
What is Spoofing ? Spoofing Tutorial !!

Spoof (To Fool)

A spoofing attack basically means pretending to be someone you are not. There is a wide range of different spoofing attacks; however, we are only interested in a very simple form (HTTP spoofing). For a detailed definition of spoofing see http://www.absoluteastronomy.com/topics/Spoofing_attack

In an HTTP spoof you are pretending to be a logged-on user, when in fact you are a cheapskate trying to get porn for free.

Http Spoof

HTTP is a pretty simple protocol with a request/response architecture. Every HTTP message carries a set of headers: your browser sets them when making a request, and the server sets them when making a response.

A basic HTTP Request looks like:

GET / HTTP/1.1
Host: www.google.com
Connection: close

However your browser will also typically add the following headers:

User-Agent: The browser model you are using
Http-Referer: The last page you visited (the header name actually sent on the wire is Referer)
Accept: The content (file) types your browser/PC can accept
Cookie: A cookie header, this is how cookies are passed between client and server

The header we are obviously interested in is the Http-Referer header. Let's have a look at it being used: you will have noticed that some sites highlight the terms you searched for on Google. This is done using the Http-Referer header. When you search Google you will have a URL that looks like:

http://www.google.co.uk/search?q=hacking

This URL will be in the Http-Referer header when you click on a link. All the owner of the site has to do to find what you searched for is look at the Http-Referer header, see if it came from Google and look at the q parameter. From this the owner can see that you searched for "hacking" and highlight that term in their text before displaying the page. Neat!

Here is a simple example:
http://suda.co.uk/ala/example.php

Http-Referer used for security:

Often adult sites are grouped together and owned by a single site. The administrators like to allow a user to log in once and then access all of the sites in the group without having to log on again. Typically this is done by checking the HTTP-Referer header. You may think that cookies would be a better way to do this, but cookies are domain specific: a browser will not allow a site hosted on one domain to see cookies placed by another domain.

Consider the following:

Visit Site A without logging on.
Site A redirects you to Site B to log on.
You log in.
Site B redirects you to Site A.
You can view the content on Site A.

This is very typical usage of the Http-Referer header for security. It works because Site A checks the HTTP-Referer header to make sure you have come from a secure location, i.e. either the members area of Site B or the members area of Site A.
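
Because the Referer header (the wire name for what this tutorial calls Http-Referer) is set by the client, the check described above is satisfied by anyone who sends the right value. The following added example, which is not code from the original page, puts that check beside an HMAC-signed, expiring handoff token that Site B appends to its redirect; the host names, shared key and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

# Constructed values for illustration only; none come from the original page.
TRUSTED_HOSTS = {"members.site-a.example", "members.site-b.example"}
SHARED_KEY = b"constructed-demo-key-shared-by-site-a-and-site-b"
TOKEN_TTL = 60  # seconds a handoff token stays valid


def referer_gate(headers):
    """Weak check from the tutorial: trust the client-supplied Referer header."""
    host = urlparse(headers.get("Referer", "")).hostname
    return host in TRUSTED_HOSTS


def _sign(payload):
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, now=None):
    """Site B, after a real login: sign user + expiry and append it to the redirect."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload)}"


def token_gate(token, now=None):
    """Site A: return the user only for an unexpired token with a valid HMAC."""
    try:
        user, expires_s, sig = token.split("|")
        expires = int(expires_s)
    except ValueError:
        return None  # malformed token
    expected = _sign(f"{user}|{expires}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged or tampered
    if (time.time() if now is None else now) > expires:
        return None  # expired
    return user


if __name__ == "__main__":
    # The Referer gate opens for any request carrying a trusted-looking value.
    print(referer_gate({"Referer": "https://members.site-b.example/home"}))
    print(token_gate("alice|9999999999|" + "0" * 64))  # forged signature
    print(token_gate(issue_token("alice")))
```

A token like this can still be replayed within its lifetime; recording each token server-side and accepting it once closes that gap.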

So how do you spot a HTTP Spoof?

When you log in to a site using your username and password, check out the other sites you get free with your username and password. Try accessing these. If you can access them without having to log in again, you have found a potential spoof.

How to verify a potential HTTP Spoof?

Go to the site that was linked from the main site directly, i.e. copy a link from some content into a new browser window. If it does not let you access the content then we have passed test 1.

Next, copy the URL of the page with the link to the free site; this will be our HTTP-Referer header. Copy the link to the free site; this will be our target URL. Enter these two URLs into your favourite spoofing tool and have a go. If it works then post your newly found spoof at Sammys. (Note: it is worth deleting your cookies before this test, just to make sure.)

HTTP Spoofing Tools

HTTP spoofing tools are very simple: all they do is alter the HTTP-Referer header that your browser sends. Better tools will also provide a way to manage and store all of your favourite spoofs.

Personally I like to use Firefox, so I use the following extension:
https://addons.mozilla.org/en-US/firefox/addon/3829

This allows me to alter any HTTP header that Firefox sends. So I just set the HTTP-Referer header to the correct value and then browse as usual. The only problem is that I have to manage my own spoofs list.
