以及中间人攻击和防范研究[D].北京:北京邮电大学,2013.
[13]	樊时凯,王敏.SSL通信的中间人攻击与防范[J].信息网络安全,2004,(9):57-58.
[14]	唐荣保,张玲,兰昆. SSL中间人攻击分析与防范[J].信息安全与通信保密,2010,(3):85-87,90.

[1]	WANG Wei, HU Yongtao, LIU Qingtao, WANG Kailun. Research on Softwaization Techniques for ERT Trusted Root Entity in Railway Operation Environment [J]. Netinfo Security, 2024, 24(5): 794-801.
[2]	YAN Hailong, WANG Shulan. Design and Implementation of Integrated Service Platform for Real Estate Registration Based on Domestic Cryptographic Technology [J]. Netinfo Security, 2024, 24(2): 303-308.
[3]	LAI Chengzhe, ZHAO Yining, ZHENG Dong. A Privacy Preserving and Verifiable Federated Learning Scheme Based on Homomorphic Encryption [J]. Netinfo Security, 2024, 24(1): 93-105.
[4]	HU Yi, SHE Kun. Blockchain and Smart Contract Based Dual-Chain Internet of Vehicles System [J]. Netinfo Security, 2022, 22(8): 26-35.
[5]	YU Kechen, GUO Li, YIN Hongwei, YAN Xuesong. The High-Value Data Sharing Model Based on Blockchain and Game Theory for Data Centers [J]. Netinfo Security, 2022, 22(6): 73-85.
[6]	LI Li, LI Zequn, LI Xuemei, SHI Guozhen. FPGA Realization of Physical Unclonable Function Based on Cross-coupling Circuit [J]. Netinfo Security, 2022, 22(3): 53-61.
[7]	SONG Jing, DIAO Run, ZHOU Jie, QI Jianhuai. The Optimization Method of Industrial Control System Functional Safety and Information Security Policy [J]. Netinfo Security, 2022, 22(11): 68-76.
[8]	MENG Xi. Study on Counter Intelligence Mechanism and Optimization Strategy for Network Information Security [J]. Netinfo Security, 2022, 22(10): 76-81.
[9]	HU Bowen, ZHOU Chunjie, LIU Lu. Coordination of Functional Safety and Information Security for Intelligent Instrument Based on Fuzzy Multi-objective Decision [J]. Netinfo Security, 2021, 21(7): 10-16.
[10]	YU Kechen, GUO Li, YAO Mengmeng. Design of Blockchain-based High-value Data Sharing System [J]. Netinfo Security, 2021, 21(11): 75-84.
[11]	ZHANG Minqing, ZHOU Neng, LIU Mengmeng, KE Yan. Research on Reversible Data Hiding Technology in Homomorphic Encrypted Domain [J]. Netinfo Security, 2020, 20(8): 25-36.
[12]	Yihua ZHOU, Zhuqing LV, Yuguang YANG, Weimin SHI. Data Deposit Management System Based on Blockchain Technology [J]. Netinfo Security, 2019, 19(8): 8-14.
[13]	Lin LI, Xuxia ZHANG. National Secret Substitution of zk-snark Bilinear Pair [J]. Netinfo Security, 2019, 19(10): 10-15.
[14]	Min ZHANG, Chunxiang XU, Minying HUANG. Research on Multi-server Lightweight Multi-factor Authentication Protocol in Telemedicine Environment [J]. Netinfo Security, 2019, 19(10): 42-49.
[15]	Yan CHEN, Jianyong GE, Jing LAI, Zhen LU. Security System of the Information System in the Cloud [J]. Netinfo Security, 2018, 18(4): 79-86.