URL Spoofing vulnerabilities in browsers and search engines
SECURITYVULNS:DOC:21766
May 03, 2009
vulners.com

Hello 3APA3A!

I continue the topic which I began in my previous two advisories about
the URL Spoofing vulnerability (http://websecurity.com.ua/3079/) in
GoogleBot, Yahoo! Slurp, Mozilla and Internet Explorer
(http://websecurity.com.ua/3096/), which can also exist in the bots of
other search engines. Here I describe a variant of the attack which works
in all browsers and all search engines (the bots of all search engines can
be vulnerable).

On 29.04.2009, during my research, I found that not only url-encoded
chars can be used for the attack, but also standard (visible) ASCII
chars. Requests with the chars A-Z, a-z and 0-9 are possible; A-Z are
automatically converted to a-z in Mozilla (but not in IE6). Some special
chars also work: in Mozilla (!%^&()`~-+=) and in IE6 (!^&()`~-+=, where
IE converts ^ and ` to url-encoded form), and the corresponding special
chars in other browsers (- and _ are supported by all browsers).

URL Spoofing:

http://site.com.aaaaaaaaaawww.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

There can be no more than 63 chars in total between dots (this is the
limit on the length of a subdomain label). So between "http://site.com."
and ".tab.net.ua" there can be up to 63 chars (inclusive), and there can
be an arbitrary number of such subdomains. Among the different chars, the
most suitable for the attack are "-" and especially "_".

http://site.com.---------------------------------------------------------------.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

http://site.com._______________________________________________________________.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

These attacks work in all browsers and obviously will work in all
search engines, as opposed to attacks using url-encoded chars, which
among browsers work only in Mozilla, IE6, IE7 and Safari 3.2.2 (and
potentially in IE8).

The mentioned examples of attacks work in the following browsers: Mozilla
1.7.x, Internet Explorer 6 (6.0.2900.2180), Firefox 3.0.9, Opera 9.52
and Google Chrome 1.0.154.48. They should also work in Internet Explorer 7,
Safari 3.2.2 and potentially in IE8 and other browsers.

Conducting the attack.

As I wrote earlier (http://websecurity.com.ua/3096/), the possibility of
this attack depends on the settings of the web server, which must accept
requests for arbitrary domain names. So this attack cannot be conducted
at any web site, but only at appropriately configured ones. In particular,
I found the following sites which are vulnerable to this attack:
www.tab.net.ua, www.engadget.com and www.poweroptimizer.com.

I distinguish two ways of conducting this attack.

  1. Using a site whose web server has the appropriate (vulnerable)
    configuration, either via registration at this site or via
    vulnerabilities in it. Let's look at the example of www.tab.net.ua
    (a social network).
  • Register an account at www.tab.net.ua.
  • Place the malicious code (for conducting a phishing attack, or for
    spreading malware) on your site at this service.
  • Create a special URL:
    http://bank.com._(x63).tab.net.ua/sites/blog/site_name.bad/id.1/.
  • Attract the victim to this URL.
  • It is also possible to give this URL to search engines for indexing,
    so that victims fall into the trap through search engines.
  2. Using your own site with an appropriately configured web server.
  • Place the malicious code (for conducting a phishing attack, or for
    spreading malware) on your site.
  • Create a special URL: http://bank.com._(x63).badsite.com.
  • Attract the victim to this URL.
  • It is also possible to give this URL to search engines for indexing,
    so that victims fall into the trap through search engines.

In the second case, if anti-phishing services put the domain of this
site (badsite.com) into their lists, then users of browsers with
anti-phishing systems will be protected. But only if such systems work
on the domain (badsite.com), not on the domain with its subdomains
(bank.com.(x63).badsite.com). Otherwise either the filter will not work
(depending on what was put into it), or the bad guys will be able to
easily bypass it by changing the URL of the attack (bank.com.
._(x63).badsite.com).

In the first case it will be hard for anti-phishing systems to ban the
site, because the attacking sites will be hosted on legitimate and
popular services.
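As an added defensive illustration (not code from the advisory or its author), the following Python checks a URL for the points made above: the 63-char label limit, "-"/"_" filler labels, and reducing the host to its registrable domain so that a blocklist entry for badsite.com matches regardless of the labels placed in front of it. The suffix list and brand watch-list are constructed assumptions, and the brand check is generalized to a brand name appearing anywhere among the labels, not only at the start.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix list for this example (hypothetical);
# a real tool would use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "ua", "net.ua", "com.ua"}

# Constructed watch-list: domains whose name must not appear as labels of a
# host that actually belongs to some other registrable domain.
BRAND_DOMAINS = ["bank.com", "site.com"]

MAX_LABEL_LEN = 63                       # DNS label limit (RFC 1035) the advisory relies on
PADDING_LABEL = re.compile(r"^[-_]+$")   # labels made only of '-' or '_' filler


def registrable_domain(host):
    """Reduce a host to the domain an anti-phishing list should key on.

    'bank.com.____.badsite.com' -> 'badsite.com'
    'site.com.---.tab.net.ua'   -> 'tab.net.ua'
    """
    labels = host.lower().rstrip(".").split(".")
    # The smallest i whose suffix is public is the longest matching suffix;
    # the registrable domain is that suffix plus one label to its left.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def analyze_url(url):
    """Return the host, its registrable domain and a list of spoofing indicators."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    findings = []
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        findings.append("label-too-long")       # exceeds the 63-char limit, invalid DNS name
    if any(PADDING_LABEL.match(label) for label in labels):
        findings.append("padding-label")        # filler pushing the real domain out of view
    if any("_" in label for label in labels):
        findings.append("underscore-in-label")  # not a valid hostname char, browsers accept it
    for brand in BRAND_DOMAINS:
        # Brand name present as a run of labels while the host belongs elsewhere.
        if f".{brand}." in f".{host}." and reg != brand:
            findings.append(f"brand-prefix:{brand}")
    return {"host": host, "registrable": reg, "findings": findings}
```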

In conclusion, I will say that Internet users must be careful and attend
to their security so as not to become victims of URL Spoofing attacks,
and web site owners must attend to the security of their sites.

P.S.

Domain gluing can be used not only for the URL Spoofing attack, but also
for an XSS attack (in some browsers), as I showed on the example of
www.engadget.com (http://websecurity.com.ua/3100/).

I wrote about these vulnerabilities at my site:
http://websecurity.com.ua/3099/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua