检测Web蜜罐利用JSONP获取信息的技术分析与防御方法<\/h1>

0x00 引言<\/h2>
本文详细分析商业蜜罐如何利用JSONP接口窃取攻击者信息的技术原理，并提供相应的检测与防御方法。重点针对蜜罐通过JavaScript脚本调用JSONP接口获取攻击者信息的过程进行剖析。<\/p>

0x01 蜜罐技术概述<\/h2>

现代商业Web蜜罐通常采用以下关键技术：<\/p>

JSONP接口配置<\/strong><\/p>

预先配置JSONP接口信息<\/li>
生成对应的JavaScript文件(固定或动态URL)<\/li> <\/ul> <\/li>

蜜罐网站配置<\/strong><\/p>

仿站技术(扒取目标站点静态页面，功能不可用)<\/li>
二次修改后的源码(功能可用但数据全为假数据或精简版源码)<\/li> <\/ul> <\/li>

信息收集机制<\/strong><\/p>

将配置好的JSONP接口JS文件URL插入蜜罐静态文件中<\/li>
访问者打开蜜罐网站时自动加载并执行JS脚本<\/li>
调用JSONP接口将攻击者数据回传至蜜罐后端<\/li> <\/ul> <\/li> <\/ol>
0x02 检测与防御实现方案<\/h2>
检测流程<\/h3>

打开网页<\/li>
查看源代码<\/li>
查找所有引用的JS文件<\/li>
检查JS文件是否有蜜罐特征<\/li> <\/ol>
浏览器插件实现方案<\/h3>
通过开发浏览器插件实现自动化检测和拦截：<\/p>
核心功能<\/h4>

