URL Spoofing attacks in browsers and search engines

22:42 01.05.2009

This is the English version of my article URL Spoofing attacks in browsers and search engines.

I continue the topic I began in my previous two advisories about the URL Spoofing vulnerability in GoogleBot, Yahoo! Slurp, Mozilla and Internet Explorer, which can also exist in the bots of other search engines. Here I describe an attack that can work in all browsers and all search engines (the bots of all search engines can be vulnerable).

On 29.04.2009, during my research, I found that not only url-encoded chars can be used for the attack, but also standard (printable) ASCII chars. Requests are possible with the chars A-Z, a-z and 0-9 (Mozilla automatically converts A-Z to a-z, IE6 does not), with some special chars in Mozilla (!%^&()`~-_+=) and in IE6 (!^&()`~-_+=, where IE url-encodes ^ and `), and with the corresponding special chars in other browsers (- and _ are supported by all browsers).

URL Spoofing:

http://site.com.aaaaaaaaaawww.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

There can be no more than 63 chars between dots (the limit on the length of a subdomain label). So between “http://site.com.” and “.tab.net.ua” there can be up to 63 chars (inclusive), and there can be an arbitrary number of such subdomains. Among the different chars, the most suitable for the attack are “-” and especially “_”.

http://site.com.---------------------------------------------------------------.tab.net.ua/sites/blog/site_name.mikolasz/id.195/
http://site.com._______________________________________________________________.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

These attacks work in all browsers and will obviously work in all search engines, as opposed to the attacks using url-encoded chars, which among browsers work only in Mozilla, IE6, IE7 and Safari 3.2.2 (and potentially in IE8).

The above examples of the attack work in the following browsers: Mozilla 1.7.x, Internet Explorer 6 (6.0.2900.2180), Firefox 3.0.9, Opera 9.52 and Google Chrome 1.0.154.48. They should also work in Internet Explorer 7, Safari 3.2.2 and potentially in IE8 and other browsers.

Conducting the attack.

As I wrote earlier, the possibility of this attack depends on the settings of the web server, which must serve requests for any domain name. So this attack can be conducted not on any web site, but only on appropriately configured ones. In particular, I found the following sites vulnerable to this attack: www.tab.net.ua, www.engadget.com and www.poweroptimizer.com.

I distinguish two ways of conducting this attack.

1. Using a site whose web server is configured in a way that makes it vulnerable to this attack, either by registering at this site or via vulnerabilities in it. Let’s look at the example of www.tab.net.ua (a social network).

  • Register an account at www.tab.net.ua.
  • Place the malicious code at your site on this service (for conducting a phishing attack, or for spreading malware).
  • Create the special URL: http://bank.com._(x63).tab.net.ua/sites/blog/site_name.bad/id.1/.
  • Attract the victim to this URL.
  • It is also possible to submit this URL to search engines for indexing, so that victims fall into the trap through search engines.

2. Using your own site, with an appropriately configured web server.

  • Place the malicious code at your site (for conducting a phishing attack, or for spreading malware).
  • Create the special URL: http://bank.com._(x63).badsite.com.
  • Attract the victim to this URL.
  • It is also possible to submit this URL to search engines for indexing, so that victims fall into the trap through search engines.

In the second case, if anti-phishing services put the domain of this site (badsite.com) into their lists, then users of browsers with anti-phishing systems will be protected. But only if such systems work on the domain (badsite.com) and not on the domain with subdomains (bank.com._(x63).badsite.com). Otherwise, either the filter will not work (depending on what was put into it), or the bad guys can easily bypass it by changing the URL of the attack (bank.com._._(x63).badsite.com).

In the first case it will be hard for anti-phishing systems to ban the site, because the attacking sites will be hosted on legitimate and popular services.
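To make the filter-design point above concrete, here is an added example (not from the original article) of how an anti-phishing check can reduce a padded host to its registrable domain, so that blocklisting keys on badsite.com rather than on the full subdomain string, and flag the padding pattern itself. The tiny public-suffix table and the heuristics are assumptions for the demonstration; a real filter would load the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed, minimal public-suffix table for this demonstration only;
# a real filter would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "ua", "net.ua", "com.ua"}

# One DNS label is 1-63 chars. Underscore is accepted here because the
# browsers in the article accept it, although RFC 1123 hostnames forbid it.
LABEL_RE = re.compile(r"^[a-z0-9_-]{1,63}$")


def host_labels(url):
    """Lower-cased DNS labels of the URL's host, or None if not a plausible hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host or len(host) > 253:
        return None
    labels = host.split(".")
    return labels if all(LABEL_RE.match(label) for label in labels) else None


def registrable_domain(labels):
    """Public suffix plus one label: the part the site owner actually controls.
    A blocklist keyed on this value is not bypassed by adding subdomains."""
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def spoof_indicators(url):
    """Heuristic signals that a host uses subdomain padding to impersonate another site."""
    labels = host_labels(url)
    if labels is None:
        return ["unparseable-host"]
    reg = registrable_domain(labels)
    # Everything left of the registrable domain is attacker-chosen subdomain text.
    prefix = labels[: len(labels) - len(reg.split("."))] if reg else labels
    found = []
    # A label made only of '-' or '_' exists to push the real domain out of view.
    if any(not re.search(r"[a-z0-9]", label) for label in prefix):
        found.append("padding-label")
    # A public suffix such as 'com' *inside* the subdomain part ('site.com.')
    # is the spoofed brand's domain, not a real one.
    if any(label in PUBLIC_SUFFIXES for label in prefix):
        found.append("embedded-domain")
    if any("_" in label for label in labels):
        found.append("underscore-label")
    return found
```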

In conclusion, I would say that Internet users must be careful and attend to their security, so as not to become victims of a URL Spoofing attack, and web site owners must attend to the security of their sites.

P.S.

Domain gluing can be used not only for a URL Spoofing attack, but also for an XSS attack (in some browsers), as I showed in the example of www.engadget.com.

