绕过XSS过滤对自动化暗链检测的启发

前言

本文专注于研究跳转型暗链的绕过技术，从XSS过滤绕过的角度为暗链检测提供新的思路。暗链是指黑客在合法网站上植入的隐蔽链接，通常用于非法SEO、流量劫持等目的。

跳转型暗链的常见模式

模式一：基于Referer的差异化跳转

黑客利用JavaScript的document.referrer字段检测用户来源，实现针对不同来源的差异化跳转：

<script>
if(document.referrer.indexOf("baidu.com")>0){
    location.href="http://evil.com";
}
</script>

特点：

• 仅当用户来自特定搜索引擎(如百度)时才跳转
• 直接访问网站不会触发跳转
• 难以通过常规访问方式检测

模式二：诱骗性标题修改

黑客修改网页title以吸引特定搜索关键词的用户：

<title>赌博|色情|非法内容关键词</title>

特点：

• 针对特定搜索关键词优化
• 提高非法网站在搜索引擎中的可见度

高级绕过技术

1. Unicode编码绕过

十进制Unicode编码title

<title>&#x8FD9;&#x662F;&#x4E00;&#x884C;&#x6F14;&#x793A;&#x4EE3;&#x7801;</title>

特点：

• 渲染后显示正常文字
• 原始代码中使用Unicode编码规避关键词检测
• 可用于隐藏非法关键词

JavaScript代码Unicode编码

<script type="text/javascript">
window["open"]("\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d")
</script>

特点：

• 使用十六进制编码URL和函数名
• 绕过基于字符串匹配的检测
• 可动态解码执行

2. JavaScript混淆技术

eval混淆

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1["0"]("\9\e\e\d\4\3\3\g\g\g\2\6\5\a\8\f\2\7\c\b")',62,17,'open|window|x2e|x2f|x3a|x61|x62|x63|x64|x68|x69|x6d|x6f|x70|x74|x75|x77'.split('|'),0,{}))

特点：

• 使用复杂的编码和动态生成技术
• 静态分析难以理解实际功能
• 需要运行时环境才能还原真实意图

3. JSFuck极端混淆

使用仅6个字符([]()!+)编写完整JavaScript代码：

[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]][([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+([][[]]+[])[+!+[]]+([!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[[+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(+(+!+[]+[+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+([!+[]+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(+[[+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+!+[]]+([]+[])[([+[]]+(!![]+[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(!![]+[])[+!+[]]]((+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]+[])[+!+[]]+(+[[+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+!+[]]]+([][[]]+[])[+!+[]]+([]+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]][([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[[+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(+(+!+[]+[+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+([!+[]+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(+[[+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+!+[]]+([]+[])[([+[]]+(!![]+[][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(!![]+[])[+!+[]]]((+[])[([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][([+[]]+([+!+[]]+([[+!+[]+[+[]]]+([!+[]+!+[]]]+[])[+!+[]]+(!![]+[])[+!+[]]]+[])[+!+[]]+(+[[+[]]+([+!+[]]+([[+!+�

特点：

• 仅使用6个字符编写完整JavaScript
• 静态分析几乎不可能理解
• 需要实际执行才能确定行为
• 极端混淆难以检测

检测建议

基于XSS过滤绕过的经验，提出以下暗链检测建议：

1. 编码检测：

   • 对包括但不限于10进制Unicode编码的各种编码进行解码检测
   • 识别HTML实体编码、十六进制编码等常见编码形式

2. 深度JavaScript分析：

   • 对调用eval函数的代码进行语义反混淆
   • 建立JavaScript执行环境动态分析混淆代码
   • 关注window.open、location.href等跳转相关API调用

3. JSFuck防护：

   • 识别仅使用[]()!+字符的极端混淆代码
   • 考虑限制这类代码的执行或进行特殊标记

4. 行为分析：

   • 监控页面跳转行为，特别是基于referer的条件跳转
   • 分析title变更模式，识别异常关键词

5. 多维度检测：

   • 结合静态分析和动态执行
   • 建立正常行为基线，检测偏离行为

总结

暗链植入技术正变得越来越复杂，借鉴XSS绕过技术可以实现更隐蔽的攻击。有效的检测需要结合多种技术手段，从编码解码、语义分析到行为监控等多个层面建立防御体系。随着黑客技术的演进，检测技术也需要不断更新以应对新的挑战。