Uncover the working principles and Solutions of Web spoofing by hackers

Preface

This article describes a security attack on the Internet, which may infringe on the privacy and data integrity of WWW users. This attack can be implemented on the existing system, endangering the most common Web browser users, including Netscape Navigator and Microsoft Internet Explorer users.

Attackers can create image copies throughout the WWW World. The image Web entry enters the attacker's Web server and is filtered out by the attacker's machine, allowing the attacker to monitor any activity by the attacker, including accounts and passwords. Attackers can also send erroneous or misleading data to Real Web servers in the name of attackers, and send data to attackers in the name of any Web server. In short, attackers observe and control everything they do on the Web.

Spoofing Attack

In a spoofing attack, an attacker creates a context that is easy to misunderstand to lure attackers into and make decisions without security concerns. A spoofing attack is like a virtual game: an attacker creates a wrong but convincing world around the victim. If the virtual world is true, what attackers do is understandable. Unfortunately, in the wrong world, it seems that reasonable activities may lead to disastrous consequences in the real world.

Spoofing attacks are also common in real electronic transactions. For example, we have heard of such a thing: some criminals in the west set up a false ATM in public, the machine can accept the ATM card, and will ask the user's PIN password. Once the machine obtains the attacker's PIN password, it will either "Eat card", or "fault", and return the ATM card. In either case, the criminal will obtain sufficient information to replicate a completely identical ATM card. You can imagine the following things. In these attacks, people are often fooled by what they see: the location of the ATM, their shape and decoration, and the content of the electronic display.

People often use computer systems to make security-demanding decisions based on what they see. For example, when you access an online bank, you may extract or deposit a certain amount of deposits from the account of the bank based on the Web page of the bank you see. Because you believe that the Web page you visit is the Web page of the bank you need. Whether it is the page appearance, URL address, or other related content, you are very familiar with it, there is no reason not to trust it. However, you are probably being fooled.

Web Spoofing

TCP and DNS Spoofing

Apart from the spoofing means we will discuss, there are some other means that we will not discuss here. Examples of such attacks include TCP spoofing (using forged IP addresses in a TCP packet) and DNS spoofing (where attackers forge information about machine names and networks ). If you are interested, you can read the relevant materials.

Web Spoofing

Web spoofing is a kind of electronic information spoofing in which attackers create a convincing but completely wrong copy of the entire Web world. The wrong Web looks very lifelike and has the same webpage and link. However, attackers control the wrong Web site, so that all the network information between the attacker's browser and the Web is completely intercepted by the attacker. its working principle is like a filter.

Consequence

Attackers can observe or modify any information from the attacker to the Web server. Likewise, attackers can control the returned data from the Web server to the attacker, in this way, attackers may launch many attacks, including monitoring and destruction.

Attackers can monitor the network information of attackers and record the webpage and content they visit. After an attacker fills out a form and sends it, the data will be transmitted to the Web server, and the Web server will return the necessary information, but unfortunately, attackers can completely intercept and use it. As we all know, most online companies use forms to complete their businesses, which means attackers can obtain users' accounts and passwords. Next we will see that even if the attacker has a "Secure" connection (usually implemented through Secure Sockets Layer, the user's browser will display a lock or key to indicate a secure connection), and cannot escape the fate of being monitored.

After obtaining the necessary data, attackers can modify the data in any direction between the attacker and the Web server to perform some destructive activities. Attackers can modify the validation data. For example, if an attacker subscribes to a product online, the attacker can modify the product code, quantity, or mail order address. Attackers can also modify the data returned by the Web server, such as inserting information that is easy to misunderstand or attack, and damaging the relationship between users and online companies.

 

· Comprehensive WEB
Spoof the entire Web world

You may think that it is impossible for an attacker to spoof the entire Web world, but on the contrary, the attacker does not have to store the content of the whole Web world. Instead, he only needs to create a link to the whole Web world. When he needs to provide a wrong Web page about a Web site, he only needs to create a copy of the site on his server, thus waiting for the victim to go to the Internet.

How Web spoofing works

The key to successful spoofing is to set up an attacker's Web Server between the attacker and other Web servers. This type of attack is known as "Intermediate attack" in security issues ". In order to establish such an intermediate Web server, Hackers often do the following.

Rewrite URL

First, attackers rewrite all URL addresses on the Web page so that they point to the attacker's Web server rather than the real Web server. Assuming the attacker's Web server is www.org, the attacker added a http://www.www.org before all the links to rewrite the URL. For example, a http://home.xxx1.com changes to a http://www.www.org/http://home.xxx1.com. when the user clicks the rewritten http://home.xxx1.com (maybe it still shows http: // home. xxx1), will enter the http://www.www.org, then the http://www.www.org sends a request to ttp: // home.xxx1.com and gets the real document, then rewrite all links in the document, finally, return to the user's browser through a http://www.www.org. The workflow is as follows:

1. the user clicks the modified http://www.www.org/http://home.xxx1.com;

2. http://www.www.org request documents to http://home.xxx1.com;
3. The http://home.xxx1.com returns documents to the http://www.www.org;
4. http://www.www.org override all URLs in the document;

5. The http://www.www.org returns the modified document to the user.

Obviously, all the URLs in the modified documents point to www.org. When you click any link, the user will directly go to www.org instead of the real URL. If users access other web pages in turn, they will never get rid of the possibility of being attacked.

About forms

If the attacker fills out a form on the wrong Web, the result seems to be normal, because as long as the standard Web protocol is followed, form spoofing will naturally not be noticed: the confirmation information of the form is encoded in the URL, and the content is returned in HTML format. Since all the previous URLs have been rewritten, form spoofing is natural.

After an attacker submits a form, the submitted data enters the attacker's server. The attacker's server can observe or even modify the submitted data. Likewise, after obtaining the Real Server Response Information, attackers can do whatever they want before returning it to the victim.

About "Secure Connection"

We all know that in order to improve the security of Web applications, someone has proposed a concept called secure connection. It establishes an SSL-based secure connection between your browser and the Web server. Unfortunately, it basically does not do anything in Web spoofing. Attackers can establish a seemingly normal "Secure Connection" with the error webpage provided by Web spoofing ": webpage documents can be transmitted normally and images (usually a closed key or lock) that act as secure connection signs still work normally. In other words, the browser provides users with a secure and reliable connection. However, as we mentioned earlier, the secure connection is built on www.org instead of the site the user wants.

Attack Fuse

In order to start the attack, the attacker must lure the attacker into the wrong Web created by the attacker in some way. Hackers often use the following methods.

1. Place the wrong Web link on a popular Web site;

2. If attackers use Web-based emails, they can direct them to the wrong Web;

3. Create an incorrect Web index and instruct the search engine.

Complete Web spoofing details

The attack described above is quite effective, but it is not perfect. Hackers often need to create a trusted environment, including various icons, texts, links, and so on, to provide various very credible hints to attackers. In short, it is to hide all tails. At this time, if the wrong Web is hostile, then innocent users will be in a very dangerous situation.

· WEB spoofing Solution
In addition, hackers will pay attention to the following aspects.

1. Status line

The connection status is a prompt message at the bottom of the browser, prompting all types of information about the current connection. Web spoofing involves two types of information. First, when the mouse is placed on a Web link, the connection status displays the URL address indicated by the link. In this way, attackers may notice the rewritten URL address. Second, when the Web connection is successful, the connection status displays the name of the Connected Server. In this way, attackers can notice that www.org is not the site they want.

Attackers can use java