安全网关前端JS防御机制深度分析<\/h1>

〇、前言<\/h2>
xxx安全网关是一款用于前端防御自动化工具的安全系统，其核心工作机制如下：<\/p>
核心代码由服务器下发给客户端执行<\/li>
通过cookie将执行结果带回服务器<\/li>
根据JS获取的前端数据分析判断用户是否异常<\/li>
完成安全检测流程<\/li> <\/ul>
一、代码入口分析<\/h2>

1.1 核心参数<\/h3>
JS计算结果通过以下三个cookie参数名传递给服务器：<\/p>
8PHkpr8y<\/code> - 工具特征<\/li>
JF7cGtR5<\/code> - 浏览器指纹<\/li>
SflKxwRJ<\/code> - 令牌(token)<\/li>
<\/ul>
1.2 代码结构<\/h3>
核心逻辑位于ng_dynamic_defend<\/code>文件的尾部几行，代码以明文形式存储，未经过混淆或加密。<\/p>
二、配置读取机制<\/h2>
2.1 配置获取流程<\/h3>
window.config<\/span> =<\/span> 'eyJmaW5nZXIiOnsibmFtZSI6IkpGN2NHdFI1In0sImJvdCI6eyJlbmFibGVkIjp0cnVlLCJuYW1lIjoiOFBIa3ByOHkifSwic3VibWl0Ijp7ImVuYWJsZWQiOnRydWUsIm5hbWUiOiJVVmpES082biIsInVybCI6IiJ9LCJ0b2tlbiI6eyJlbmFibGVkIjp0cnVlLCJuYW1lIjoiU2ZsS3h3UkoiLCJ1cmwiOiJqc190ZXN0LmNvbTsiLCJpc19jaGVja191cmkiOnRydWUsImlzX2NoZWNrX2dldCI6dHJ1ZX0sImNvbnRlbnQiOnsiZW5hYmxlZCI6ZmFsc2UsIm5hbWUiOiJTZmxLeHdSSiIsImNvbmZ1c2VfdHlwZSI6IjAifSwic2NyaXB0Ijp7ImlzX2FudGlfZGVidWciOmZhbHNlfX0='<\/span>;
<\/span><\/span>
<\/span><\/span>!<\/span>function<\/span>(global<\/span>) {
<\/span><\/span>    function<\/span> _base64_parse<\/span>(e<\/span>) {
<\/span><\/span>        return<\/span> CryptoJS<\/span>.enc<\/span>.Base64<\/span>.parse<\/span>(e<\/span>).toString<\/span>(CryptoJS<\/span>.enc<\/span>.Utf8<\/span>)
<\/span><\/span>    }
<\/span><\/span>    function<\/span> get_global<\/span>() {
<\/span><\/span>        var<\/span> e<\/span> =<\/span> _base64_parse<\/span>(global<\/span>.config<\/span>),
<\/span><\/span>            t<\/span> =<\/span> JSON<\/span>.parse<\/span>(e<\/span>);
<\/span><\/span>        _global_config<\/span> =<\/span> global<\/span>.nY1vq7Gi<\/span> =<\/span> t<\/span>
<\/span><\/span>    }
<\/span><\/span>}(window);
<\/span><\/span><\/code><\/pre>2.2 配置内容解析<\/h3>
解码后的配置JSON：<\/p>
{
<\/span><\/span>    "finger"<\/span>: {
<\/span><\/span>        "name"<\/span>: "JF7cGtR5"<\/span>
<\/span><\/span>    },
<\/span><\/span>    "bot"<\/span>: {
<\/span><\/span>        "enabled"<\/span>: true<\/span>,
<\/span><\/span>        "name"<\/span>: "8PHkpr8y"<\/span>
<\/span><\/span>    },
<\/span><\/span>    "submit"<\/span>: {
<\/span><\/span>        "enabled"<\/span>: true<\/span>,
<\/span><\/span>        "name"<\/span>: "UVjDKO6n"<\/span>,
<\/span><\/span>        "url"<\/span>: ""<\/span>
<\/span><\/span>    },
<\/span><\/span>    "token"<\/span>: {
<\/span><\/span>        "enabled"<\/span>: true<\/span>,
<\/span><\/span>        "name"<\/span>: "SflKxwRJ"<\/span>,
<\/span><\/span>        "url"<\/span>: "js_test.com;"<\/span>,
<\/span><\/span>        "is_check_uri"<\/span>: true<\/span>,
<\/span><\/span>        "is_check_get"<\/span>: true<\/span>
<\/span><\/span>    },
<\/span><\/span>    "content"<\/span>: {
<\/span><\/span>        "enabled"<\/span>: false<\/span>,
<\/span><\/span>        "name"<\/span>: "SflKxwRJ"<\/span>,
<\/span><\/span>        "confuse_type"<\/span>: "0"<\/span>
<\/span><\/span>    },
<\/span><\/span>    "script"<\/span>: {
<\/span><\/span>        "is_anti_debug"<\/span>: false<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>三、数据采集机制<\/h2>
3.1 工具特征检测(get_tool_feature)<\/h3>
检测自动化工具特征：<\/p>

