How is my ISP able to inject into this webpage?

Your screenshot shows an HTTP ("Not Secure") page, not HTTPS. Your ISP essentially pulled an "SSL Stripping" attack on you; they blocked you from getting the redirect, fetched the HTTPS version of the site themselves, slapped their own content on top of the retrieved HTML, and then returned the modified HTML to you in response to your original HTTP request. They also stored (either on their side or in a browser cookie on yours) the fact that you'd seen the banner, so future requests to that site got redirected to HTTPS without any content being injected.

Remember, your ISP controls everything going between your computer and the Internet. If the connection is already encrypted (HTTPS), there's less they can do (they can cut the connection, they can probably tell what site you're requesting, they can tell how long your request and response are, they can try to spoof the server and hope you click through the certificate error message), but on an unencrypted connection they can do whatever they want. Modify the response, suppress parts of the response, add their own content, redirect you, prevent a redirect, outright impersonate the server...

Also, DNS requests and responses are (usually) sent unsecured. The ISP can do whatever they like there, too. It doesn't matter what server you send your DNS request to; if it's on the Internet, your ISP can see and tamper with it.

Bear in mind, all of the above also applies to a local network attacker (somebody on the same LAN as you, possibly at a business, home, or public WiFi) if they can get a man-in-the-middle position (and it's usually easy).
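
A defender-side check for the behaviour described in the answer above, as an added example that is not part of the original answer: it parses the reply to a plain-HTTP request, reports whether the expected HTTPS redirect arrived, and lists lines present in that reply but absent from the copy fetched over HTTPS. The host `shop.example`, the banner markup and both raw responses are constructed sample data.

```python
import difflib
from urllib.parse import urlsplit

HOST = "shop.example"  # constructed host name
HTTPS_BODY = "<html>\n<body>\n<h1>Example</h1>\n</body>\n</html>\n"  # reference copy fetched over HTTPS
BANNER = '<div id="isp-banner">Notice from your provider</div>'  # constructed injected markup

# Constructed replies to "GET / HTTP/1.1" sent over plain HTTP.
EXPECTED_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                     b"Location: https://shop.example/\r\nContent-Length: 0\r\n\r\n")
TAMPERED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            + HTTPS_BODY.replace("<body>\n", "<body>\n" + BANNER + "\n").encode())


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def check_plain_http(raw: bytes, host: str, https_body: str):
    """Classify the reply to a plain-HTTP request for a site that should
    redirect to HTTPS. Returns (verdict, injected_lines)."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400:
        target = urlsplit(headers.get("location", ""))
        if target.scheme == "https" and target.hostname == host:
            return "redirect-ok", []
        return "redirect-elsewhere", []
    # Content came back instead of the redirect: the upgrade was suppressed
    # somewhere on the path. Diff against the HTTPS copy to find additions.
    reference, received = https_body.splitlines(), body.splitlines()
    matcher = difflib.SequenceMatcher(None, reference, received)
    injected = []
    for op, _, _, j1, j2 in matcher.get_opcodes():
        if op in ("insert", "replace"):
            injected.extend(line.strip() for line in received[j1:j2])
    return ("stripped-and-modified" if injected else "stripped"), injected


if __name__ == "__main__":
    print(check_plain_http(EXPECTED_REDIRECT, HOST, HTTPS_BODY))
    print(check_plain_http(TAMPERED, HOST, HTTPS_BODY))
```
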
