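'use strict';

// Anti-HoneyPot background script (MV2, persistent background page).
//
// Blue-team web honeypots commonly fingerprint visitors the way a CSRF attack
// would: the honeypot page loads JSONP endpoints of third-party sites where the
// visitor may already be logged in. This script watches every http(s) request;
// when a page on one registrable domain requests a JSONP-looking URL on a
// different, non-whitelisted domain, it rewrites the request to an empty script
// and raises a desktop notification.
//
// The original script also read `chrome.runtime.getManifest()` into unused
// `manifest` / `version` bindings; nothing on this page reads them, so they
// were dropped.

// Hosts known to be queried by honeypot "traceback" scripts (per the original
// comment: supplied by 长亭 D-sensor and 墨安幻阵, 83 hosts). Entries are kept
// verbatim from the original list; a Set gives O(1) membership checks.
// NOTE(review): "github.comgithub.com" looks like a malformed entry — confirm.
const BLACKLIST = new Set([
  'account.itpub.net', 'accounts.ctrip.com', 'ajax.58pic.com', 'api.csdn.net',
  'api.ip.sb', 'api.m.jd.com', 'api.passport.pptv.com', 'api.weibo.com',
  'assets.growingio.com', 'baike.baidu.com', 'bbs.zhibo8.cc', 'bit.ly',
  'blog.csdn.net', 'blog.itpub.net', 'c.cnzz.com', 'c.v.qq.com',
  'chinaunix.net', 'clients4.google.com', 'cmstool.youku.com',
  'comment.api.163.com', 'databack.dangdang.com', 'datax.baidu.com',
  'dimg01.c-ctrip.com', 'down2.uc.cn', 'flux.faloo.com', 'g.alicdn.com',
  'github.comgithub.com', 'hd.huya.com', 'hm.baidu.com', 'home.51cto.com',
  'home.ctfile.com', 'home.zhibo8.cc', 'hudong.vip.youku.com', 'hzs14.cnzz.com',
  'i.jrj.com.cn', 'i.qr.weibo.cn', 'iask.sina.com.cn', 'itunes.apple.com',
  'js.cndns.com', 'ka.sina.com.cn', 'log.mmstat.com', 'login.sina.com.cn',
  'm.ctrip.com', 'm.game.weibo.cn', 'map.baidu.com', 'mapp.jrj.com.cn',
  'morn.cndns.com', 'mozilla.github.io', 'msg.qy.net', 'mths.be',
  'musicapi.taihe.com', 'my.zol.com.cn', 'p.qiao.baidu.com',
  'passport.ctrip.com', 'passport.game.renren.com', 'passport.iqiyi.com',
  'pcw-api.iqiyi.com', 'playbill.api.mgtv.com', 'renren.com', 's.faloo.com',
  's14.cnzz.com', 'sb.scorecardresearch.com', 'search.video.iqiyi.com',
  'skylink.io', 'static.iqiyi.com', 'stc.iqiyipic.com', 'tie.163.com',
  'u.faloo.com', 'ucenter.51cto.com', 'v.huya.com', 'v2.sohu.com',
  'validity.thatscaptaintoyou.com', 'vote2.pptv.com', 'wap.sogou.com',
  'webapi.ctfile.com', 'weibo.com', 'www.58pic.com', 'www.cndns.com',
  'www.gnu.org', 'www.iqiyi.com', 'www.iteye.com', 'www.zbj.com',
  'wz.cnblogs.com'
]);

// Registrable domains whose pages are trusted to make cross-domain JSONP calls
// (the README's example: baidu.com pulling JSONP from another baidu-owned
// domain). Matched against the *initiator's* main domain, so a page on a
// whitelisted domain is never blocked, whatever it requests.
const WHITELIST = new Set([
  'baidu.com', 'qq.com', 'csdn.net', 'weibo.com', 'cnblogs.com', 'aliyun.com',
  'ctrip.com', 'weibo.cn', 'iqiyi.com', '163.com', '126.com', '51cto.com',
  'taobao.com', 'sogou.com', 'iteye.com', '58.com'
]);

// Substrings anywhere in path + query that mark a request as JSONP-like.
const JSONP_KEYWORDS = ['callback', 'jsonp', 'javascript'];

// Replacement target for blocked requests: a data: URL whose body is `;`, so
// the injected script element executes nothing instead of erroring out.
const EMPTY_SCRIPT_URL = `data:text/javascript;charset=UTF-8;base64,${btoa(';')}`;

/**
 * Split an absolute URL into its hostname and path (+ query string).
 *
 * Uses the URL parser instead of the original `split("//")` slicing, which
 * returned an empty host for URLs without a path, kept the port inside the
 * host (so `www.baidu.com:8080` never matched `baidu.com`), was case
 * sensitive, and threw on URLs containing no `//`.
 *
 * @param {string} url - absolute URL
 * @returns {[string, string] | null} `[hostname, pathname + search]` with the
 *   hostname lower-cased and port-free, or `null` when `url` does not parse
 */
function getHostAndPath(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return null;
  }
  return [parsed.hostname, parsed.pathname + parsed.search];
}

/**
 * Reduce a hostname to its "main domain", i.e. its last two labels:
 * `a.b.c.baidu.com` → `baidu.com`.
 *
 * IPv4/IPv6 literals and single-label hosts are returned unchanged (the
 * original produced `3.4` for `1.2.3.4` and `undefined.localhost` for
 * `localhost`). No public-suffix list is consulted, so `example.co.uk`
 * collapses to `co.uk`; detection is correspondingly weaker for such ccSLDs.
 *
 * @param {string} host - hostname without scheme or port
 * @returns {string} main domain
 */
function getMainDomain(host) {
  const isIpv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (isIpv4 || host.startsWith('[')) {
    return host;
  }
  const labels = host.split('.');
  if (labels.length < 2) {
    return host;
  }
  return labels.slice(-2).join('.');
}

/**
 * @param {string} host - exact target hostname
 * @returns {boolean} whether `host` is a known honeypot traceback endpoint
 */
function inBlackList(host) {
  return BLACKLIST.has(host);
}

/**
 * @param {string} host - main domain of the requesting page
 * @returns {boolean} whether pages on this domain are exempt from blocking
 */
function inWhiteList(host) {
  return WHITELIST.has(host);
}

/**
 * Raise a desktop notification. `Notification` is a browser global; the guard
 * lets the decision logic run outside the extension (unit tests).
 *
 * @param {string} message - notification title
 */
function notify(message) {
  if (typeof Notification === 'undefined') {
    return;
  }
  new Notification(message);
}

/**
 * `chrome.webRequest.onBeforeRequest` handler.
 *
 * Decision order (mirrors the README):
 *   1. target main domain equals the initiator's, or the initiator's main
 *      domain is whitelisted → allow;
 *   2. scheme is not http/https, or path + query carries no JSONP keyword
 *      → allow;
 *   3. otherwise redirect to an empty script and notify: "blacklist" when the
 *      target host is a known traceback endpoint, "suspicious" otherwise.
 *
 * Changes from the original: the main-domain comparison is `===` rather than
 * substring `includes`, so `xbaidu.com` no longer passes as `baidu.com`; the
 * initiator is parsed as a URL, so the missing-initiator fallback yields a
 * real domain instead of a `com/path?query` fragment; at most one notification
 * is raised per request even if several keywords match.
 *
 * @param {{url: string, initiator?: string}} details - webRequest details
 * @returns {{redirectUrl?: string}} blocking response; `{}` allows the request
 */
function inspectRequest(details) {
  const { url, initiator } = details;

  const target = getHostAndPath(url);
  if (target === null) {
    return {};
  }
  const [targetHost, targetPath] = target;
  const targetDomain = getMainDomain(targetHost);

  let mainDomain;
  if (initiator == null) {
    // No initiator (e.g. a top-level navigation): same-origin by definition,
    // as the original expressed by assigning `initiator = url`.
    mainDomain = targetDomain;
  } else {
    const origin = getHostAndPath(initiator);
    // An opaque initiator such as "null" cannot be same-domain with anything;
    // keep it on the cross-domain path rather than silently allowing.
    mainDomain = origin === null ? initiator : getMainDomain(origin[0]);
  }

  if (targetDomain === mainDomain || inWhiteList(mainDomain)) {
    return {};
  }

  const protocol = url.split('://')[0];
  if (protocol !== 'http' && protocol !== 'https') {
    return {};
  }
  if (!JSONP_KEYWORDS.some((keyword) => targetPath.includes(keyword))) {
    return {};
  }

  if (inBlackList(targetHost)) {
    notify(`拦截黑名单溯源请求:${targetHost}`);
  } else {
    notify(`拦截可疑溯源请求:${targetHost}`);
  }
  return { redirectUrl: EMPTY_SCRIPT_URL };
}

// `chrome` exists only inside the extension; the guard keeps this module
// loadable (and the functions above testable) elsewhere.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    inspectRequest,
    // The original listing shows an empty match pattern here, which Chrome
    // rejects at registration. These are the patterns the manifest already
    // requests and the only schemes inspectRequest acts on.
    { urls: ['http://*/*', 'https://*/*'] },
    ['blocking']
  );
}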
https://raw.githubusercontent.com/Ar3h/anti-honeypot/1540978f888859be07ffb472f0a25506dd99fecf/img/logo.png -------------------------------------------------------------------------------- /img/可疑溯源请求.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ar3h/anti-honeypot/1540978f888859be07ffb472f0a25506dd99fecf/img/可疑溯源请求.png -------------------------------------------------------------------------------- /img/黑名单请求.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ar3h/anti-honeypot/1540978f888859be07ffb472f0a25506dd99fecf/img/黑名单请求.png -------------------------------------------------------------------------------- /manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Anti-HoneyPot", 3 | "version": "1.0.2", 4 | "manifest_version": 2, 5 | "description": "", 6 | "icons": { 7 | "128": "/img/logo.png" 8 | }, 9 | "browser_action": { 10 | "default_popup": "popup.html", 11 | "default_title": "Anti-HoneyPot", 12 | "default_icon": "/img/logo.png" 13 | }, 14 | "background": { 15 | "persistent": true, 16 | "scripts": [ 17 | "background.js" 18 | ] 19 | }, 20 | "permissions": [ 21 | "notifications", 22 | "activeTab", 23 | "tabs", 24 | "storage", 25 | "https://*/*", 26 | "http://*/*", 27 | "webRequest", 28 | "webRequestBlocking" 29 | ], 30 | "web_accessible_resources": ["*"], 31 | "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'" 32 | } -------------------------------------------------------------------------------- /popup.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 蜜罐检测插件 8 | 9 | 10 | 11 |
Anti_Honeypot
12 |
V1.02
13 | https://github.com/Ar3h/anti-honeypot 14 | 15 | 16 | -------------------------------------------------------------------------------- /popup.js: -------------------------------------------------------------------------------- 1 | //取消保存在session里 --------------------------------------------------------------------------------