Abstract
Injection based on the HTTP protocol is a new and highly damaging attack technique. Users can be attacked while browsing the web without being aware of it, and even after they leave the external network and browse from their own trusted home network, they remain exposed to persistent attacks of this kind. Building on an in-depth study of HTTP protocol analysis, this paper uses the NodeJS and PhantomJS platforms to implement and validate a selective data injection method that achieves a persistent threat through HTTP data injection; the test results are in line with expectations. Finally, important protection approaches are proposed from three aspects: website content information security, wireless router security, and user browser tool security.
Source
Communications Technology (《通信技术》)
2017, Issue 7, pp. 1540-1545 (6 pages)