Simulated clicks next up previous
Next: Detailing the attack Up: Undetectable hit inflation for Previous: Undetectable hit inflation for

Simulated clicks


A component of our attack is the "simulated click", in which one Web page (the referrer) causes the user's browser to request another Web page (the target) on another Web site, with a Referer field naming the referrer. Indeed, our attack of Figure 2 consists essentially of two simulated clicks, one from S to R and one from R to T. The preservation of the Referer field is critical for a simulated click (and our attack), and this requirement rules out some of the most straightforward possible implementations: e.g., if the referrer serves a page that "refreshes" the browser to the target page using HTML's <meta> tag (see [4]), then this retrieves the target page but does not preserve the Referer field. As discussed in Section 1, simulated clicks are already practiced in hit inflation attacks on the Web today. However, presently there seems to be little attempt to hide these simulated clicks from users (e.g., see [6]), whereas we use techniques to hide simulated clicks from users to limit detectability of our attack and the annoyance caused to users.

One feature that makes simulated clicks possible is that modern browsers transmit Referer information not only for pages requested by explicit user clicks, but also for components embedded in pages like images, and especially subdocuments like frames and layers (see, e.g., [4] for an introduction to these constructs in HTML). For example, the Web page containing a layer is named in the Referer header of the request for the document contained in the layer, even though no user clicks are involved when the layer contents are retrieved. Therefore, a simple and effective simulated click can be achieved for Netscape Navigator 4.x (NN4) and Microsoft Internet Explorer 4.x (IE4) if the referring site serves a page with a layer that contains the target page (NN3 and IE3 do not support layers). To hide this simulated click from the user, the layer containing the target page can be made of zero size, or stacked below the containing document so that it is invisible to the user. Another form of simulated click can be achieved using frames with IE3 and IE4, since these browsers report the document containing a frameset as the Referer for the documents in each of the frames. Thus, a referrer can create an invisible, simulated click to a target by serving a page that contains a frameset with a zero-size frame that loads the target page. Interestingly, NN3 and NN4 report the Referer of the page containing the frameset as the Referer for each of the documents in the frames. Thus, we use layers to conduct a subdocument-based simulated click in NN4. It is somewhat more awkward to perform a subdocument-based simulated click in NN3. In order to use the appropriate form of simulated click, the server can determine the user's browser and version from the User-Agent header in the browser's request.

For reasons that will be described in Section 3.2, these subdocument-based forms of simulated click will not suffice to make our attack as effective as it can be. Rather we will also employ JavaScript for explicitly simulating a click on a link (see, e.g., [2] for more information about JavaScript). When a JavaScript script in a Web page causes this simulated click on one of its own links, the browser behaves as if the user clicked on the link, and thus requests the URL of the link and loads it into the browser. In order to hide this simulated click from the user, the referring page can cause the contents of the "clicked" URL to be loaded into a separate window that lies beneath the user's browser window. Then the referring page can quickly close this window once the referred-to page has started loading, or after a brief duration in which the page should have started loading. The attentive user might notice an additional window indicated on her desktop toolbar for a brief moment, but otherwise this additional window will almost certainly go unnoticed by the random user for the brief period of time in which it is present. And even if the user does notice the additional window, the JavaScript script can still prevent the user from exposing it before it is closed by repeatedly raising the main browser window above it.

The JavaScript mechanism to simulate a click on a link differs slightly from browser to browser, and care must be taken to ensure that this simulated click preserves the Referer field received by the target. In IE4, link objects support the click() method that, when invoked, causes the browser to behave as if a user clicked on the link. Referrer information is preserved, i.e., the document containing the link is reported to the target Web site as the Referer. In NN3 and NN4, as well as in IE3, link objects do not have the convenient click() method. However, using a script to send the browser window to the URL corresponding to the link causes the script's page to be reported as the referrer to the target Web site.

To summarize, the attack that we detail in the following section will use two different forms of simulated clicking. The first employs a subdocument (i.e., layer or frame) form of simulated click in the referring page and will be called a subdocument-based simulated click. The second employs JavaScript and will be called the JavaScript simulated click.

next up previous
Next: Detailing the attack Up: Undetectable hit inflation for Previous: Undetectable hit inflation for
Mike Reiter