get_webdriver()<\/code> - 检测window.navigator.webdriver<\/code><\/li>
get_phantomjs()<\/code> - 通过window.navigator.userAgent<\/code>检测PhantomJS<\/li>
get_bot()<\/code> - 检测以下关键字：
__webdriver_evaluate, __selenium_evaluate, __webdriver_script_function, 
__webdriver_script_func, __webdriver_script_fn, __fxdriver_evaluate, 
__driver_unwrapped, __webdriver_unwrapped, __driver_evaluate, 
__selenium_unwrapped, __fxdriver_unwrapped, _phantom, __nightmare, 
_selenium, callPhantom, callSelenium, _Selenium_IDE_Recorder
<\/code><\/pre>
<\/li>
get_navigator_for_tool()<\/code> - 检测window.navigator.languages<\/code><\/li>
get_canvas_for_tool()<\/code> - 检测window.document.createElement('canvas').getContext<\/code><\/li>
get_storage_for_tool()<\/code> - 检测window.localStorage<\/code>和window.sessionStorage<\/code><\/li>
get_consol()<\/code> - 检测window.console.log(1)<\/code><\/li>
get_awvs()<\/code> - 检测AWVS扫描器特征：
SimpleDOMXSSClass, MarvinHooks, MarvinPageExplorer, HashDOMXSSClass
<\/code><\/pre>
<\/li>
get_appscan()<\/code> - 检测AppScan扫描器特征：
appScanSendReplacement, appScanOnReadyStateChangeReplacement, 
appScanLoadHandler, appScanSetPageLoaded
<\/code><\/pre>
<\/li>
<\/ul>
3.2 浏览器特征检测(get_browser_feature)<\/h3>
检测浏览器环境特征：<\/p>

get_indexedDB()<\/code> - window.indexedDB<\/code><\/li>
get_openDatabase()<\/code> - window.openDatabase<\/code><\/li>
get_localStorage()<\/code> - window.localStorage<\/code><\/li>
get_sessionStorage()<\/code> - window.sessionStorage<\/code><\/li>
get_audio()<\/code> - window.AudioContext.destination<\/code><\/li>
get_file()<\/code> - 检测File<\/code>对象类型<\/li>
isCanvasSupported()<\/code> - 检测Canvas支持<\/li>
isWebGlSupported()<\/code> - 检测WebGL支持<\/li>
get_plugins()<\/code> - window.navigator.plugins<\/code><\/li>
get_languages()<\/code> - window.navigator.languages<\/code><\/li>
get_platform()<\/code> - window.navigator.platform<\/code><\/li>
get_cpuClass()<\/code> - _navigator.cpuClass<\/code><\/li>
get_hardwareConcurrency()<\/code> - _navigator.hardwareConcurrency<\/code><\/li>
get_namespaces()<\/code> - window.document.namespaces<\/code><\/li>
get_documentMode()<\/code> - window.document.documentMode<\/code><\/li>
get_ActivexObject()<\/code> - window.document.ActivexObject<\/code><\/li>
get_StyleMedia()<\/code> - window.StyleMedia<\/code><\/li>
get_opera()<\/code> - window.opera<\/code><\/li>
get_firefox()<\/code> - 检测Firefox<\/li>
get_chrome()<\/code> - 检测Chrome<\/li>
get_safari()<\/code> - 检测Safari<\/li>
<\/ul>
3.3 浏览器指纹采集(get_fingerprint)<\/h3>
采集浏览器指纹信息：<\/p>

get_indexedDB()<\/code><\/li>
get_openDatabase()<\/code><\/li>
get_localStorage()<\/code><\/li>
get_sessionStorage()<\/code><\/li>
get_audio()<\/code><\/li>
get_file()<\/code><\/li>
get_canvas()<\/code> - Canvas指纹<\/li>
get_webgl()<\/code> - WebGL指纹<\/li>
get_webgl_render()<\/code><\/li>
get_plugins()<\/code><\/li>
get_language()<\/code> - 浏览器语言<\/li>
get_languages()<\/code><\/li>
get_platform()<\/code><\/li>
get_cpuClass()<\/code><\/li>
get_hardwareConcurrency()<\/code><\/li>
get_timezone_offset()<\/code> - 时区偏移<\/li>
get_timezone()<\/code> - 时区信息<\/li>
get_screen_ratio()<\/code> - 屏幕比例<\/li>
get_screen_resolution()<\/code> - 屏幕分辨率<\/li>
get_touch_support()<\/code> - 触摸支持<\/li>
get_media_devices()<\/code> - 媒体设备<\/li>
get_battery()<\/code> - 电池信息<\/li>
get_adBlock()<\/code> - 广告拦截检测<\/li>
get_userAgent()<\/code> - 用户代理<\/li>
<\/ul>
3.4 数据处理与存储<\/h3>
采集的数据经过处理后存入cookie：<\/p>

set_bot_cookie()<\/code> - 将工具特征(tool_feature<\/code>)加密后存入cookie 8PHkpr8y<\/code><\/li>
set_fingerprint()<\/code> - 将浏览器指纹(fingerprint<\/code>)加密后存入cookie JF7cGtR5<\/code><\/li>
<\/ul>
四、事件监听机制<\/h2>
4.1 链接(a标签)监听<\/h3>

