Attacking Users - Web IFrames

ATTACKING USERS - WEB IFRAMES

I had always heard the term "attacking the web user" and acknowledged it with a academic understanding. But recently I have had to update my perception as I am seeing for myself how such attacks can cause damage to a company and to a person. I admit freely that my web security skills are not great but I have been motivated to learn more, as I try to get to grips with this. Lets start off with a "thought experiment".

You are browsing a site, and you get to a screen like this..

Now also lets imagine you just happened to also be running a local type of web proxy, say something like fiddler (see here), what you would expect to see is something like this..

All fine and well, as to be expected. Now stop for a bit. Think about if you were a firewall admin, the web proxy admin, whoever would have cause to review traffic. If you had seen this session, you would have seen the user access that webpage. Great. Now lets move forward. Lets assume the initial page was a little different, say it looked like this..

Hmmm. There are 3 Iframes embedded into the page to three popular sites, the actual html code for this is..

<iframe width=200 height=200 src="http://www.google.com"></iframe> <iframe width=200 height=200 src="http://www.yahoo.com"></iframe> <iframe width=200 height=200 src="http://www.tinypic.com"></iframe>

As for your web traffic..

So what we can see, is that without you clicking on anything on the initial page, the site got your browser to intiate connections out to other sites. But so what you ask, I can see it, sure it badly designed, but so what? Lets just tweak the html a bit and try a new page, it looks like this..

Looks a lot like the first screen? But what does your proxy show? Lets take a look..

Interesting. So what we see is that while you saw nothing, your browser still made requests to those 3 sites. This is done very simply by changing the previous code for the iframes to..

<iframe width=0 height=0 src="http://www.google.com"></iframe> <iframe width=0 height=0 src="http://www.yahoo.com"></iframe> <iframe width=0 height=0 src="http://www.tinypic.com"></iframe>

Now lets stop and think again. You are firewall admin and you see this user visiting a banned site, but did he? A user has accessed a malware page, but did he? Or from another point of view, if you can modify the code of a popular site, or even if you are the admin of a popular site, you put a couple of iframes in the code and add in a refresh metatag, point the iframes to a site you want to DOS, and away you go. The target will never see traffic coming from you, since all the client browsers are initiating the sessions. Or say you wanted to push up your online ad revenue, you could point visitors to ad-links, and the users would never know they visited the page and made you a little richer. And have no doubt there are many ways to skin this cat, you could use javascript to accomplish the same thing, except put a delay between each iframe so that not everything is fired off at once. And with the amount of legimate websites getting hacked (google that and have fun reading), things get interesting.

Final Words
I realise this is old hat for many people, but it just once agian brought home to me a couple of things;

Remember you can only check for what you know. If you do not know this, then according to your logs -which do not lie- the user is guilty
Remember attackers go for bulk, if not then no home users would get hit, but we all know that is not true. Everyone is a target.
Be careful what you take as evidence, things can very easily be more then they appear.

As always, try it out, have fun and learn.