Paid Advertising
web application security lab

Referrer Spam Plus CSS History Equals Effective

It occured to me today as I looked over the referrer spam in my logs that it is particularly ineffective these days. For those of you who aren’t webmasters or don’t look at your logs very often, referrer spam is when spiders connect to your website and send a fake HTTP_REFERER (sic) header that incorrectly tells you that someone is linking to you. Most of the time it’s pretty ineffective, however, with Jeremiah’s CSS history hack, it might be far more useful.

It stands to reason if I’m an administrator of a website I’ve probably been to the homepage at some point in my last browser session. Of course I can turn that off the cross domain leakage with Safe History but no one uses that so the attack is pretty effective. If you know there is a single choke point (like a login page) that the administrator must use that’s even better, as they will have to use it to view their logs.

By verifying that the person looking at the logs is the person viewing the site in the logs the spammer can be sure that the webmaster views their logs and does something with them that may be effective in generating traffic. This is similar to how email spammers put tracking links on their email to watch open rates against particular emails (that’s why you should never auto-render images and you should never use the preview pane as that opens them automatically). Anyway, new attacks using this old hack are always interesting to me.

Comments are closed.