设置EventListenerEx()<\/code>监听<\/li>
页面加载完成时触发load_func()<\/code>，对当前cookie执行base64编码操作，并设置参数名为KBwtGA<\/code><\/li>
<\/ul>
function<\/span> confuse_cookie<\/span>() {
<\/span><\/span>    var<\/span> e<\/span>;
<\/span><\/span>    _document<\/span>.cookie<\/span> &&<\/span> 0<\/span> !=<\/span> _global_config<\/span>.content<\/span>.enabled<\/span> &&<\/span> 
<\/span><\/span>    '1'<\/span> ==<\/span> _global_config<\/span>.content<\/span>.confuse_type<\/span> &&<\/span> 
<\/span><\/span>    (e<\/span> =<\/span> _document<\/span>.cookie<\/span>, clearAllCookie<\/span>(), 
<\/span><\/span>    CookieUtil<\/span>.set<\/span>('KBwtGA'<\/span>, btoa<\/span>(e<\/span>)))
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
点击事件触发a_click_handler()<\/code>，对请求地址添加令牌(token)，参数名为SflKxwRJ<\/code><\/li>
replace_url()<\/code>调用get_token()<\/code>生成加密token<\/li>
<\/ul>
4.2 表单(form)监听<\/h3>

设置EventListenerEx()<\/code>监听<\/li>
表单事件触发form_hook()<\/code>

调用get_submit()<\/code>对表单数据加密，参数名为UVjDKO6n<\/code><\/li>
调用get_token()<\/code>生成加密token，参数名为SflKxwRJ<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
4.3 AJAX请求监听<\/h3>

AJAX事件触发ajax_hook()<\/code>

GET请求：调用get_body_for_get()<\/code>对args数据使用get_token()<\/code>加密<\/li>
POST请求：

调用get_body_for_post()<\/code>对请求体使用get_submit()<\/code>加密<\/li>
对URL使用replace_url()<\/code>调用get_token()<\/code>生成加密token<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ul>
五、加密机制分析<\/h2>
5.1 数据加密流程<\/h3>

采集window\/navigator的特征值<\/li>
按位计算形成整数<\/li>
使用RC4算法加密

指纹特征存入cookie JF7cGtR5<\/code><\/li>
工具特征存入cookie 8PHkpr8y<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
5.2 请求加密流程<\/h3>

监听a标签、form表单、ajax请求<\/li>
触发时：

对数据内容调用get_submit()<\/code>使用RC4算法加密<\/li>
对URL调用get_token()<\/code>使用RC4算法计算token令牌<\/li>
<\/ul>
<\/li>
<\/ol>
六、防御绕过思路<\/h2>
6.1 检测点规避<\/h3>


WebDriver检测<\/strong>：<\/p>

修改navigator.webdriver<\/code>属性<\/li>
避免使用明显的自动化工具特征<\/li>
<\/ul>
<\/li>

指纹一致性<\/strong>：<\/p>

保持指纹特征的一致性<\/li>
避免异常的设备参数<\/li>
<\/ul>
<\/li>

行为模拟<\/strong>：<\/p>

添加合理的操作间隔<\/li>
模拟人类操作模式<\/li>
<\/ul>
<\/li>
<\/ol>
6.2 加密处理<\/h3>


Cookie处理<\/strong>：<\/p>

正确处理8PHkpr8y<\/code>、JF7cGtR5<\/code>、SflKxwRJ<\/code>三个关键cookie<\/li>
确保加密参数符合预期<\/li>
<\/ul>
<\/li>

请求处理<\/strong>：<\/p>

对表单和AJAX请求进行适当的加密<\/li>
确保token参数正确附加<\/li>
<\/ul>
<\/li>
<\/ol>
七、总结<\/h2>
该安全网关的前端防御机制主要特点：<\/p>

通过多维度特征采集构建浏览器指纹<\/li>
使用RC4算法对关键数据进行加密<\/li>
通过事件监听确保交互行为的安全性<\/li>
关键检测点集中在自动化工具特征识别<\/li>
采用cookie作为数据传输载体<\/li>
<\/ol>
防御核心在于特征采集的全面性和加密机制的可靠性，对抗此类防御需要深入理解其检测逻辑和加密流程。<\/p>
安全网关前端JS防御机制深度分析<\/h1>

一、代码入口分析<\/h2>

1.2 代码结构<\/h3> 核心逻辑位于ng_dynamic_defend<\/code>文件的尾部几行，代码以明文形式存储，未经过混淆或加密。<\/p>

三、数据采集机制<\/h2>

四、事件监听机制<\/h2>

五、加密机制分析<\/h2>

六、防御绕过思路<\/h2>

1.2 代码结构<\/h3>
核心逻辑位于`ng_dynamic_defend<\/code>文件的尾部几行，代码以明文形式存储，未经过混淆或加密。<\/p>`
