A web site can change the path that is used to reach a resource by supplying an HTTP redirect to direct the user’s web browser to the new location. The 302 Found HTTP response status code can be used for this purpose. The HTTP response status code 302 Found is a common way of performing URL redirection. Attackers often use legitimate HTTP functions such as HTTP redirects to carry out their attacks. Therefore, security analysts should understand how a function such as HTTP redirection works and how it can be misused during attacks.
An HTTP response with the 302 Found status code will also provide a URL in the Location header field of the response. The browser interprets the 302 HTTP response status code to mean that the requested resource has been temporarily moved to the new location provided in the response. The browser is expected to make an identical request to the new URL that is given in the Location field. The HTTP/1.0 specification (RFC 1945) gives the 302 HTTP response status code the description “Moved Temporarily.”
A common technique that is used by attackers to avoid detection is to obfuscate the source from which the malware was downloaded by using a series of web redirections. Attackers can use the legitimate “302 Found” response to create a series of web redirections before the victim’s browser is finally redirected to the server that delivers the exploit to the victim’s machine. These intermediate web sites are also known as gates. The URL of these gates changes often, about every half-hour or so, to deny security researchers the time to gather enough information to produce meaningful attack analysis. The use of the gates also adds extra layers, which makes it harder to determine the source of the malware. Using HTTP 302 redirections also eliminates the need for iFrames or external scripts, because HTTP 302 redirections are less likely to raise suspicion.
Shown below is an example where an attacker has compromised a legitimate web site (example.com), causing the web site to respond to the victim’s HTTP request to compromise.example.com/index.php with the 302 Found HTTP response status code. This creates a series of HTTP 302 redirects through the attacker’s proxies, before the victim’s browser is finally redirected to the attacker’s web page that spreads the malicious exploit to the victim.
Whether using an iFrame or HTTP 302 cushioning, the main goal of the attacker is to ensure the victim’s web browser ends up on the attacker’s web page which serves out the malicious exploit to the victim.
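To show how an analyst can reconstruct such a chain from proxy records and separate it from routine single-hop redirects, here is an added Python example (not from the original page). The log records, host names and the three-host threshold are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample proxy records (not from the original page): each entry is
# (requested URL, HTTP status code, Location header value or None).
SAMPLE_LOG = [
    ("http://compromise.example.com/index.php", 302, "http://gate-one.invalid/a"),
    ("http://gate-one.invalid/a", 302, "//gate-two.invalid/b"),  # scheme-relative Location
    ("http://gate-two.invalid/b", 302, "/c"),  # path-relative Location on the same gate
    ("http://gate-two.invalid/c", 302, "http://landing.invalid/exploit.html"),
    ("http://landing.invalid/exploit.html", 200, None),
    ("http://shop.example.net/cart", 302, "https://shop.example.net/cart"),  # benign upgrade
    ("https://shop.example.net/cart", 200, None),
]

def build_redirect_map(records):
    """Map each URL answered with a 3xx to its absolute target. Location may be
    relative, so resolve it against the requested URL as a browser would."""
    return {url: urljoin(url, loc)
            for url, status, loc in records if 300 <= status < 400 and loc}

def follow_chain(start, redirects, max_hops=20):
    """Walk redirects from start; stop at a non-redirecting URL, a loop, or max_hops."""
    chain, seen = [start], {start}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:  # redirect loop: stop instead of spinning forever
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def hosts_in_chain(chain):
    return [urlsplit(u).hostname for u in chain]

def find_suspicious_chains(records, min_hosts=3):
    """Flag chains crossing at least min_hosts distinct hosts. A same-host hop
    (HTTP->HTTPS upgrade) is routine; a multi-host chain is the cushioning pattern."""
    redirects = build_redirect_map(records)
    targets = set(redirects.values())
    findings = []
    for start in redirects:
        if start in targets:  # reached from an earlier hop, not a chain start
            continue
        chain = follow_chain(start, redirects)
        hosts = sorted(set(hosts_in_chain(chain)))
        if len(hosts) >= min_hosts:
            findings.append((start, chain[-1], len(chain) - 1, hosts))
    return findings
```

Each finding records the first URL of the chain, the final landing page, the hop count and the hosts traversed, which is the information an analyst needs to pivot into the gates.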
The partial Wireshark output below shows the HTTP 302 response where a compromised website is used to redirect the victim.
Countermeasures to attacks using HTTP 302 cushioning include the following:
- Use a service such as Cisco OpenDNS to block the users from accessing malicious web sites.
- Deploy a web proxy security solution, such as the Cisco Web Security Appliance or Cisco Cloud Web Security, to block users from accessing malicious web sites.
- Educate end users on how the browser is redirected to a malicious web page that delivers the exploit to the victim’s machine through a series of HTTP 302 redirections.