Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: Referer/302 behavior [WEB SECURITY] Web Hacking... PayPal Phishing ... Google redirect
From: Peter Watkins <peterw () tux org>
Date: Tue, 31 Jan 2006 09:11:46 -0500

dpw wrote:
I am surely missing something here. This seems like a pretty involved phish,
but the initial hook doesn't seem to be baited very well. 

Why would anyone think a link that goes to Google would be a legitimate way
to go to PayPal? Why would this be different than leveraging any redirect
system? Why is this noteworthy?

It would be (more) noteworthy if there were evidence to suggest that
users are falling for it. Is there any?

Now, if PayPal had some sort of reusable 404 redirection mechanism, at least

You mean 301/302, right?

the initial link would appear to go to Paypal, but it sure seems to me that
going to Google first is pointless. Maybe the phisher is tracking the
effectiveness of the lure by watching the referrer?

Tracking how? If you have
   http://link.example.org/
offer a hyperlink (<A HREF="...">) to
   http://redir.example.org/?q=http://attack.example.org/
which issues a 302 redirect to
   http://attack.example.org/
then most browsers' request for http://attack.example.org/ will have a
Referer request header of http://link.example.org/. Put several layers
of 302 redirects between http://link.example.org/ and
http://attack.example.org/ and the Referer for the
http://attack.example.org/ request will still be
http://link.example.org/ -- browsers will send the last URL that did
*not* issue a 302 (or 301? I don't use 301 much) redirect.

If http://redir.example.org/?q=http://attack.example.org/ redirects the
browser to http://attack.example.org/ by means of a "client-pull" META
http-equiv refresh tag, typically the request to
http://attack.example.org/ will not include a Referer header at all.
This client-pull trick (and Javascript facsimiles) are often used by
apps like webmail systems that wish to "anonymize" the referring URL.

-Peter

-----Original Message-----
From: RSnake [mailto:rsnake () shocking com] 
Sent: Wednesday, January 11, 2006 9:58 AM
To: Watchfire Research
Cc: Ofer Shezaf; websecurity () webappsec org; zx () castlecops com;
webappsec () securityfocus com
Subject: RE: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site
Exploits Google XSS Vulnerability

      Google has a number of redirection holes just like the one
mentioned in that article, presumably to track user behavior for more
targeted ads.  In a cursory check I found four of them (these all simply
redirect to CNN):

http://froogle.google.com/froogle_url?q=http://www.cnn.com

On Wed, 11 Jan 2006, Watchfire Research wrote:

As already stated by Stelian Ene in a posting to bugtraq/webappsec
(@securityfocus.com), the PayPal phishing scam presented below exploit a
well-known redirection phishing trick via Google's redirection script.

It is important to mention that unlike what stated in
http://castlecops.com/article-6460-nested-0-0.html, the attack is not
based on the Cross-Site Scripting vulnerability which was recently
detected and published by Watchfire in Google's website
(http://www.securiteam.com/securitynews/6Z00L0AEUE.html).

[lots snipped]

http://castlecops.com/a6460-PayPal_Phishing_Site_Exploits_Google_XSS_Vulnerability.html



-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault