Next: Detailing the attack Up: Undetectable hit inflation for Previous: Undetectable hit inflation for
A component of our attack is the "simulated click", in which one Web page (the referrer) causes the user's browser to request another Web page (the target) on another Web site, with a Referer field naming the referrer. Indeed, our attack of Figure 2 consists essentially of two simulated clicks, one from S to R and one from R to T. The preservation of the Referer field is critical for a simulated click (and our attack), and this requirement rules out some of the most straightforward possible implementations: e.g., if the referrer serves a page that "refreshes" the browser to the target page using HTML's <meta> tag (see ), then this retrieves the target page but does not preserve the Referer field. As discussed in Section 1, simulated clicks are already practiced in hit inflation attacks on the Web today. However, presently there seems to be little attempt to hide these simulated clicks from users (e.g., see ), whereas we use techniques to hide simulated clicks from users to limit detectability of our attack and the annoyance caused to users.
One feature that makes simulated clicks possible is that modern browsers transmit Referer information not only for pages requested by explicit user clicks, but also for components embedded in pages like images, and especially subdocuments like frames and layers (see, e.g.,  for an introduction to these constructs in HTML). For example, the Web page containing a layer is named in the Referer header of the request for the document contained in the layer, even though no user clicks are involved when the layer contents are retrieved. Therefore, a simple and effective simulated click can be achieved for Netscape Navigator 4.x (NN4) and Microsoft Internet Explorer 4.x (IE4) if the referring site serves a page with a layer that contains the target page (NN3 and IE3 do not support layers). To hide this simulated click from the user, the layer containing the target page can be made of zero size, or stacked below the containing document so that it is invisible to the user. Another form of simulated click can be achieved using frames with IE3 and IE4, since these browsers report the document containing a frameset as the Referer for the documents in each of the frames. Thus, a referrer can create an invisible, simulated click to a target by serving a page that contains a frameset with a zero-size frame that loads the target page. Interestingly, NN3 and NN4 report the Referer of the page containing the frameset as the Referer for each of the documents in the frames. Thus, we use layers to conduct a subdocument-based simulated click in NN4. It is somewhat more awkward to perform a subdocument-based simulated click in NN3. In order to use the appropriate form of simulated click, the server can determine the user's browser and version from the User-Agent header in the browser's request.
Next: Detailing the attack Up: Undetectable hit inflation for Previous: Undetectable hit inflation for Mike Reiter