Netinfo Security ›› 2016, Vol. 16 ›› Issue (3): 15-20. doi: 10.3969/j.issn.1671-1122.2016.03.003
• Original Article •
Guofeng ZHAO, Yong CHEN, Xinheng WANG
Abstract:
This paper describes the HTTPS communication process and analyzes in detail the principles and methods of session hijacking based on forged certificates and man-in-the-middle attacks. It then points out the defects of conventional hijacking methods, which manipulate the original data flow from the back end, and proposes a more efficient and more complete HTTPS session hijacking method based on front-end script injection (XSS), which can hijack form submissions, dynamic elements, script windows, and page frames. Finally, it explains the principle and process of Web front-end hijacking, builds a prototype system to validate it, further analyzes the security risks of HTTPS communication, and, in light of the present situation, proposes feasible preventive measures.
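Added example, not code from the paper (its prototype system is not reproduced here): a Node.js check of a server's HTTPS response headers against the three controls that counter the stages of the attack the abstract describes, in order: HSTS against the forged-certificate man-in-the-middle that first delivers the injected script, a Content-Security-Policy `script-src` without inline permission against the front-end hooks that hijack forms and dynamic elements, and `frame-ancestors` / `X-Frame-Options` against page-frame hijacking. The header sets, the one-year HSTS threshold, and the function names are constructed assumptions for illustration.

```javascript
// Added example: audit constructed HTTPS response headers for the controls that
// blunt XSS-based front-end session hijacking. Not code from the paper.

const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60; // assumed minimum HSTS max-age

// Parse a Content-Security-Policy value into { directiveName: [sources] }.
function parseCsp(cspValue) {
  const directives = {};
  for (const part of cspValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Return a list of findings; an empty list means all three controls are present.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  // 1. HSTS: without it the first plain-HTTP request can be intercepted and the
  //    injected script delivered before any certificate is ever checked.
  const hsts = h['strict-transport-security'];
  if (hsts === undefined) {
    findings.push('no Strict-Transport-Security: first request can be downgraded');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR_SECONDS) {
      findings.push('Strict-Transport-Security max-age shorter than one year');
    }
  }

  // 2. CSP: injected front-end hooks need inline script (or eval) to run at all.
  const csp = h['content-security-policy'];
  const d = csp === undefined ? {} : parseCsp(csp);
  if (csp === undefined) {
    findings.push('no Content-Security-Policy: inline scripts run unrestricted');
  } else {
    const scriptSrc = d['script-src'] || d['default-src'];
    if (!scriptSrc) {
      findings.push('CSP sets neither script-src nor default-src');
    } else {
      const nonceOrHash = scriptSrc.some(
        (s) => s.startsWith("'nonce-") || s.startsWith("'sha")
      );
      // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
      if (scriptSrc.includes("'unsafe-inline'") && !nonceOrHash) {
        findings.push("script-src allows 'unsafe-inline' without nonce/hash");
      }
      if (scriptSrc.includes("'unsafe-eval'")) {
        findings.push("script-src allows 'unsafe-eval'");
      }
      if (scriptSrc.includes('*') || scriptSrc.includes('https:')) {
        findings.push('script-src allows scripts from any host');
      }
    }
  }

  // 3. Framing: either frame-ancestors or X-Frame-Options stops the page being
  //    loaded inside an attacker-controlled frame.
  if (!d['frame-ancestors'] && h['x-frame-options'] === undefined) {
    findings.push('no frame-ancestors or X-Frame-Options: page can be framed');
  }

  return findings;
}

// Constructed sample responses (not captured from any real site).
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Set-Cookie': 'session=abc; Path=/',
};

const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self' 'nonce-d1e2f3'; object-src 'none'; frame-ancestors 'none'",
  'Set-Cookie': 'session=abc; Path=/; Secure; HttpOnly; SameSite=Lax',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditHeaders(WEAK_HEADERS));
  console.log('hardened:', auditHeaders(HARDENED_HEADERS));
}
```

The check deliberately reads `default-src` as the fallback for `script-src`, as browsers do, and treats a present nonce or hash as neutralizing `'unsafe-inline'`; a policy that lists a nonce but is served on a page whose inline scripts lack that nonce is a server-side bug this audit cannot see.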
Key words: HTTPS, session hijacking, XSS, front-end hijacking, dynamic element
CLC Number: TP309
Guofeng ZHAO, Yong CHEN, Xinheng WANG. Research on the Web Front-end Hijacking and Defense against HTTPS[J]. Netinfo Security, 2016, 16(3): 15-20.
URL: http://netinfo-security.org/EN/10.3969/j.issn.1671-1122.2016.03.003
http://netinfo-security.org/EN/Y2016/V16/I3/15