WebApp Sec mailing list archives
Re: Referer/302 behavior [WEB SECURITY] Web Hacking... PayPal Phishing ... Google redirect
From: Peter Watkins <peterw () tux org>
Date: Tue, 31 Jan 2006 09:11:46 -0500
dpw wrote:

> I am surely missing something here. This seems like a pretty involved phish, but the initial hook doesn't seem to be baited very well. Why would anyone think a link that goes to Google would be a legitimate way to go to PayPal? Why would this be different than leveraging any redirect system? Why is this noteworthy?

It would be (more) noteworthy if there were evidence to suggest that users are falling for it. Is there any?

> Now, if PayPal had some sort of reusable 404 redirection mechanism, at least

You mean 301/302, right?

> the initial link would appear to go to PayPal, but it sure seems to me that going to Google first is pointless. Maybe the phisher is tracking the effectiveness of the lure by watching the referrer?
Tracking how? If you have http://link.example.org/ offer a hyperlink (<A HREF="...">) to http://redir.example.org/?q=http://attack.example.org/ which issues a 302 redirect to http://attack.example.org/, then most browsers' request for http://attack.example.org/ will have a Referer request header of http://link.example.org/. Put several layers of 302 redirects between http://link.example.org/ and http://attack.example.org/ and the Referer for the http://attack.example.org/ request will still be http://link.example.org/ -- browsers will send the last URL that did *not* issue a 302 (or 301? I don't use 301 much) redirect.

If http://redir.example.org/?q=http://attack.example.org/ redirects the browser to http://attack.example.org/ by means of a "client-pull" META http-equiv refresh tag, typically the request to http://attack.example.org/ will not include a Referer header at all. This client-pull trick (and its JavaScript facsimiles) is often used by apps like webmail systems that wish to "anonymize" the referring URL.

-Peter
-----Original Message-----
From: RSnake [mailto:rsnake () shocking com]
Sent: Wednesday, January 11, 2006 9:58 AM
To: Watchfire Research
Cc: Ofer Shezaf; websecurity () webappsec org; zx () castlecops com; webappsec () securityfocus com
Subject: RE: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site Exploits Google XSS Vulnerability
Google has a number of redirection holes just like the one mentioned in that article, presumably to track user behavior for more targeted ads. In a cursory check I found four of them (these all simply redirect to CNN): http://froogle.google.com/froogle_url?q=http://www.cnn.com
On Wed, 11 Jan 2006, Watchfire Research wrote:
As already stated by Stelian Ene in a posting to bugtraq/webappsec (@securityfocus.com), the PayPal phishing scam presented below exploits a well-known redirection phishing trick via Google's redirection script. It is important to mention that, unlike what is stated in http://castlecops.com/article-6460-nested-0-0.html, the attack is not based on the Cross-Site Scripting vulnerability which was recently detected and published by Watchfire in Google's website (http://www.securiteam.com/securitynews/6Z00L0AEUE.html).
[lots snipped]
http://castlecops.com/a6460-PayPal_Phishing_Site_Exploits_Google_XSS_Vulnerability.html
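The Referer rule Peter spells out above (a 301/302 hop leaves the Referer as the last page the user actually saw; a META-refresh "client-pull" hop drops it) and the open-redirector problem RSnake describes both lend themselves to a small worked example. The code below is an added illustration written for this archive page, not code from the thread or from any site named in it. It models a navigation chain and computes the Referer the browser would send on the final request under that rule, and it shows the check a redirector such as the hypothetical redir.example.org should apply to its q parameter so it cannot be pointed off-site. The hostnames are the thread's placeholder example hosts; the allowlist is constructed.

```python
# Added example: model of the Referer behaviour described in the thread, plus
# an on-site redirect validator. Not code from the thread; the hop rule is the
# one stated in the post, the hostnames are the thread's example hosts and the
# allowlist below is constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Hop:
    url: str   # URL the browser requested at this step
    how: str   # how the server answered: "render" (normal page, e.g. the page
               # holding the link), "302" (HTTP redirect) or "meta_refresh"
               # (client-pull). Ignored for the last hop of a chain.


def referer_for_final_request(chain: List[Hop]) -> Optional[str]:
    """Return the Referer header the browser sends with the request for the
    last hop of `chain`, or None if it sends none."""
    referer: Optional[str] = None
    for hop in chain[:-1]:
        if hop.how == "render":
            referer = hop.url        # a page the user actually saw
        elif hop.how == "302":
            continue                 # redirect hop: Referer is unchanged
        elif hop.how == "meta_refresh":
            referer = None           # client-pull: no Referer on next request
        else:
            raise ValueError(f"unknown hop type {hop.how!r}")
    return referer


# Constructed allowlist for the hypothetical redir.example.org service.
ALLOWED_HOSTS = {"redir.example.org", "link.example.org"}


def safe_redirect_target(q: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Accept `q` as a redirect destination only if it stays on-site:
    a site-relative path, or an http(s) URL whose host is allowlisted.
    Returns the target to redirect to, or None to refuse."""
    if q[:2] in ("//", "/\\"):       # scheme-relative forms resolve off-site
        return None
    p = urlparse(q)
    if p.scheme == "" and p.netloc == "":
        return q if q.startswith("/") else None   # site-relative path only
    if p.scheme not in ("http", "https"):
        return None                  # e.g. javascript: or data: URLs
    if p.hostname not in allowed_hosts:
        return None                  # off-site target: the open-redirect case
    return q


if __name__ == "__main__":
    link = Hop("http://link.example.org/", "render")
    redir = Hop("http://redir.example.org/?q=http://attack.example.org/", "302")
    final = Hop("http://attack.example.org/", "render")
    # The lure page, not the redirector, is what the final Referer reveals.
    print(referer_for_final_request([link, redir, final]))
    # A client-pull hop in the chain suppresses the Referer entirely.
    print(referer_for_final_request([link, Hop(redir.url, "meta_refresh"), final]))
    for q in ("/account", "http://link.example.org/x",
              "http://attack.example.org/", "//attack.example.org/",
              "javascript:void(0)"):
        print(q, "->", safe_redirect_target(q))
```

The validator deliberately parses with urlparse and compares the parsed hostname rather than string-matching the start of q, so forms like a userinfo prefix ("http://link.example.org@attack.example.org/") are judged by the host the browser would actually connect to.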
Current thread:
- RE: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site Exploits Google XSS Vulnerability RSnake (Jan 11)
- RE: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site Exploits Google XSS Vulnerability dpw (Jan 11)
- RE: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site Exploits Google XSS Vulnerability Paul Laudanski (Jan 11)
- Re: Referer/302 behavior [WEB SECURITY] Web Hacking... PayPal Phishing ... Google redirect Peter Watkins (Jan 31)
- RE: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site Exploits Google XSS Vulnerability dpw (Jan 11)