URL spoofing-secure encryption

Source: Internet
Author: User

URL Structure

Let's take a closer look at URLs and their security implications. A "funny" way of abusing URLs has long been known to spam advertisers, but the "KB" (Knowledge Base) spoofing and the article published in Crypto-Gram in February show that a URL can do more than that.

Although most Internet users associate URLs with WWW or FTP addresses, Uniform Resource Locators are used much more widely. The URL standard is defined in RFC 1738, where the most general form is:

<scheme>:<scheme-specific-part>

Some schemes are network protocol names, and for schemes that use an IP-based protocol the scheme-specific part has a common syntax:

//<user>:<password>@<host>:<port>/<url-path>

Only some of these parts are required. ":" and "@" have special meanings so that the complete string can be parsed unambiguously: if a user name and password are included in the URL, the host part only starts after the "@" character. Let's look at the KB spoofing example:

http://www.microsoft.com&item=q209354@www.hwnd.net/pub/mskb/Q209354.asp

The real host is "www.hwnd.net". In this URL "www.microsoft.com" is just a bogus user name and is ignored by the server.

Although the above example is syntactically valid, it can cause security problems. The endpoint of an Internet node is not a NIC, a modem or a computer but a person, who, consciously or not, has to judge whether what appears on the screen is trustworthy.

Trust is the most basic security evaluation. Fraudulent URLs like the example above exploit our common-sense trust in the URL format. This spoofing also exploits the fact that we focus our attention on the main content rather than on the URL (although sometimes the URL helps us judge reliability: for an SSL-protected website, the browser compares the domain name with the SSL certificate, so part of the reliability judgement is handed over to the browser. On the other hand, if the target host is fictitious, relying solely on encryption technology offers little useful guidance).

Hide

The URL trick above merely hides its real destination; there is a better way to hide it. For some reason (possibly internal processing), some operating systems accept IP addresses not only in the common dotted form aaa.bbb.ccc.ddd but also as the corresponding decimal number.

The dotted address can be rewritten as a decimal value: aaa * 256^3 + bbb * 256^2 + ccc * 256 + ddd. In this way, 3633633987 is 216.148.218.195 (an address belonging to www.redhat.com, the Red Hat company). Enter 3633633987 in the browser and you will find that you have arrived at the Red Hat website. This works with IE 5.x, or with Lynx on Linux; other operating systems were not tested and may behave differently. Some software reports "invalid URL" for such input, but by testing with a few programs (including common tools such as ping) you can determine whether the operating system supports this form of address.

If the operating system supports this, you can create even more confusion with a URL such as http://www.toronto.com:ontario@3633633987/, which still points to Red Hat. Because many websites store an HTTP session ID in the URL instead of using cookies, Internet users pay no attention to numeric values in URLs, so such a constructed URL raises no suspicion. The password part can be omitted, which makes http://www.toronto.com@3633633987/ even more confusing. Now add some HTML knowledge: the anchor tag lets the displayed text differ from the link target, so we can display the text http://www.toronto.com while the anchor's target is http://www.toronto.com@3633633987/. Isn't that dangerous? Clicking the link still takes you to Red Hat.

Another abuse of trust is provided by the indirect addressing of trusted sites. Many well-known websites record visitors leaving the site through links of the following form: "http://www.thisisarespectablesite.com/outsidelinks/http://externalsite". The server captures the request and then redirects the user to the target site.

This lets anyone combine such a redirection service with the URL confusion above to lend a fraudulent URL more legitimacy. The site could restrict the values accepted in that part of the request to reject illegal input, but few websites do so.

If the above is not enough, you can write the real target URL in Unicode-encoded form and let it be decoded to the real destination.
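The tricks described above (the bogus user name before "@", the decimal host, the redirector link and the encoded URL) all come down to the same defender's question: which host does the client actually connect to, and does the URL show any of these warning signs? The following is an added example written for this page, not code from the article or from any tool it mentions. It uses only the Python standard library; the sample URLs are the article's examples with spaces removed plus one constructed percent-encoded host, and the treatment of a bare integer host as a 32-bit IPv4 address mirrors the decimal form the article describes.

```python
"""Added example (not from the article): what a URL really points to.

Uses only the Python standard library. The sample URLs at the bottom are the
article's examples with spaces removed, plus one constructed percent-encoded
host."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# A second absolute http(s) URL inside the path or query marks the
# "indirect addressing" (redirector) pattern described in the article.
_EMBEDDED_URL_RE = re.compile(r"https?://", re.IGNORECASE)


def dotted_to_decimal(addr: str) -> int:
    """aaa*256^3 + bbb*256^2 + ccc*256 + ddd, the article's formula."""
    return int(ipaddress.IPv4Address(addr))


def decimal_to_dotted(value: int) -> str:
    """Inverse of dotted_to_decimal: 3633633987 -> '216.148.218.195'."""
    return str(ipaddress.IPv4Address(value))


def normalize_host(host: str) -> tuple:
    """Return (canonical_host, kind); kind is 'decimal', 'ip' or 'name'.

    A bare integer is treated the way inet_aton-style resolvers treat it: as a
    32-bit IPv4 address. Integers that do not fit 32 bits fall through and are
    reported as names so the caller still sees the raw value."""
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        return decimal_to_dotted(int(host)), "decimal"
    try:
        return str(ipaddress.IPv4Address(host)), "ip"
    except ValueError:
        return host.lower().rstrip("."), "name"


def inspect_url(url: str) -> dict:
    """Report the host a client would actually connect to and the warning
    signs from the article: userinfo that looks like a hostname, a decimal or
    IP-literal host, an embedded URL (redirector), and percent-encoding."""
    parts = urlsplit(url.strip())
    # urlsplit already applies the RFC rule: everything before the last "@"
    # in the authority is user[:password], never the host.
    username = parts.username or ""
    raw_host = parts.hostname or ""
    # Decode %xx in the host before classifying it; some clients decode the
    # host before resolving it (assumption: treat any escape as suspicious).
    host, kind = normalize_host(unquote(raw_host))

    flags = []
    if parts.scheme in ("http", "https") and "@" in parts.netloc:
        flags.append("userinfo_present")
        if "." in username:  # heuristic: a user name with dots reads like a site
            flags.append("userinfo_looks_like_host")
    if kind == "decimal":
        flags.append("decimal_host")
    elif kind == "ip":
        flags.append("ip_literal_host")
    if _EMBEDDED_URL_RE.search(unquote(parts.path + "?" + parts.query)):
        flags.append("embedded_url")
    if "%" in url and unquote(url) != url:
        flags.append("percent_encoded")

    return {
        "scheme": parts.scheme,
        "shown_first": username,  # what a casual reader takes for the site
        "real_host": host,
        "host_kind": kind,
        "flags": flags,
    }


# Constructed sample input: the article's URLs (spaces removed) plus a
# percent-encoded host that a scanner should canonicalise before comparing.
SAMPLE_URLS = [
    "http://www.microsoft.com&item=q209354@www.hwnd.net/pub/mskb/Q209354.asp",
    "http://www.toronto.com:ontario@3633633987/",
    "http://www.toronto.com@3633633987/",
    "http://www.thisisarespectablesite.com/outsidelinks/http://externalsite",
    "http://%77%77%77.redhat.com/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        report = inspect_url(sample)
        print(f"{sample}\n  -> connects to {report['real_host']} "
              f"({report['host_kind']}); flags: {report['flags']}")
```

The point of canonicalising before comparing is that an allow-list or block-list check on the raw string is defeated by every trick on this page; comparing `real_host` after normalisation is what a link scanner or a redirector's input filter should do.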

None of this is new to "knowledgeable" spam advertisers, but it is very effective against users who are generally not suspicious of such attacks.

One-click Attack

Next, we look further into URL security issues.

Many "standard" attacks start with a buffer overflow, but suppose no such overflow can be found. What then?

The registry contains the key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler, and there is also the subkey "URL Protocol" under HKEY_CLASSES_ROOT\Shell (you can search the registry for these keys). There you will find ftp://, http://, https://, mailto:, news://, pnm:// and other protocols. Many of them have never been seen before, such as msee://. A quick test showed that msee:// is used by "" and may be used to look up internal articles. Does "" cause a buffer overflow? If so, can it actually be exploited? Further research is required.

Many more URL schemes (such as copernic://, created by the Copernic search tool) are added during software installation. In addition, a script can modify the victim's registry to add our own URL scheme; the script can be written in VBS and sent by email, and then ......... this URL scheme can be used to cause a buffer overflow. Although this seems only loosely connected with URLs, there is still a connection, so we discuss it here.
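From the defender's side, the registry search described above is an inventory question: which URL schemes are registered on a machine, and which program receives the URL when one of them is clicked? The following is an added example written for this page, not code from the article. It parses the text produced by `reg export HKEY_CLASSES_ROOT out.reg` (a real command; the sample export embedded below is constructed, with placeholder executable paths and a hypothetical exampleapp scheme) and lists every scheme that carries the "URL Protocol" marker together with its shell\open\command. Entries under PROTOCOLS\Handler (pluggable protocol handlers) and multi-line hex() values are outside its scope.

```python
"""Added example (not from the article): list the URL schemes registered in
an exported HKEY_CLASSES_ROOT branch and the program each one launches.

Input is the text produced by `reg export HKEY_CLASSES_ROOT out.reg`. The
sample below is constructed, with placeholder paths. Only the per-scheme
"URL Protocol" marker and shell\\open\\command are handled; the
PROTOCOLS\\Handler branch and multi-line hex() values are not parsed."""
import re

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def _decode_string(data: str) -> str:
    """Undo .reg quoting for REG_SZ values (double-quoted, backslash escapes);
    any other value type is returned as the raw text."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: data}}; "@" is the default value."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            keys[current][name] = _decode_string(m.group("data"))
    return keys


def find_url_handlers(keys: dict) -> list:
    """One record per scheme: the HKCR\\<scheme> keys carrying the
    "URL Protocol" value, joined with the default value of their
    shell\\open\\command subkey. receives_url is True when the command passes
    the whole URL (%1) to the program, i.e. attacker-controlled input."""
    handlers = []
    for key, values in keys.items():
        hive, sep, scheme = key.partition("\\")
        if (sep and "\\" not in scheme and hive.upper() == "HKEY_CLASSES_ROOT"
                and "URL Protocol" in values):
            command = keys.get(key + "\\shell\\open\\command", {}).get("@", "")
            handlers.append({
                "scheme": scheme.lower(),
                "command": command,
                "receives_url": "%1" in command,
            })
    return sorted(handlers, key=lambda h: h["scheme"])


# Constructed sample export; executable paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\http]
@="URL:HyperText Transfer Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Path\\To\\browser.exe\" \"%1\""

[HKEY_CLASSES_ROOT\exampleapp]
@="URL:ExampleApp Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\exampleapp\shell\open\command]
@="\"C:\\Path\\To\\exampleapp.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''

if __name__ == "__main__":
    for h in find_url_handlers(parse_reg_export(SAMPLE_REG)):
        print(f"{h['scheme']}://  ->  {h['command']}  (receives URL: {h['receives_url']})")
```

Run against a real export, the list shows every scheme a web page or e-mail can invoke on that machine; each entry whose `receives_url` is True is a program that parses attacker-supplied text, which is the surface the article speculates about and the one worth reviewing or removing when the scheme is not needed.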
