CN112311724B - Method, device, medium and equipment for positioning HTTP hijacking - Google Patents


Info

Publication number
CN112311724B
Authority
CN
China
Prior art keywords
request
hijacked
hijacking
response data
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910683809.1A
Other languages
Chinese (zh)
Other versions
CN112311724A (en)
Inventor
林小波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guizhou Baishancloud Technology Co Ltd
Original Assignee
Guizhou Baishancloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guizhou Baishancloud Technology Co Ltd filed Critical Guizhou Baishancloud Technology Co Ltd
Priority to CN201910683809.1A priority Critical patent/CN112311724B/en
Publication of CN112311724A publication Critical patent/CN112311724A/en
Application granted granted Critical
Publication of CN112311724B publication Critical patent/CN112311724B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The present disclosure relates to a method, apparatus, medium, and device for locating HTTP hijacking. The method includes: receiving a probe task containing a target URL; sending a randomly constructed probe request to the target URL; receiving response data; judging, based on the response data, whether the probe request has been hijacked; and, if the probe request has been hijacked, detecting the position of the hijacking device. By randomly constructing probe requests and receiving and analyzing the response data, the method can quickly judge whether hijacking has occurred and can detect the hijacked position and the hijacking device in one step.

Description

Method, device, medium and equipment for positioning HTTP hijacking
Technical Field
The present disclosure relates to network security, and in particular, to a method, apparatus, medium, and device for locating HTTP hijacking.
Background
With the rapid development of the Internet, the World Wide Web delivers information over Internet access. The HyperText Transfer Protocol (HTTP) is the core transfer protocol for websites and the most popular access service, and it carries a huge volume of traffic. An HTTP transmission may pass through many network devices (such as routers, switches, and servers) before it reaches the client, and any of these devices may be hijacked. HTTP transmissions are therefore easy to hijack illegally, and hijackers cause immeasurable damage by modifying website content, adding illegal advertisements, and similar means.
In the related art, coping with HTTP hijacking has the following problems: it is hard to perceive, because the hijacked content may be hidden or may appear only occasionally; it is hard to locate, because the hijacking device may be any device on the transmission path and it is not known which device performs the hijacking and tampering; and locating takes too long, requiring lengthy investigation.
Disclosure of Invention
To overcome the problems in the related art, a method, apparatus, medium, and device for locating HTTP hijacking are provided herein.
According to a first aspect herein, there is provided a method of locating HTTP hijacking, comprising: receiving a probe task containing a target URL;
sending a randomly constructed probe request to the target URL;
receiving response data;
judging, based on the response data, whether the probe request has been hijacked;
if the probe request has been hijacked, detecting the position of the hijacking device.
Randomly constructing the probe request includes: randomly modifying the header information in the request, and using the request with the modified header information as the probe request.
The original data of the target URL is obtained before judging, based on the response data, whether the probe request has been hijacked;
judging, based on the response data, whether the probe request has been hijacked includes:
comparing the response data with the original data, and judging that the probe request has been hijacked if the response data has changed; or
sending the response data to a management server, where it is compared with the original data stored in the management server, and judging that the probe request has been hijacked if the response data has changed.
Comparing the response data with the original data comprises:
comparing the data packet sizes of the response data and the original data;
comparing the headers of the response data and the original data;
comparing the content of the response data and the original data.
If the probe request has been hijacked, detecting the position of the hijacking device comprises:
sending different probe requests to traverse the path and determine the maximum number of network devices that a probe data packet passes through on its way to the target URL;
based on the maximum number, sending a probe request identical to the hijacked probe request, and determining the position of the hijacking device by modifying the TTL.
According to another aspect herein, there is provided an apparatus for locating HTTP hijacking, including a task receiving module, for receiving a probe task containing a target URL;
a request sending module, for sending a randomly constructed probe request to the target URL;
a response receiving module, for receiving response data;
a judging module, for judging, based on the response data, whether the probe request has been hijacked;
and a detection module, for detecting the position of the hijacking device when the probe request is judged to have been hijacked.
Randomly constructing the probe request includes: randomly modifying the header information in the request, and using the request with the modified header information as the probe request.
The apparatus for locating HTTP hijacking further comprises an original data acquisition module, for obtaining the original data of the target URL before it is judged whether the probe request has been hijacked;
the judging module judging whether the probe request has been hijacked includes:
comparing the response data with the original data, and judging that the probe request has been hijacked if the response data has changed; or
sending the response data to a management server, where it is compared with the original data stored in the management server, and judging that the probe request has been hijacked if the response data has changed.
Comparing the response data with the original data comprises:
comparing the data packet sizes of the response data and the original data;
comparing the headers of the response data and the original data;
comparing the content of the response data and the original data.
The detection module detecting the position of the hijacking device comprises:
sending different probe requests to traverse the path and determine the maximum number of network devices that a probe data packet passes through on its way to the target URL;
based on the maximum number, sending a probe request identical to the hijacked probe request, and determining the position of the hijacking device by modifying the TTL.
According to another aspect herein, there is provided a computer-readable storage medium storing a computer program which, when executed, performs the steps of a method comprising:
receiving a probe task containing a target URL;
sending a randomly constructed probe request to the target URL;
receiving response data;
judging, based on the response data, whether the probe request has been hijacked;
if the probe request has been hijacked, detecting the position of the hijacking device.
According to another aspect herein, there is provided a computer device comprising a processor, a memory, and a computer program stored in the memory, the processor implementing the following steps of the method when executing the computer program:
receiving a probe task containing a target URL;
sending a randomly constructed probe request to the target URL;
receiving response data;
judging, based on the response data, whether the probe request has been hijacked;
if the probe request has been hijacked, detecting the position of the hijacking device.
With the method for locating HTTP hijacking described herein, multiple terminals distributed at different positions in the network randomly construct probe requests in order to hit hijacking rules, actively probe the target URL, collect the response data, and compare it with the original data. HTTP hijacking is found as soon as it occurs and the hijacking position is located, so that hijacking can be detected quickly and its position located quickly.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention as claimed.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, illustrate and explain the disclosure, and do not constitute a limitation on the disclosure. In the drawings:
Fig. 1 is a flow chart illustrating a method of locating HTTP hijacking, according to an exemplary embodiment.
Fig. 2 is a block diagram illustrating an apparatus for locating HTTP hijacking, according to an example embodiment.
Fig. 3 is a block diagram illustrating an apparatus for locating HTTP hijacking, according to an example embodiment.
Fig. 4 is a block diagram of a computer device, according to an example embodiment.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments herein more apparent, the technical solutions in the embodiments herein will be clearly and completely described below with reference to the accompanying drawings in the embodiments herein, and it is apparent that the described embodiments are some, but not all, embodiments herein. All other embodiments, based on the embodiments herein, which a person of ordinary skill in the art would obtain without undue burden, are within the scope of protection herein. It should be noted that, without conflict, the embodiments and features of the embodiments herein may be arbitrarily combined with each other.
The present disclosure provides a method for locating HTTP hijacking, applied to a terminal. Fig. 1 is a flowchart of the method. As shown in Fig. 1, the method for locating HTTP hijacking includes the following steps:
Step S11: receiving a probe task containing a target URL;
Step S12: sending a randomly constructed probe request to the target URL;
Step S13: receiving response data;
Step S14: judging, based on the response data, whether the probe request has been hijacked;
Step S15: if the probe request has been hijacked, detecting the position of the hijacking device.
The terminal may be an IDC operator's server or a network user's device. Terminals are distributed at multiple positions in the network, so that the target website is probed across the whole network.
In step S11, the probe task is issued by the management server and contains the target URL to be probed. The target URL may be chosen according to the website's access volume, because the greater the access volume, the more likely hijacking is to occur.
In step S12, randomly constructing the probe request includes: randomly modifying the header information in the request, and using the request with the modified header information as the probe request. A network hijacking device hijacks requests on the network according to hijacking rules that the hijacker sets in advance, and hijacking is triggered only when an access request matches those preset rules. For example, if the hijacking rules trigger only on access requests sent by the IE browser, an access request sent by the Google Chrome browser does not trigger hijacking. Therefore, to detect possible hijacking devices, the header information in the request is randomly modified when the probe request is sent, with the aim of hitting the hijacking rules and finding the hijacking device. For example, the User-Agent of the normal request, Mozilla/5.0 Chrome/74, is changed to Mozilla/5.0 Firefox/66; if the hijacking rule targets the Firefox browser, changing the browser name in the request lets the access request hit the hijacking rule and trigger the hijacking behavior.
Before step S14, in which it is judged based on the response data whether the probe request has been hijacked, the original data of the target URL is obtained. The original data serves as the reference data; it must be unique and trustworthy and must not be altered. To guarantee the accuracy of the original data, an encrypted transmission channel is first established and used for data transmission. The encrypted transmission channel uses the Transport Layer Security (TLS) protocol, but is not limited to TLS; various encrypted channels such as SSH can be used to prevent hijacking during transmission. The original, authentic final data is obtained over a dedicated line connection or from local data and then stored; the stored content comprises the RequestHeader, ResponseHeaders, and ResponseData of the HTTP protocol.
The original data may be stored in the management server, and may also be issued to the terminal together with the probe task. The probe task and the original data must likewise be issued over the encrypted transmission channel, to ensure that they are not hijacked or tampered with.
Judging, based on the response data, whether the probe request has been hijacked includes:
comparing the response data with the original data, and judging that the probe request has been hijacked if the response data has changed. If the original data is already stored in the terminal, the terminal can compare the response data with the original data directly. Alternatively, the response data is sent to the management server and compared with the original data stored there, and the probe request is judged to have been hijacked if the response data has changed. Some terminal users may not want to use their own storage space for the original data, or the original data may be lost through an accident during storage; in these cases the terminal can send the response data to the management server, and the management server makes the judgment.
Comparing the response data with the original data includes:
Comparing the data packet sizes of the response data and the original data. If the request is hijacked, the hijacker may change the response data, and once the response data is changed the data packet size is very likely to change too, so comparing packet sizes quickly reveals whether hijacking has occurred.
Comparing the headers of the response data and the original data. After a request with a given request header (RequestHeader) is sent to the target website, the website responds, and the response headers (ResponseHeaders) it returns are relatively fixed. Once the request is hijacked, the returned ResponseHeaders are likely to change, so comparing the returned response headers with the response headers stored in the original data quickly reveals whether hijacking has occurred. For example, assume that the Server field of the original header is "nginx" and the value of the Server field after hijacking is "Apache".
Comparing the content of the response data and the original data. When the request is hijacked, the hijacker may change the content of the response data; even if the data packet size of the response data has not changed, the content of the response headers (ResponseHeaders) can be further compared to judge whether the request has been hijacked. For example, after hijacking, key strings may be added to, modified in, or deleted from the original content; a piece of JS code may be added to the original content in order to control the client's behavior.
In step S15, if the probe request is judged to have been hijacked, detecting the position of the hijacking device includes:
Sending different probe requests to traverse the path and determine the maximum number of network devices that a probe data packet passes through on its way to the target URL. A request from the terminal to the website of the target URL passes through a number of routing devices along the way. The routers on the access path can be traversed with, for example, the traceroute command, which yields the list and number of Internet Protocol addresses (IP addresses) of the network devices that the request data packet passes through. Because the request data packet may be hijacked, different probe requests are sent during the traversal to determine, among the paths from the terminal to the target URL, the path with the most network devices, that is, the longest path of the routing graph, and so obtain the real routing graph. The routing graph may of course also be obtained by means other than traceroute.
Based on the maximum number, sending a probe request identical to the hijacked probe request, and determining the position of the hijacking device by modifying the TTL. After the maximum number of routing devices on the access path has been determined, the same probe request as the one that was hijacked is sent again; because that request was hijacked, it is known to hit the hijacking rule and will be hijacked again. Probing proceeds step by step by modifying the TTL, starting from TTL = n with n = 1 and executing n = n + 1 for each probe, until returned response data is received. The value of n at that moment shows that the hijacking device is the n-th device, which allows rapid investigation.
The method for locating HTTP hijacking further comprises: after the position of the hijacking device has been determined and the device has been repaired, sending a probe request to the same target URL. In some special cases, several devices on an access link may be hijacked at the same time. The hijacking device located by the above method is then the network device closest to the client, and after that device is repaired the whole link needs to be probed further: for example, the same probe request is sent first, followed by different randomly constructed probe requests, and if hijacking is detected again the investigation continues until all devices on the link have been checked.
For a better understanding of the method herein, an example follows:
To ensure network data security, the management server formulates a probe task for the current network situation; for example, the probe task includes probing the website example.com. The management server sends the probe task to different terminals, which execute it.
Taking one terminal as an example: after receiving the probe task, the terminal initiates a request to the example.com website and constructs a probe request whose RequestHeader comprises "GET / HTTP/1.1", "Host: example.com", and "User-Agent: Mozilla/5.0 Chrome/74".
When the management server issues the probe task it also issues the correct original data. From the original data it is known that the normal response to the request initiated by the terminal has the ResponseHeaders "HTTP/1.1 OK" and "Server: nginx", and that the normal response content is "<html>hello world</html>".
If the HTTP request is hijacked, the ResponseHeaders of the response may be "HTTP/1.0 200 OK" and "Server: apache", and the response content may be "<html>hello world<script type="text/javascript" src="http://hacker.com/hit.js"></script></html>". Comparing this data with the original data shows that, in the ResponseHeaders returned by the hijacking device, the HTTP protocol version has changed from HTTP/1.1 to HTTP/1.0 and the Server has changed from nginx to Apache; that a dangerous JS file, "http://hacker.com/hit.js", has been added to the response content; and that the size of the response data packet has changed as well. The access can therefore be judged to have been hijacked.
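The three-way comparison described above (packet size, headers, content), written out as an added Python example that is not code from the patent. The function names, the list of volatile headers to ignore, and the sample responses (modeled on the example.com case above) are assumptions made for illustration; the size check is applied to the response body.

```python
import hashlib
import re

# Headers that legitimately differ between two genuine responses.
# Assumed list: tune it per site so that it does not mask real tampering.
VOLATILE_HEADERS = {"date", "age", "set-cookie", "expires"}

# Matches the src attribute of a <script> tag in a response body.
SCRIPT_SRC = re.compile(rb"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers, body


def compare_with_baseline(baseline: bytes, observed: bytes):
    """Return a list of findings; an empty list means no change was detected."""
    findings = []
    b_status, b_hdrs, b_body = parse_response(baseline)
    o_status, o_hdrs, o_body = parse_response(observed)

    # 1. Size: cheapest check, catches most injected content.
    if len(b_body) != len(o_body):
        findings.append(f"size: body {len(b_body)} -> {len(o_body)} bytes")

    # 2. Headers: status line plus every non-volatile header field.
    if b_status != o_status:
        findings.append(f"status-line: {b_status!r} -> {o_status!r}")
    for name in sorted((set(b_hdrs) | set(o_hdrs)) - VOLATILE_HEADERS):
        if b_hdrs.get(name) != o_hdrs.get(name):
            findings.append(
                f"header {name}: {b_hdrs.get(name)!r} -> {o_hdrs.get(name)!r}")

    # 3. Content: needed when the tampered body keeps the original length.
    if hashlib.sha256(b_body).digest() != hashlib.sha256(o_body).digest():
        findings.append("content: body digest differs")
        added = set(SCRIPT_SRC.findall(o_body)) - set(SCRIPT_SRC.findall(b_body))
        for src in sorted(added):
            findings.append(
                f"content: new script source {src.decode('ascii', 'replace')}")
    return findings


# Constructed sample data, modeled on the example in the text.
BASELINE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
            b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n\r\n"
            b"<html>hello world</html>")
CLEAN_LATER = BASELINE.replace(b"00:00:00", b"00:00:05")   # only Date differs
SAME_SIZE = BASELINE.replace(b"world", b"w0rld")            # same length body
HIJACKED = (b"HTTP/1.0 200 OK\r\nServer: Apache\r\n"
            b"Date: Mon, 01 Jan 2024 00:00:05 GMT\r\n\r\n"
            b'<html>hello world<script type="text/javascript" '
            b'src="http://hacker.com/hit.js"></script></html>')

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_LATER), ("same-size", SAME_SIZE),
                          ("hijacked", HIJACKED)):
        print(label, compare_with_baseline(BASELINE, sample))
```

The baseline must reach the comparer over the encrypted channel described earlier; a baseline fetched over the same plain-HTTP path can itself be tampered with.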
Different request packets can then be sent to the example.com website to traverse the path and find the maximum number of network devices that a probe packet passes through on its way to example.com. For example, the maximum number is 13, meaning that under normal conditions a packet from the terminal to the target website example.com passes through 13 devices. The probe packet whose RequestHeader contains "GET / HTTP/1.1", "Host: example.com", and "User-Agent: Mozilla/5.0 Chrome/74" is then resent; because it hits the hijacking rule, it is hijacked again when resent.
The traceroute command can be used: by modifying the TTL, probing starts from TTL = n with n = 1 and executes n = n + 1 for each probe, to determine which device returns the erroneous response, so that the hijacked position is located quickly.
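The TTL walk described above, as an added Python example that is not code from the patent. It assumes IPv4 and a TCP connection established with the default TTL before the request segment is sent with a reduced TTL; send_with_ttl, locate_hijacker, simulated_path and differs_from are hypothetical names, and the 13-hop path with a tampering device at hop 5 is constructed so the example runs offline.

```python
import socket


def send_with_ttl(host, port, request, ttl, timeout=3.0):
    """Send `request` with the IP TTL of the data segment set to `ttl`.

    The TCP handshake uses the default TTL, so the connection is set up end
    to end; only the segment carrying the HTTP request expires after `ttl`
    hops. Returns the bytes that came back, or None if nothing answered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        try:
            s.sendall(request)
            data = s.recv(65535)
        except OSError:          # timeout or ICMP-induced error: no answer
            return None
        return data or None


def locate_hijacker(probe, max_hops, is_tampered, attempts=1):
    """Walk TTL = 1..max_hops and return the hop where tampering first shows.

    probe(ttl) returns response bytes or None. Returns None when the first
    answer is genuine (the hijack did not reproduce) or nothing answered
    within max_hops.
    """
    for ttl in range(1, max_hops + 1):
        for _ in range(attempts):
            response = probe(ttl)
            if response is None:
                continue         # request expired before any device answered
            if is_tampered(response):
                return ttl       # n-th device on the path answered for origin
            return None          # the origin itself answered first
    return None


def differs_from(baseline):
    """Simplest possible tamper check: any difference from the baseline."""
    return lambda response: response != baseline


def simulated_path(origin_hop, hijack_hop=None,
                   genuine=b"GENUINE", injected=b"INJECTED"):
    """Constructed stand-in for the network: returns a probe(ttl) callable."""
    def probe(ttl):
        if hijack_hop is not None and ttl >= hijack_hop:
            return injected      # request reached the tampering device
        if ttl >= origin_hop:
            return genuine       # request reached the real server
        return None              # request expired in transit
    return probe


if __name__ == "__main__":
    # Offline demonstration on the constructed path.
    path = simulated_path(origin_hop=13, hijack_hop=5)
    print("hijacking device at hop:",
          locate_hijacker(path, 13, differs_from(b"GENUINE")))
    # Against a real target, pass a probe built on send_with_ttl, e.g.
    # lambda ttl: send_with_ttl(host, 80, request_bytes, ttl)
```

The walk is only meaningful while the route stays stable between probes, which is why the maximum hop count is established first.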
Fig. 2 is a block diagram illustrating an apparatus for locating HTTP hijacking, according to an exemplary embodiment, as shown in fig. 2, the apparatus for locating HTTP hijacking includes: the task receiving module 201, the request sending module 202, the response receiving module 203, the judging module 204 and the detecting module 205.
The task receiving module 201 is configured to receive a probe task including a target URL;
the request sending module 202 is configured to send a randomly constructed probe request to the target URL;
the response receiving module 203 is configured to receive response data;
the judging module 204 is configured to judge whether the probe request is hijacked based on the response data;
the detection module 205 is configured to detect hijacking device locations when it is determined that the detection request is hijacked.
Randomly constructing the probe request by the request sending module 202 includes: randomly modifying the header information in the request, and using the request with the modified header information as the probe request.
Fig. 3 is a block diagram illustrating an apparatus for locating HTTP hijacking, according to an exemplary embodiment. As shown in Fig. 3, the apparatus for locating HTTP hijacking includes: the original data obtaining module 301, configured to obtain the original data of the target URL before it is judged whether the probe request has been hijacked;
the judging module 204 judging whether the probe request has been hijacked includes:
comparing the response data with the original data, and judging that the probe request has been hijacked if the response data has changed; or
sending the response data to the management server, where it is compared with the original data stored in the management server, and judging that the probe request has been hijacked if the response data has changed.
Comparing the response data with the original data includes:
comparing the data packet sizes of the response data and the original data;
comparing the headers of the response data and the original data;
comparing the content of the response data and the original data.
The detection module detecting the position of the hijacking device comprises:
sending different probe requests to traverse the path and determine the maximum number of network devices that a probe data packet passes through on its way to the target URL;
based on the maximum number, sending a probe request identical to the hijacked probe request, and determining the position of the hijacking device by modifying the TTL.
After the position of the hijacking device has been determined and the device has been repaired, the request sending module sends a probe request to the same target URL.
Fig. 4 is a block diagram of a computer device 400 for the method of locating HTTP hijacking, according to an example embodiment. For example, computer device 400 may be provided as a server. Referring to Fig. 4, computer device 400 includes a processor 401; the number of processors may be set to one or more as needed. Computer device 400 also includes a memory 402 for storing instructions, such as application programs, that are executable by processor 401. The number of memories may be set to one or more as needed, and the memory may store one or more applications. The processor 401 is configured to execute the instructions to perform the above-described method.
It will be apparent to one of ordinary skill in the art that embodiments herein may be provided as a method, apparatus (device), or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, including, but not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
The description herein is with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments herein. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that an article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of additional identical elements in an article or apparatus that comprises the element.
While preferred embodiments herein have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all alterations and modifications as fall within the scope herein.
It will be apparent to those skilled in the art that various modifications and variations can be made herein without departing from the spirit and scope of the disclosure. Thus, given that such modifications and variations herein fall within the scope of the claims herein and their equivalents, such modifications and variations are intended to be included herein.

Claims (8)

1. The method for positioning HTTP hijacking is characterized by being applied to a terminal and comprising the following steps:
receiving a detection task containing a target URL;
transmitting a randomly constructed probe request to the target URL, wherein randomly constructing the probe request comprises: randomly modifying the headers information in the request and taking the request with the modified headers information as the detection request, so that the detection request hits hijacking rules and triggers hijacking behavior;
receiving response data;
judging whether the detection request is hijacked or not based on the response data;
if the detection request is hijacked, detecting the position of hijacked equipment;
the original data of the target URL is obtained before judging whether the detection request is hijacked or not based on the response data;
the determining whether the probe request is hijacked based on the response data includes:
comparing the response data with the original data, and judging that the detection request is hijacked if the response data is changed;
if the detection request is hijacked, detecting the hijacking equipment position comprises:
sending different probe requests to determine, by traversal, the maximum number of network devices that a probe data packet passes through on the way to the target URL;
based on the maximum number, sending the same probe request as the hijacked probe request, and determining the position of the hijacking equipment by modifying the TTL.
2. The method of locating HTTP hijacking of claim 1, wherein the comparing the response data with the original data comprises:
comparing the data packet sizes of the response data and the original data;
comparing the headers of the response data with the headers of the original data;
and comparing the content of the response data with the content of the original data.
3. The method of locating HTTP hijacking of claim 1, further comprising: after the position of the hijacking equipment is determined and the hijacking equipment is repaired, sending a detection request to the same target URL.
4. An apparatus for locating HTTP hijacking, applied to a terminal, includes:
a task receiving module: for receiving a probe task containing a target URL;
a request sending module: for sending a randomly constructed probe request to the target URL, wherein randomly constructing the probe request comprises: randomly modifying the headers information in the request and taking the request with the modified headers information as the detection request, so that the detection request hits hijacking rules and triggers hijacking behavior;
a response receiving module: for receiving response data;
a judging module: for judging whether the detection request is hijacked based on the response data;
a detection module: for detecting the position of the hijacking equipment when the detection request is judged to be hijacked;
an original data acquisition module: for acquiring the original data of the target URL before judging whether the detection request is hijacked;
the judging module judging whether the probe request is hijacked includes:
comparing the response data with the original data, and judging that the detection request is hijacked if the response data is changed;
the detecting module detecting the hijacking equipment position comprises:
sending different probe requests to determine, by traversal, the maximum number of network devices that a probe data packet passes through on the way to the target URL;
based on the maximum number, sending the same probe request as the hijacked probe request, and determining the position of the hijacking equipment by modifying the TTL.
5. The apparatus for locating HTTP hijacking of claim 4, wherein said comparing the response data with the original data comprises:
comparing the data packet sizes of the response data and the original data;
comparing the headers of the response data with the headers of the original data;
and comparing the content of the response data with the content of the original data.
6. The apparatus for locating HTTP hijacking of claim 4, wherein, after the position of the hijacking equipment is determined and the hijacking equipment is repaired, the request sending module sends a detection request to the same target URL.
7. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed, implements the steps of the method according to any of claims 1-3.
8. A computer device comprising a processor, a memory and a computer program stored on the memory, characterized in that the processor implements the steps of the method according to any of claims 1-3 when the computer program is executed.
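The three comparisons of claim 2 and the TTL step of claim 1, as an added example that is not part of the patent text. All function names are hypothetical; ignoring the volatile Date and Age headers and reading the smallest TTL that yields a changed response as the hijacking hop are assumptions of this sketch, and the network path is simulated with constructed data instead of real sockets.

```python
import hashlib
import random

def build_probe_headers(rng):
    """Randomly vary header values for each probe (claim 1, probe construction)."""
    return {
        "User-Agent": rng.choice(["Mozilla/5.0 (constructed-A)", "Mozilla/5.0 (constructed-B)"]),
        "Referer": "http://example.test/%08x" % rng.getrandbits(32),
        "Accept-Language": rng.choice(["zh-CN", "en-US"]),
    }

def _stable(headers, ignore=("date", "age")):
    # Assumption: headers that change on every request are not evidence of tampering.
    return {k.lower(): v for k, v in headers.items() if k.lower() not in ignore}

def diff_response(original, response):
    """Return which claim-2 comparisons differ: size, headers, content."""
    reasons = []
    if len(original["body"]) != len(response["body"]):
        reasons.append("size")
    if _stable(original["headers"]) != _stable(response["headers"]):
        reasons.append("headers")
    if hashlib.sha256(original["body"]).digest() != hashlib.sha256(response["body"]).digest():
        reasons.append("content")
    return reasons

def locate_hijacker(original, max_hops, send_with_ttl):
    """Resend the same probe with TTL 1..max_hops; the smallest TTL that
    returns a changed response is taken as the hop of the tampering device."""
    for ttl in range(1, max_hops + 1):
        response = send_with_ttl(ttl)   # None: packet expired, no HTTP reply
        if response is not None and diff_response(original, response):
            return ttl
    return None

# Constructed sample data: 6-hop path with an injecting device at hop 3.
ORIGINAL = {"headers": {"Content-Type": "text/html", "Date": "t0"},
            "body": b"<html><body>hello</body></html>"}
TAMPERED = {"headers": {"Content-Type": "text/html", "Date": "t1"},
            "body": b"<html><body>hello<script src=//ads.invalid/x.js></script></body></html>"}
MAX_HOPS, HIJACK_HOP = 6, 3

def simulated_send(ttl):
    """Hijacked path: the injector answers as soon as the probe reaches it."""
    return TAMPERED if ttl >= HIJACK_HOP else None

def clean_send(ttl):
    """Clean path: only a probe that reaches the origin gets the original page."""
    return dict(ORIGINAL, headers={"Content-Type": "text/html", "Date": "t2"}) if ttl >= MAX_HOPS else None
```

On a real host the `send_with_ttl` callback would set `IP_TTL` on the probe socket before sending; the hop address itself would come from the ICMP time-exceeded reply at the TTL just below the returned value.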
CN201910683809.1A 2019-07-26 2019-07-26 Method, device, medium and equipment for positioning HTTP hijacking Active CN112311724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910683809.1A CN112311724B (en) 2019-07-26 2019-07-26 Method, device, medium and equipment for positioning HTTP hijacking

Publications (2)

Publication Number Publication Date
CN112311724A CN112311724A (en) 2021-02-02
CN112311724B true CN112311724B (en) 2023-06-20

Family

ID=74328868

Country Status (1)

Country Link
CN (1) CN112311724B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210234832A1 (en) * 2014-05-12 2021-07-29 Tocmail Inc Computer Security System and Method Based on User-Intended Final Destination
CN113923040B (en) * 2021-10-21 2024-03-01 中国电信股份有限公司 Flow hijacking point detection method and device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107317818A (en) * 2017-07-11 2017-11-03 浙江远望信息股份有限公司 It is a kind of that detection method is once joined based on the DNS networks for kidnapping technology
CN108282451A (en) * 2017-01-20 2018-07-13 广州市动景计算机科技有限公司 Hijacking data judgment method, device and user terminal
CN109246139A (en) * 2018-10-25 2019-01-18 北京城市网邻信息技术有限公司 A kind of monitoring method, device, electronic equipment and storage medium that website is kidnapped

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102594934B (en) * 2011-12-30 2015-03-25 奇智软件(北京)有限公司 Method and device for identifying hijacked website
US9444675B2 (en) * 2013-06-07 2016-09-13 Cisco Technology, Inc. Determining the operations performed along a service path/service chain
CN103647783A (en) * 2013-12-23 2014-03-19 上海交通大学无锡研究院 Active detection based network intermediary attack positioning method
CN104486140B (en) * 2014-11-28 2017-12-19 华北电力大学 It is a kind of to detect device and its detection method that webpage is held as a hostage
CN104954386B (en) * 2015-06-30 2018-10-02 百度在线网络技术(北京)有限公司 A kind of network anti-hijacking method and device
CN106603464A (en) * 2015-10-14 2017-04-26 北京国双科技有限公司 Network detection method, system and device
CN109474587A (en) * 2018-11-01 2019-03-15 北京亚鸿世纪科技发展有限公司 The method that HTTP based on letter peace system kidnaps monitoring analysis and positioning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant