URL Spoofing
by Razvan Peteanu (razvan.peteanu@home.com) for securityportal.com
Translation: Fatfox (Fatfox@yesky.com)
Source: Green Corps, http://www.vertarmy.org/bbs/

URL Structure

Let's take a closer look at URLs and the security implications hidden in them. An "interesting" use of URLs was first noticed in a spammer's message, and the Knowledge Base spoof reported in the February issue of Crypto-Gram showed that URLs can do still more. Although most Internet users associate them with WWW or FTP addresses, Uniform Resource Locators (URLs) are more general. URL syntax is specified in RFC 1738, where the most common form is defined as:

<scheme>://<user>:<password>@<host>:<port>/<url-path>

The <scheme> part is the network protocol name; of the remaining parts, only <host> is required. The characters ":", "/" and "@" have special meaning, so that a client can parse the complete string. If a username and password are included in the URL, the host part starts only after the "@" character. Look at the example from the KB spoof:

http://www.microsoft.com&itm=q209354@www.hwnd.net/pub/mskb/q209354.asp

Here the real host is "www.hwnd.net"; the "www.microsoft.com" in this URL is just a fake username, which the server ignores.

Although the above example is syntactically valid, it raises security problems. At the end of an Internet node there is not a network card, a modem or a computer, but a person, who consciously or unconsciously judges whether what appears on the screen can be trusted. Trust is the most basic security evaluation. A spoofed URL like the one above exploits our commonsense trust in the format of URLs. Such deception also exploits the fact that we focus our attention on the page content rather than on the URL (even though the URL can sometimes help us judge credibility). An SSL-protected site hands part of the credibility judgement to the browser, which compares the domain against the SSL certificate; on the other hand, if the host itself is fictitious, relying on encryption alone does not give much useful assurance.

Hiding

The URL trick analysed above merely hides the real destination. We can hide it in a better way. For some reason (possibly due to internal processing), some operating systems accept an IP address not only in the aaa.bbb.ccc.ddd format but also as the corresponding decimal number. An address in that format can be rewritten as the decimal value aaa*256^3 + bbb*256^2 + ccc*256 + ddd. Thus 3633633987 is 216.148.218.195 (belonging to www.redhat.com, Red Hat). If you enter 3633633987 in the browser, you will find that you have arrived at Red Hat's website.

The above works with IE 5.x, and with Lynx under Linux, but it has not been tested on other operating systems, which may differ. Some software will reject the input as an "illegal URL", but with only a little software (including common tools such as ping) you can judge whether an operating system supports this form of URL. If the operating system supports it, you can create even greater confusion by constructing a URL like:

http://www.toronto.com:Ontario@3633633987/

This URL still points to Red Hat. Because many websites carry session identifiers in the URL, having replaced cookies with them, Internet users do not pay attention to numeric values in a URL, so the URL above raises no suspicion. The password portion can be omitted, which makes http://www.toronto.com@3633633987/ even more confusing.

Now we can use some HTML knowledge: the anchor tag allows the displayed text to refer to a link other than the text itself, so we can write the link text as http://www.toronto.com, make that text the anchor, and point the anchor at http://www.toronto.com@3633633987/. Isn't that dangerous? If you click this link, it still takes you to Red Hat.

Another abuse of trust is the address of a trusted site. Many well-known websites log outgoing visitors through a URL of the form "http://www.thisisarespectables.com/outsidelinks/http://outside": the server catches the request and then redirects the user to the target website. This lets anyone use the site as an indirect addressing service, and combined with the URL obfuscation above it lends fraudulent URLs more apparent legitimacy. A site could restrict the values accepted in the redirect field to avoid illegal inputs, but very few websites do. If the above is not enough, you can also use Unicode encoding: write the real destination URL in Unicode-encoded form, which is later decoded into the true destination. These for "
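A small checker, added here as an example (it is not code from the original article, and the helper names are hypothetical), that does what the text describes from the defender's side: it separates the userinfo a server ignores from the host actually contacted, and converts a bare decimal host back to dotted form with the 256^n formula. The sample inputs are the URLs discussed in the text.

```python
from urllib.parse import urlsplit

# Hypothetical helper names; this example is not from the original article.

def dotted_to_decimal(dotted: str) -> int:
    """aaa.bbb.ccc.ddd -> aaa*256^3 + bbb*256^2 + ccc*256 + ddd (the formula in the text)."""
    a, b, c, d = (int(octet) for octet in dotted.split("."))
    if not all(0 <= o <= 255 for o in (a, b, c, d)):
        raise ValueError("octet out of range: " + dotted)
    return a * 256**3 + b * 256**2 + c * 256 + d

def decimal_to_dotted(value: int) -> str:
    """Inverse of dotted_to_decimal: split a 32-bit integer back into four octets."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %d" % value)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def analyze_url(url: str) -> dict:
    """Report the host a client would really connect to and the deceptive signals present.

    Only the authority (between '://' and the first '/') matters here: everything
    before '@' is userinfo and is ignored by the server, exactly as the text explains.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    signals = []
    if parts.username is not None:
        signals.append("userinfo before '@': %r is not the destination" % parts.username)
        if "." in parts.username:
            signals.append("userinfo looks like a hostname (lookalike-domain trick)")
    if host.isdigit():
        # Bare decimal form of an IPv4 address; show the dotted form a reader recognises.
        host = decimal_to_dotted(int(host))
        signals.append("host given as a bare decimal integer; it is %s" % host)
    return {"real_host": host, "signals": signals}

# Constructed inputs: the URLs discussed in the text.
if __name__ == "__main__":
    for u in ("http://www.microsoft.com&itm=q209354@www.hwnd.net/pub/mskb/q209354.asp",
              "http://www.toronto.com:Ontario@3633633987/",
              "http://www.redhat.com/"):
        print(u, "->", analyze_url(u))
```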