Website Redirection Analysis (10/02/2007)
In HTML source code, you can insert "<META HTTP-EQUIV="REFRESH" CONTENT="0; url=http://www.example.com">", and the browser redirects to www.example.com when the webpage is opened. The "0" in CONTENT means the delay is 0 seconds.
Some languages like JavaScript, PHP, and ASP have their own way to redirect, so let's see some simple methods in PHP and JavaScript.
PHP
1. Header("Location: http://www.example.com");
2. echo "<script>window.location=\"http://www.example.com\"; </script>";
JavaScript
1. location.replace("http://www.example.com")
2. window.location = "http://www.example.com"
3. location.href = "http://www.example.com"
Below is a simple usage, and certainly not the only way; you can build lots of different methods.
<html><head>
<script language="javascript">
function jump(){ window.location = "http://www.example.com" }
</script></head>
<body onLoad="setTimeout('jump()', 4000)">
<h2>Wait for redirect</h2>
</body></html>
After 4 seconds (4000 milliseconds), the visitor is redirected to www.example.com.
Here is a real phish example, where wget was used to get the source file:

When you see the source code, you can see it uses a simple redirection, "location=http://www.example.com", to redirect to a real phish site.

In addition to these examples on PHP and JavaScript, you can find more information about redirection on the Internet.
Now let's look at some interesting redirection.
1. http://rds.yahoo.com/S=44831148:D1/CS=44831148/SS=44831166/SIG=11v8331g7/*http://www.example.com
When you first see this URL, you may think it connects to yahoo.com, but actually it connects the visitor to http://www.example.com. Hmm... Let's use www.sina.com.cn as an example, and capture packets with Ethereal to try to understand what happened.

As we can see, there is an "HTTP/1.1 302 Found (text/html)" entry marked in red. In RFC 2616, the HTTP/1.1 status code 302 means "The requested resource resides temporarily under a different URI.", so let's look at the details and find the different URI.

From looking at this detail, we can see where the link is redirecting visitors.
2. www.aol.com/redir.adp?_url=http://www.example.com or, in percent-encoded form, http://www.aol.com/%72%65%64%69%72%2E%61%64%70?%5F%75%72%6C=http://www.example.com.
This URL points to www.example.com:
3. http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&loc=http://us.ebayobjects.com/2c;47586106;12593038;l?http://www.example.com.
This in turn points to http://www.example.com. The difference in this sample is that there are two 302 redirections: the first 302 redirects to http://us.ebayobjects.com/2c;47586106;12593038;l?http://www.example.com, and that URL then uses another 302 redirection to send visitors to http://www.example.com in the end.
The Websense blog http://www.websense.com/securitylabs/blog/blog.php?BlogID=133 already has an example that uses methods 2 and 3 to redirect to a phish site. At present, redirection is very commonly used in phishing, so it deserves some focused attention.
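As an added example (not code from the original post), the three redirector URLs above can be unwrapped statically, without visiting them, to compare the host a reader sees with the host the link finally names. The function names are illustrative, and the code assumes the destination appears in the URL as a full http:// or https:// address, as in the post's samples.

```javascript
// Added example: statically unwrap redirector URLs like the three in the post.
// Function names are illustrative; nothing here fetches the URL.

// Undo percent-encoding (bounded rounds) so "%72%65%64%69%72" style
// obfuscation is normalised before inspection.
function safeDecode(s) {
  for (let round = 0; round < 3; round++) {
    let decoded;
    try { decoded = decodeURIComponent(s); } catch (e) { return s; }
    if (decoded === s) break;
    s = decoded;
  }
  return s;
}

// Return every absolute URL nested in rawUrl, outermost first.
function redirectHops(rawUrl) {
  let text = safeDecode(rawUrl.trim());
  if (!/^https?:\/\//i.test(text)) text = "http://" + text; // scheme-less input
  const hops = [];
  const schemeRe = /https?:\/\//gi;
  let match;
  while ((match = schemeRe.exec(text)) !== null) {
    const candidate = text.slice(match.index);
    try {
      hops.push({ host: new URL(candidate).hostname, url: candidate });
    } catch (e) { /* not a parsable URL at this offset; skip it */ }
  }
  return hops;
}

// Compare the host the reader sees with the host the link finally names.
function analyzeRedirector(rawUrl) {
  const hops = redirectHops(rawUrl);
  if (hops.length === 0) return null;
  const displayedHost = hops[0].host;
  const finalHost = hops[hops.length - 1].host;
  return { displayedHost, finalHost, hops: hops.map(h => h.host),
           crossSite: displayedHost !== finalHost };
}

// Constructed sample: the eBay double-redirect URL quoted in the post.
const sample = "http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&loc=" +
  "http://us.ebayobjects.com/2c;47586106;12593038;l?http://www.example.com";
console.log(analyzeRedirector(sample));
```

A `crossSite` result only says the link names another host; whether the server actually answers with a 302 still has to be confirmed in a packet capture like the ones above.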