[HTTP hijacking and DNS hijacking] Tencent's real-world business analysis

Briefly, HTTP hijacking and DNS hijacking both mean that the carrier (ISP) tampers in some way with a user's normal web access, inserting advertising or other assorted content.

    First, some analysis of the carriers doing the hijacking. Their sole purpose is to make money, and there are two ways to do it:

    1. Add extra advertising to a normal site, including floating layers inside the page or pop-up ads;

    2. For sites that run an ad network or affiliate program, append a promotion tail (referral parameter) to the URL. A common example: visiting the Baidu homepage ends up redirected to http://www.baidu.com/?tn=90509114_hao_pg

    In terms of concrete method, hijacking is generally divided into DNS hijacking and HTTP hijacking.

    DNS hijacking:

    In general, the DNS servers a user's machine uses are assigned by the carrier, so at this node the carrier can do whatever it wants.

    For example, when visiting http://jiankang.qq.com/index.html, a normal DNS lookup should return Tencent's IP; after DNS hijacking it returns the IP of a carrier intermediate server instead. Visiting that server yields a 302, so the user's browser is sent to a page with advertising already placed on it, and that page then re-opens the address the user originally requested inside an iframe.

    HTTP hijacking:

    The carrier runs protocol detection at a router node: when it finds an HTTP request whose requested content type is HTML, it intercepts it. The subsequent handling usually comes in two forms. One, like DNS hijacking, returns a 302 so the browser jumps to another address; the other inserts DOM nodes (advertising JS) into the HTML data returned by the server.

    From the user's perspective, these hijacks show up as:

    1. The URL redirects for no apparent reason, mostly to add a promotion tail;

    2. Extra advertising appears on the page (either the page is wrapped in an iframe, or DOM nodes are inserted directly into the same page).

    Approach:

    1. First, run detection in production (on the external network) and report hijacked cases.

            For my business, a promotion tail makes no sense, so what remains is the injected-advertising problem. Page advertising has to be checked in both forms: the page being loaded inside an iframe, and DOM nodes being inserted directly.

window.addEventListener('DOMNodeInserted', checkDivHijack);
// Called with the insertion event for each inserted node, or with no argument to scan the whole page (the no-argument path needs jQuery).
function checkDivHijack(e) {
        var node = e ? (e.target || e.srcElement) : null;
        var html = node ? (node.outerHTML || node.wholeText || '') : $('html').html();
        // Pull every "http://host/" prefix out of the markup.
        var reg = /http:\/\/([^\/]+)\//g;
        var urlList = html.match(reg);
        if (!urlList || urlList.length == 0) {
            return;
        }
        // Whitelist of our own domains; any other host is treated as injected.
        reg = /^http:\/\/(.*\.qq\.com|.*\.gtimg\.cn|.*\.qlogo\.cn|.*\.qpic\.cn|.*\.wanggou\.com)\/$/;
        var hijack = false;
        for (var i = 0; i < urlList.length; i++) {
            if (!reg.test(urlList[i])) {
                hijack = true;
                break;
            }
        }
        if (hijack) {
            reportHijack(urlList); // send the report to the backend; the reporting function itself is not shown in the post
        }
}

 (Note: later inspection found that this URL regex is not strict enough. It does catch hijacking, but some markup our own product legitimately inserts, such as <a href="http://jiankang.qq.com." data-id="1">, is flagged as a false hijack. This is a minor detail; tightening the regular expression is enough.)

    2. For the iframe case, you need to find the rule the carrier's hijacking follows.

            The page loaded inside the carrier's iframe opens normally instead of being intercepted again, probably because the carrier marks the request URL or the cookie. We can use that rule to survive the hijacking.

    3. For the DOM-node-injection case, run a check at initialization and keep checking DOM nodes inserted later. Check whether the DOM contains any http links outside the whitelist; if it does, that can be judged to be HTTP hijacking.
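As an added example (not code from the original post), here is a hardened version of the front-end checks in steps 1 to 3, written for Node.js and the browser. The trusted domains are the ones in the post's whitelist regex; the page markup, the ad host ad.example-isp.test and the report callback are constructed for the example. It reads src/href attribute values and parses them with the URL class instead of regex-matching raw text, which is what produced the false positive on <a href="http://jiankang.qq.com." data-id="1"> noted above, and it matches the whitelist on label boundaries so a host like qq.com.evil.test is not trusted.

```javascript
// Added example (not the post's own code): hardened front-end checks for steps 1 to 3.
// Trusted domains come from the post's regex; markup, ad host and report callback are constructed.
const TRUSTED_SUFFIXES = ['qq.com', 'gtimg.cn', 'qlogo.cn', 'qpic.cn', 'wanggou.com'];

// Match on label boundaries so "qq.com.evil.test" is not trusted, and ignore the trailing
// dot of "jiankang.qq.com." (the false positive the post mentions).
function isTrustedHost(host) {
  const h = String(host).toLowerCase().replace(/\.$/, '');
  return TRUSTED_SUFFIXES.some((d) => h === d || h.endsWith('.' + d));
}

// Resolve one attribute value against the page URL and return its hostname, or null for
// values that are not http(s) URLs (javascript:, data:, mailto:, unparsable).
function hostOf(value, base) {
  let u;
  try {
    u = new URL(value, base);
  } catch (err) {
    return null;
  }
  return u.protocol === 'http:' || u.protocol === 'https:' ? u.hostname : null;
}

// Steps 1 and 3: collect hosts referenced by src/href attributes that are outside the
// whitelist. Reading attribute values instead of regex-matching raw text keeps noise such
// as '" data-id="1">' out of the "host", which is what caused the post's false positive.
function findForeignHosts(html, base) {
  const attr = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))/gi;
  const foreign = new Set();
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
    const host = hostOf(value, base);
    if (host !== null && !isTrustedHost(host)) foreign.add(host);
  }
  return [...foreign];
}

// Step 2: when we are inside a frame, document.referrer is the only cross-origin hint about
// the framing page. A referrer outside the whitelist means a carrier wrapper page; an empty
// referrer cannot be classified and is left alone.
function framedByForeignPage(isFramed, referrer) {
  if (!isFramed || !referrer) return false;
  const host = hostOf(referrer, undefined);
  return host !== null && !isTrustedHost(host);
}

// Browser hookup: one full scan at load, then watch later insertions with MutationObserver
// (DOMNodeInserted, used in the post, is deprecated). `report` is whatever sends the
// finding to your backend; it is assumed here, not provided by the post.
function installHijackWatcher(report) {
  if (typeof document === 'undefined') return; // not running in a browser
  const base = location.href;
  const check = (html) => {
    const hosts = findForeignHosts(html, base);
    if (hosts.length > 0) report({ type: 'dom', hosts });
  };
  check(document.documentElement.outerHTML);
  if (framedByForeignPage(window.top !== window.self, document.referrer)) {
    report({ type: 'iframe', referrer: document.referrer });
  }
  new MutationObserver((records) => {
    for (const r of records) {
      for (const n of r.addedNodes) {
        if (n.nodeType === 1) check(n.outerHTML); // element nodes only
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}

// Constructed page markup: our own script, the trailing-dot anchor from the post's note,
// a relative image, a protocol-relative image on qpic.cn, and one injected ad script.
const SAMPLE_PAGE =
  '<html><head><script src="http://jiankang.qq.com/js/app.js"></script></head><body>' +
  '<a href="http://jiankang.qq.com." data-id="1">x</a><img src="/img/logo.png">' +
  '<img src="//pic.qpic.cn/a.png"><script src="http://ad.example-isp.test/pop.js"></script>' +
  '</body></html>';

if (typeof document !== 'undefined') installHijackWatcher((finding) => console.log(finding));
```

findForeignHosts(SAMPLE_PAGE, 'http://jiankang.qq.com/index.html') returns ['ad.example-isp.test']. In a page, call installHijackWatcher(report) once at load. Only URLs that appear in attributes are checked: an injected inline script that assembles its ad URL at runtime is caught only once it inserts the element carrying that URL.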


    4. Approaches outside the front end:

        a) Filter all returned packets on the terminal (client); packets determined to come from a blacklisted IP (the intermediate hijacking IP) are discarded.

                The reason this works: when the carrier hijacks an HTTP request it does not discard the request packet outright. It copies it and lets the original continue on to the target server, and in parallel the hijacking device directly returns a 302. Because that 302 arrives much earlier than the target server's normal response, the user's browser only recognizes the first 302 and drops the normal response that arrives afterwards.

                If the client discards that first 302 and waits for the normal response that follows, the problem is solved.

        b) Intercept request packets on the terminal and split them before sending.

                Carriers generally decide whether to hijack by determining whether the traffic is an HTTP request. Usually only the first packet after the TCP connection is established is inspected: only if that packet is a complete HTTP request does it get marked; if it is not a complete HTTP request, the hijacker cannot get enough information and so does not mark it as HTTP.

                So, as long as the request packet is sliced thin enough, part of the hijacking can be evaded (if the carrier learns from the "Great Firewall" and puts more effort into packet interception, there is nothing to be done).


    5. Of course, the fundamental solution is HTTPS, but that means modifying a lot of business code and costs more. If the hijacked proportion is small, appropriate remedial measures may be the better choice.

  Now look at the hijacking cases that were detected:

For a business with 15 million PV per day, there were a full 1 million hijack reports. Even excluding half as false positives, that still means close to one user in every 20 sees a hijack.

You can see just how black-hearted and bold the various small carriers (mobile ones especially) are!

  Hijacking methods observed:

  1. HTML returned directly with advertising in it;

  2. JS inserted into the original HTML, which then places the advertising script;

  3. The original, normal page shown inside an iframe.

  Screenshots of the various ugly cases were recorded (images not reproduced here).

Reposted from https://www.cnblogs.com/kenkofox/p/4919668.html

Origin blog.csdn.net/Jerome_s/article/details/105131553