Thursday, January 13, 2011
Completing the Illusion
The attack as described thus far is fairly effective, but it is not perfect. There is still some remaining context that can give the victim clues that the attack is going on. However, it is possible for the attacker to eliminate virtually all of the remaining clues of the attack’s existence.
Such evidence is not too hard to eliminate because browsers are very customizable. The ability of a Web page to control browser behavior is often desirable, but when the page is hostile it can be dangerous.
The Status Line
The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers.
The attack as described so far leaves two kinds of evidence on the status line. First, when the mouse is held over a Web link, the status line displays the URL the link points to. Thus, the victim might notice that a URL has been rewritten. Second, when a page is being fetched, the status line briefly displays the name of the server being contacted. Thus, the victim might notice that www.attacker.org is displayed when some other name was expected.
The attacker can cover up both of these cues by adding a JavaScript program to every rewritten page. Since JavaScript programs can write to the status line, and since it is possible to bind JavaScript actions to the relevant events, the attacker can arrange things so that the status line participates in the con game, always showing the victim what would have been on the status line in the real Web. This makes the spoofed context even more convincing.
The Location Line
The browser’s location line displays the URL of the page currently being shown. The victim can also type a URL into the location line, sending the browser to that URL. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress.
This clue can be hidden using JavaScript. A JavaScript program can hide the real location line and replace it by a fake location line that looks right and is in the expected place. The fake location line can show the URL the victim expects to see. The fake location line can also accept keyboard input, allowing the victim to type in URLs normally. The JavaScript program can rewrite typed-in URLs before they are accessed.
Viewing the Document Source
Popular browsers offer a menu item that allows the user to examine the HTML source for the currently displayed page. A user could possibly look for rewritten URLs in the HTML source, and could therefore spot the attack.
The attack can prevent this by using JavaScript to hide the browser’s menu bar, replacing it with a menu bar that looks just like the original. If the user chose “view document source” from the spoofed menu bar, the attacker would open a new window to display the original (non-rewritten) HTML source.
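Because the compromised browser's own "view source" cannot be trusted, the check has to run outside it: fetch the page independently and look for the signature the text describes, a link whose path contains a second, complete URL. The following is an added example, not code from the original paper or blog post; the sample HTML and the host names www.attacker.org and www.bank.example are constructed, and the URL-in-path rewriting shape is assumed from the text's description.

```python
"""Scan fetched HTML for links routed through a URL-rewriting proxy.

Defensive check: run on a copy of the page obtained outside the suspect
browser (e.g. with a separate fetch tool), since the browser itself may be
showing spoofed source.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of what a rewritten page might look like. Hypothetical
# hosts: www.attacker.org (the proxy) and www.bank.example (the real site).
SAMPLE_HTML = """
<html><body>
<a href="http://www.attacker.org/http://www.bank.example/login">Log in</a>
<a href="http://www.attacker.org/http://www.bank.example/help">Help</a>
<a href="/about">About us</a>
<form action="http://www.attacker.org/https://www.bank.example/transfer">
<img src="http://www.attacker.org/http://www.bank.example/logo.gif">
</form>
<a href="https://www.bank.example/contact">Contact</a>
</body></html>
"""

# A scheme://host appearing *inside* the path or query of another URL.
EMBEDDED_URL = re.compile(r"https?://", re.I)

# Which attribute carries the outbound reference for each tag we care about.
URL_ATTRS = {"a": "href", "form": "action", "img": "src",
             "script": "src", "iframe": "src"}


class LinkCollector(HTMLParser):
    """Collect (tag, url) pairs for every element that references a URL."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value))


def find_rewritten_links(html):
    """Return one record per link whose path embeds a second absolute URL.

    That shape (proxy host, then the real URL appended to the path) is the
    hallmark of a rewriting proxy; ordinary links never contain it.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.links:
        outer = urlsplit(url)
        if not outer.netloc:
            continue  # relative link: no host to compare
        tail = outer.path + ("?" + outer.query if outer.query else "")
        match = EMBEDDED_URL.search(tail)
        if not match:
            continue
        inner = urlsplit(tail[match.start():])
        findings.append({
            "tag": tag,
            "url": url,
            "proxy_host": outer.netloc.lower(),
            "real_host": inner.netloc.lower(),
        })
    return findings


def suspected_proxy(findings, expected_host):
    """Name the host fronting links to expected_host, or None if there is none.

    If the page's links to the site you meant to visit consistently route
    through one other host, that host is the suspected rewriting proxy.
    """
    expected_host = expected_host.lower()
    hosts = Counter(f["proxy_host"] for f in findings
                    if f["real_host"] == expected_host)
    if not hosts:
        return None
    host, _count = hosts.most_common(1)[0]
    return None if host == expected_host else host


if __name__ == "__main__":
    hits = find_rewritten_links(SAMPLE_HTML)
    for hit in hits:
        print(f"{hit['tag']:>5}  via {hit['proxy_host']}  ->  {hit['real_host']}")
    print("suspected proxy:", suspected_proxy(hits, "www.bank.example"))
```

The scanner deliberately ignores relative links and direct links to the expected host; only the proxy-then-URL pattern is reported, so a page with one stray third-party link does not trigger a false alarm.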
Viewing Document Information
A related clue is available if the victim chooses the browser’s “view document information” menu item. This will display information including the document’s URL. As above, this clue can be spoofed by replacing the browser’s menu bar. This leaves no remaining visible clues to give away the attack.
Tracing the Attacker
Some people have suggested that finding and punishing the attacker can deter this attack. It is true that the attacker’s server must reveal its location in order to carry out the attack, and that evidence of that location will almost certainly be available after an attack is detected.
Unfortunately, this will not help much in practice because attackers will break into the machine of some innocent person and launch the attack there. Stolen machines will be used in these attacks for the same reason most bank robbers make their getaways in stolen cars.
Demonstration
As a demonstration, we have implemented a working version of this attack, including all the tricks described above. The demonstration shows that the Web Spoofing attack would work in practice. Although we have shown the demonstration to many people, we have not made it available on the Web, since that would make it too easy for others to capture our demonstration and modify it to carry out real Web Spoofing attacks.
Jai Shree Raam