Avoid website hijacking by malicious domain names

The server of R0uter's blog rejected the embedding of the site
The server of R0uter's blog rejected the embedding of the site

I accidentally found a batch of websites today,Such as http://b6x.net/ Now when you click on this website, it will display "www.logcg.com refused to connect.”,When I clicked on it for the first time, I was stunned...he actually copied my entire website? !

This is a series of three-digit domain name websites,Are similar operations。

http://What b6x.net/ shows is actually the content of R0uter's blog
http://What b6x.net/ shows is actually the content of R0uter's blog

and many more,I found something wrong,First of all, there is a white box on the outside of this website that my blog does not have... that is,This may be an anti-generation (reverse proxy)。

If you still don’t know what anti-generation is,look at thisOn the forward proxy reverse proxy transparent proxy

So I checked this domain name,Located in Alibaba Cloud,Contact information is protected by the domain name of the service provider who originally purchased the domain name,The resolved ip address is the cdn address,Of no use。I try to block with a domain name,As a result, people still showed it well...

During this process,I found out a little more:If it is a reverse proxy,The domain name links in the website should be relayed by the agent,And in this website,The link to my blog has not been modified in any way,Is my original domain name。

View the source code of the page to discover,In fact, this website has only one line of code:

That is,When you open this website,It loads R0uter's blog in its own page......

of course,This seems harmless,But there are many potential security issues,For example, he can do transparent clickjacking and so on... Besides, I don’t know the webmaster of this domain name。To avoid this,Need to modify nginx configuration,Add an http header add_header X-Frame-Options "SAMEORIGIN";

of course,You have other options,such as DENY Is to reject all behaviors that are embedded in other web pages;SAMEORIGIN Is a convenient option,What if you want to embed your own? As long as it is the same domain source,You can allow,No one else;ALLOW-FROM URI This option is the basic whitelist function,Who wrote,Who can embed without being rejected。

Here we use SAMEORIGIN,The add_header X-Frame-Options "SAMEORIGIN"; Write it in your server configuration,Restart Service。

For example, there are 3 items in my place after modification:

Then refresh that http://b6x.net/ ,It's already blank。

The server of R0uter's blog rejected the embedding of the site
The server of R0uter's blog rejected the embedding of the site

References

Original article written by Gerber drop-off:R0uter's Blog » Avoid website hijacking by malicious domain names

Reproduced Please keep the source and description link:https://www.logcg.com/archives/3507.html

By R0uter's Blog

The non-declaration,I have written articles are original,Reproduced, please indicate the link on this page and my name。

13 comments

        1. Or not,It shouldn't be a matter of parentheses,I took a look,Line 694 in your rss,^M like this,You can bind successfully。There is an extra ^M symbol in it。I can’t see it with a browser,Text editor,Don't know what edit you use,It can be seen with emacs。 It should be fine to delete this。

  1. Took a look at mine,Oh don't be afraid
    add_header Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”;
    add_header X-Frame-Options “SAMEORIGIN” always;
    add_header X-Xss-Protection “1; mode=block” always;
    add_header X-Content-Type-Options “nosniff” always;

    add_header Content-Security-Policy “default-src https: ‘unsafe-inline’ ‘unsafe-eval’ data:;”;
    add_header Referrer-Policy “no-referrer-when-downgrade”;

Leave a comment

Your email address will not be published. Required fields are marked *