[WEB SECURITY] URL Hiding - new method of URL Spoofing attacks

MustLive mustlive at websecurity.com.ua
Sun May 31 08:19:16 EDT 2009


Hello participants of Mailing List.

As I wrote in my article URL Hiding - new method of URL Spoofing attacks
(http://websecurity.com.ua/3189/), there is one interesting attack on
search engines.

In continue of my researches of vulnerabilities
(http://websecurity.com.ua/3102/) in search engines
(http://www.webappsec.org/lists/websecurity/archive/2009-05/msg00011.html),
I tell you about new interesting method of URL Spoofing attacks, which I
called URL Hiding. It can be used for conducting of fishing attacks and for
spreading of malware (particularly it can be used with previously described
methods). This URL Hiding attack I found in Google, but other search engines
also can be vulnerable.

This month, 19.05.2009, during searching in Google, I found interesting
site, which not shows its URL in serp. I saw such sites earlier during using
of Google (from 2000), but it's first site which address I wrote down. This
site is http://_-lilit-_.photosight.ru.

http://www.google.com.ua/search?q=site%3A_-lilit-_.photosight.ru

In case when URL Hiding is using together with URL Spoofing methods, which I
wrote about earlier (when long URL is made, e.g. with using of “_” char),
then it improves the effectiveness of fishing and others attacks. Because
long and suspicious URL will not be shown in serp of search engine, and when
user will go by the link, then he can to not notice the URL (via using of
URL Spoofing methods).

As I thought first, when using of underscore (like in case of
http://_-lilit-_.photosight.ru), Google will not show address in serp at
all. But there is no such effect in case of http://ane4ka-_.shalala.ru.
Potentially it works only in case, if first char of domain is underscore.

I made a lot of researches when I was looking for sites with underscores,
which hasn't URL in serp, but didn't find any such sites (but found one
interesting bug in Google). So method of attack on Google for hiding of
address of sites in serp can use this (with underscore at the beginning of
domain), or other approach. But in any case URL Hiding attack is dangerous,
because it allows to use search engines (Google in particular) for
conducting of fishing and other attacks.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list