规则订阅系统<\/strong><\/p>

定义JSON格式的检测规则<\/li>
规则结构示例：<\/li> <\/ul>
{ <\/span><\/span> "test111"<\/span>: [ <\/span><\/span> { <\/span><\/span> "filename"<\/span>: "xss.min.js"<\/span>, <\/span><\/span> "content"<\/span>: "hello"<\/span> <\/span><\/span> } <\/span><\/span> ], <\/span><\/span> "test222"<\/span>: [ <\/span><\/span> { <\/span><\/span> "filename"<\/span>: "main.js"<\/span>, <\/span><\/span> "content"<\/span>: "word"<\/span> <\/span><\/span> } <\/span><\/span> ] <\/span><\/span>} <\/span><\/span><\/code><\/pre> filename<\/code>和content<\/code>可使用通配符*<\/code>表示任意匹配<\/li> <\/ul> <\/li> 缓存处理机制<\/strong><\/p> 设置短时间缓存(避免从缓存加载已拦截的JS文件)<\/li> 使用chrome.browsingData.removeCache<\/code>清除近期缓存<\/li> <\/ul> <\/li> 请求拦截系统<\/strong><\/p> 使用chrome.webRequest.onBeforeRequest<\/code>监听器<\/li> 对script<\/code>类型请求进行拦截检查<\/li> <\/ul> <\/li> <\/ol> 核心代码实现<\/h4> var<\/span> honeypotUrlCache<\/span> =<\/span> {}; <\/span><\/span>var<\/span> http<\/span> =<\/span> {}; <\/span><\/span>var<\/span> ruleStr<\/span> =<\/span> '{"test111":[{"filename":"xss.min.js","content":"hello"}],"test222":[{"filename":"main.js","content":"word"}]}'<\/span>; <\/span><\/span>var<\/span> rule<\/span> =<\/span> JSON<\/span>.parse<\/span>(ruleStr<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 规则匹配函数 <\/span><\/span><\/span><\/span>function<\/span> checkForRule<\/span>(url<\/span>, content<\/span>) { <\/span><\/span> for<\/span>(item<\/span> in<\/span> rule<\/span>) { <\/span><\/span> for<\/span>(r1<\/span> in<\/span> rule<\/span>[item<\/span>]) { <\/span><\/span> if<\/span> (rule<\/span>[item<\/span>][r1<\/span>]["filename"<\/span>] ==<\/span> '*'<\/span> &&<\/span> content<\/span>.indexOf<\/span>(rule<\/span>[item<\/span>][r1<\/span>]["content"<\/span>]) !=<\/span> -<\/span>1<\/span>) { <\/span><\/span> honeypotUrlCache<\/span>[url<\/span>] =<\/span> item<\/span>; <\/span><\/span> return<\/span>; <\/span><\/span> } else<\/span> if<\/span> (url<\/span>.indexOf<\/span>(rule<\/span>[item<\/span>][r1<\/span>]["filename"<\/span>]) !=<\/span> -<\/span>1<\/span>) { <\/span><\/span> if<\/span> (rule<\/span>[item<\/span>][r1<\/span>]["content"<\/span>] ==<\/span> '*'<\/span>) { <\/span><\/span> honeypotUrlCache<\/span>[url<\/span>] =<\/span> item<\/span>; <\/span><\/span> return<\/span>; <\/span><\/span> } else<\/span> if<\/span> (content<\/span>.indexOf<\/span>(rule<\/span>[item<\/span>][r1<\/span>]["content"<\/span>]) !=<\/span> -<\/span>1<\/span>) { <\/span><\/span> honeypotUrlCache<\/span>[url<\/span>] =<\/span> item<\/span>; <\/span><\/span> return<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 检查URL是否为蜜罐 <\/span><\/span><\/span><\/span>function<\/span> checkHoneypot<\/span>(url<\/span>) { <\/span><\/span> let<\/span> status<\/span> =<\/span> false<\/span>; <\/span><\/span> if<\/span> (honeypotUrlCache<\/span>.hasOwnProperty<\/span>(url<\/span>)) { <\/span><\/span> status<\/span> =<\/span> true<\/span>; <\/span><\/span> } else<\/span> { <\/span><\/span> http<\/span>.get<\/span>(url<\/span>, function<\/span>(err<\/span>, result<\/span>) { <\/span><\/span> checkForRule<\/span>(url<\/span>, result<\/span>); <\/span><\/span> if<\/span> (honeypotUrlCache<\/span>.hasOwnProperty<\/span>(url<\/span>)) { <\/span><\/span> status<\/span> =<\/span> true<\/span>; <\/span><\/span> } <\/span><\/span> }); <\/span><\/span> } <\/span><\/span> return<\/span> status<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 请求拦截器 <\/span><\/span><\/span><\/span>chrome<\/span>.webRequest<\/span>.onBeforeRequest<\/span>.addListener<\/span>( <\/span><\/span> details<\/span> => { <\/span><\/span> var<\/span> t<\/span> =<\/span> (new<\/span> Date()).getTime<\/span>() -<\/span> 1000<\/span>; <\/span><\/span> chrome<\/span>.browsingData<\/span>.removeCache<\/span>({"since"<\/span>:<\/span> t<\/span>}, function<\/span>(){}); <\/span><\/span> <\/span><\/span> if<\/span>(details<\/span>.type<\/span> ==<\/span> 'script'<\/span>) { <\/span><\/span> if<\/span> (checkHoneypot<\/span>(details<\/span>.url<\/span>)) { <\/span><\/span> alert<\/span>("蜜罐,快跑,当前蜜罐脚本已屏蔽!"<\/span>); <\/span><\/span> return<\/span> {cancel<\/span>:<\/span> true<\/span>}; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> {urls<\/span>:<\/span> ["<all_urls>"<\/span>]}, <\/span><\/span> ["blocking"<\/span>] <\/span><\/span>); <\/span><\/span><\/code><\/pre>0x03 深入思考与扩展<\/h2> 检测方法优化方向<\/h3> 基于哈希值的检测<\/strong><\/p> 计算蜜罐特征文件的哈希值进行匹配<\/li> 提高检测准确率，减少误报<\/li> <\/ul> <\/li> 行为特征检测<\/strong><\/p> 检测本站向多个外部网站短时间内发起请求的行为<\/li> 不依赖JS文件内容特征，检测异常请求模式<\/li> <\/ul> <\/li> 内联脚本检测<\/strong><\/p> 针对直接在HTML中使用script标签写入JS代码的情况<\/li> 分析DOM内容中的可疑脚本<\/li> <\/ul> <\/li> 非JSONP蜜罐检测<\/strong><\/p> 扩展检测其他类型的蜜罐技术<\/li> 如服务蜜罐(mysql、redis、docker等)<\/li> <\/ul> <\/li> <\/ol> 攻防对抗思考<\/h3> 蜜罐的进化<\/strong><\/p> 商业蜜罐可能在被访问时就已触发报警<\/li> 检测需要更快速、更前置<\/li> <\/ul> <\/li> 研究途径<\/strong><\/p> 实战中踩蜜罐后的逆向分析<\/li> 服务甲方时的研究机会<\/li> 安全研究人员间的信息共享<\/li> <\/ul> <\/li> 防御体系建设<\/strong><\/p> 将蜜罐检测工具集成到攻击工具链中<\/li> 建立蜜罐特征库并持续更新<\/li> <\/ul> <\/li> <\/ol> 0x04 总结<\/h2> 本文详细分析了Web蜜罐利用JSONP获取信息的技术原理，并提供了基于浏览器插件的自动化检测方案。通过特征匹配和行为分析，可以有效识别和拦截大多数基于JSONP的信息窃取型蜜罐。然而，蜜罐技术也在不断进化，需要持续研究新的检测方法和防御策略。<\/p>

检测Web蜜罐利用JSONP获取信息的技术分析与防御方法<\/h1>

0x00 引言<\/h2> 本文详细分析商业蜜罐如何利用JSONP接口窃取攻击者信息的技术原理，并提供相应的检测与防御方法。重点针对蜜罐通过JavaScript脚本调用JSONP接口获取攻击者信息的过程进行剖析。<\/p>

0x02 检测与防御实现方案<\/h2>

浏览器插件实现方案<\/h3> 通过开发浏览器插件实现自动化检测和拦截：<\/p>

0x03 深入思考与扩展<\/h2>

0x00 引言<\/h2>
本文详细分析商业蜜罐如何利用JSONP接口窃取攻击者信息的技术原理，并提供相应的检测与防御方法。重点针对蜜罐通过JavaScript脚本调用JSONP接口获取攻击者信息的过程进行剖析。<\/p>

浏览器插件实现方案<\/h3>
通过开发浏览器插件实现自动化检测和拦截：<\/p>