Working principle of and solutions to hacker Web deception (4): How Web spoofing works

xiaoxiao2021-03-06  47

The key to successful Web deception is to place the attacker's web server between the user and other web servers, which in security terms is called a "man-in-the-middle attack". To set up such an intermediate web server, hackers often do the following.

Rewriting URLs

First, the attacker rewrites all URLs in the web page so that they point to the attacker's web server instead of the real web server. Assuming the attacker's web server is www.org, the attacker rewrites each URL by adding http://www.www.org before every link. For example, http://home.xxx1.com becomes http://www.www.org/http://home.xxx1.com. When the user clicks http://home.xxx1.com (which may still be displayed as the original address), the request goes to http://www.www.org. That server then sends a request to http://home.xxx1.com, gets the real document, rewrites all the links in the document, and finally returns it to the user's browser. The workflow is as follows:

1. The user clicks the rewritten link http://www.www.org/http://home.xxx1.com;

2. http://www.www.org requests the document from http://home.xxx1.com;

3. http://home.xxx1.com returns the document to http://www.www.org;

4. http://www.www.org rewrites all the URLs in the document;

5. http://www.www.org returns the rewritten document to the user.

Because all the URLs in the modified document point to www.org, any link the user clicks leads to www.org rather than directly to the real URL. If the user moves from page to page by following these links, they never leave the attack.
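A defender can look for the link shape this rewriting produces. The following added example (not code from the original article) scans links for a second absolute URL embedded after the host; the function names and the sample links are assumptions, constructed from the hosts used above.

```javascript
// Return {outerHost, innerHost} when href carries another absolute URL
// on a different host after its own host part, otherwise null.
function findEmbeddedUrl(href) {
  let outer;
  try {
    outer = new URL(href);
  } catch (e) {
    return null; // not an absolute URL, nothing to compare
  }
  if (outer.protocol !== 'http:' && outer.protocol !== 'https:') return null;

  // Path plus query, decoded once so that http%3A%2F%2F is caught too.
  let rest = outer.pathname + outer.search;
  try {
    rest = decodeURIComponent(rest);
  } catch (e) {
    // malformed percent-encoding: keep the raw string
  }

  const m = rest.match(/https?:\/{1,2}[^\s"'<>]+/i);
  if (!m) return null;
  // Some normalizers collapse "//" to "/"; restore it before parsing.
  const candidate = m[0].replace(/^(https?:)\/{1,2}/i, '$1//');
  let inner;
  try {
    inner = new URL(candidate);
  } catch (e) {
    return null;
  }
  if (inner.hostname === outer.hostname) return null; // same-site parameter
  return { outerHost: outer.hostname, innerHost: inner.hostname };
}

// Constructed sample links, using the hosts from the text above.
const sampleLinks = [
  'http://www.www.org/http://home.xxx1.com',
  'http://www.www.org/http%3A%2F%2Fhome.xxx1.com%2Findex.html',
  'http://home.xxx1.com/index.html',
  'http://home.xxx1.com/go?next=http://home.xxx1.com/a',
];

// Keep only the links that embed a URL on a different host.
function auditLinks(links) {
  return links.map((href) => ({ href, hit: findEmbeddedUrl(href) }))
    .filter((r) => r.hit !== null);
}

console.log(auditLinks(sampleLinks));
```

Web archives, translation services and redirectors also embed URLs this way, so a hit is a lead to review against the expected host, not a verdict.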

About forms

If a user fills in a form on a spoofed page, the result appears normal. As long as the standard web protocol is followed, the form spoofing goes unnoticed: the submitted form data is encoded in the URL, and the response is returned as HTML. Since the URL has already been rewritten, spoofing the form follows naturally.

When the user submits the form, the submitted data goes to the attacker's server, which can observe and even modify it. Similarly, after receiving the response from the real server, the attacker can alter it as desired before passing it on.

About "secure connections"

To improve the security of web applications, the concept of a secure connection was introduced: an SSL-based secure connection between the user's browser and the web server. Unfortunately, it is of basically no use against Web spoofing. An attacker can establish a seemingly normal "secure connection" on the false page served during the spoof: the web page is transmitted normally, and the graphic that indicates a secure connection (usually a key or lock) still works as usual. In other words, the browser tells the user that the connection is safe and reliable. But as mentioned earlier, the secure connection in this case is established with the www.org site rather than with the site the user believes they are visiting.

Starting the attack

To start the attack, the attacker must somehow lure users into the false web the attacker has created. Hackers often use the following methods.

1. Place a link to the false web on a popular Web site;

2. Use a web-based message that points to the false web;

3. Create an index of the false web and present it to a search engine.
