URL spoofing

URL spoofing (to German as: faking an URL ) is the World Wide Web applied ( spoofing -) method to the visitor to a site fraudulently pretend a false identity or to disguise the actual address of the page.

terminology

At least the following variants are distinguished in URL spoofing:

Link spoofing
Frame spoofing

While the fraudulent URL is directly visible in the browser with link spoofing (if it is not running in kiosk mode ), the manipulation with frame spoofing is not immediately visible to the user.

Sometimes website spoofing is spoken of in a more general way, where you can no longer tell from which website the content is coming from, even in the URL (of the browser).

All variants are content spoofing.

functionality

A distinction must be made between attacks on the user (browser) and attacks on the server (web application) in terms of functionality.

Content spoofing

With phishing , for example, a user can be fooled into thinking he is on the page http://register.example.com - in truth, the address http: //register.example.com@192.168.1.1 is called instead , which one Authentication of the user “register.example.com” at the host 192.168.1.1 corresponds to.

URL spoofing is made possible by security holes in web browsers . In December 2003, for example, the spoofing of such a URL in Internet Explorer and published patches worked. But Mozilla also had the same problem at the end of 2003, which was only fixed with version 1.6. After the problem initially appeared to have been resolved in early 2004, exploits reappeared in April 2004 that worked in Internet Explorer , Opera 7.2, KDE's Konqueror 3.1.3 and Apple's Safari . Only Mozilla's browser was not affected this time.

URL spoofing can also be caused by web application security vulnerabilities . The web application sends data provided by the user to the browser. This is particularly dangerous if it can misuse a trustworthy site for phishing. What is particularly tricky here is that this also works with HTTPS-secured websites without violating the SSL certificate.

Server side

The following can also be described as URL spoofing: Some sites charge for their services. With some websites, you can make this payment ineffective by spoofing the so-called HTTP referrer , which contains the address of the last website you visited, and thus access possibly adult content. For example, you set the HTTP referrer address on a URL within the protected member area. The server of the corresponding website assumes that the respective user is already logged in, unless the operator has installed an additional check.

Types of attack

Attacks on the browser (content spoofing) take place either through the transmission of appropriately manipulated links to the user by email or through the entry of a correspondingly defective link e.g. B. in forums, blogs, etc. Cross-site scripting vulnerabilities are mostly exploited in web applications. HTTP response splitting vulnerabilities in web servers or web applications can also be used.

Web links

A-I3 - Working Group on Identity Protection on the Internet

Individual evidence

↑ Jürgen Schmidt: Fake URLs in Internet Explorer . In: Heise Security, December 9, 2003.
^ Daniel Bachfeld: Wrong URLs also under Mozilla . In: Heise Online, December 15, 2003.
↑ Daniel Bachfeld: Another trick for URL spoofing in Internet Explorer . In: Heise Online, April 1, 2004.

[1] Jürgen Schmidt: Fake URLs in Internet Explorer . In: Heise Security, December 9, 2003.

[2] Daniel Bachfeld: Wrong URLs also under Mozilla . In: Heise Online, December 15, 2003.

[3] Daniel Bachfeld: Another trick for URL spoofing in Internet Explorer . In: Heise Online, April 1, 2004.