[4846] in WWW Security List Archive


Client-based web spoofing

daemon@ATHENA.MIT.EDU (Henri Torgemane)
Tue Mar 18 15:11:48 1997

Date: Tue, 18 Mar 1997 13:23:50 -0500
From: Henri Torgemane <henri.torgemane@etu.utc.fr>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

I just checked the paper on web spoofing from Princeton.
They assume all the connections have to go through a
hostile machine, which doesn't really seem necessary.

We can imagine the following scenario:
When a hostile server is contacted, a piece of program
is sent back with the page. From then on, the program
'takes control' of the browser, checking every connection.
In most cases, the connection stays unchanged. But for some
pages, a substitution is done. The source page for the
substitution could be stored inside the program, or be
downloaded from the hostile server.
Such a scenario would avoid intensive calls to the hostile
server, making the spoofing harder to detect.
Now we could imagine that the program intercepts
any form submission and sends a copy of the content of the
form to the hostile server before actually sending it
to the real server. This avoids the hassle of creating a page
'looking like' the original, because it _is_ the original.
This kind of attack would be 'cheaper' than the regular one,
because it could be launched from a single HTML page.
A trivial CGI would be required to log the information sent
back by the program.

Any thoughts about this (assuming this is technically possible)?

Henri
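
One way a defender could look for the form-copying behaviour described in the message above, as an added example that is not part of the original post. It scans a constructed log of outbound requests for the same form content posted to two different origins within a short window; the record fields (`ts`, `method`, `referer`, `url`, `body`), the host names and the 2-second window are assumptions of this example.

```javascript
// Constructed sample of outbound requests as a logging proxy might record them.
// Field names (ts, method, referer, url, body) are assumptions for this example.
const sampleLog = [
  { ts: 1000, method: 'GET', referer: '', url: 'http://shop.example/order.html', body: '' },
  { ts: 5000, method: 'POST', referer: 'http://shop.example/order.html',
    url: 'http://collector.example/cgi-bin/log', body: 'name=A+User&card=0000111122223333' },
  { ts: 5120, method: 'POST', referer: 'http://shop.example/order.html',
    url: 'http://shop.example/cgi-bin/order', body: 'name=A+User&card=0000111122223333' },
  { ts: 9000, method: 'POST', referer: 'http://news.example/search.html',
    url: 'http://news.example/cgi-bin/search', body: 'q=web+spoofing' },
];

// Order-insensitive key for a urlencoded form body, so a copy with
// reordered fields still matches the original submission.
function bodyKey(body) {
  return [...new URLSearchParams(body)].map(([k, v]) => `${k}=${v}`).sort().join('&');
}

// Flag pairs of POSTs carrying the same form content to different origins
// within windowMs. The copy is taken to be the request whose origin differs
// from the referring page; if that cannot be decided, the earlier one is reported.
function findDuplicatedSubmissions(log, windowMs = 2000) {
  const posts = log.filter(r => r.method === 'POST' && r.body)
                   .sort((a, b) => a.ts - b.ts);
  const findings = [];
  for (let i = 0; i < posts.length; i++) {
    for (let j = i + 1; j < posts.length && posts[j].ts - posts[i].ts <= windowMs; j++) {
      const [a, b] = [posts[i], posts[j]];
      const [oa, ob] = [new URL(a.url).origin, new URL(b.url).origin];
      if (oa === ob || bodyKey(a.body) !== bodyKey(b.body)) continue;
      const pageOrigin = a.referer ? new URL(a.referer).origin : null;
      const copy = ob !== pageOrigin && oa === pageOrigin ? b : a;
      findings.push({ copyTo: new URL(copy.url).origin,
                      page: a.referer, gapMs: b.ts - a.ts });
    }
  }
  return findings;
}

console.log(findDuplicatedSubmissions(sampleLog));
```

A match is only a lead for review: a page that legitimately posts the same fields to two services would be flagged as well.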
