Detailing the attack


As described in Section 3.1, at a high level our attack consists of two simulated clicks, one from S to R and one from R to T (see Figure 2). However, the nature of these two simulated clicks is quite different. Recall that S and R are collaborating in this attack, and indeed it is important for the attack that in the first simulated click, R recognizes that the simulated click from S is happening (so that it can serve the "attack" version of pageR.html that causes the simulated click to T). On the other hand, in order to make our attack truly undetectable to T, it is important that T be unable to detect that the referral from R is by a simulated click. Because of these conflicting requirements, the two simulated clicks in our attack are conducted via different mechanisms.

The simulated click from S to R, so that R recognizes the simulated click from S, is the easiest to achieve. Since S and R are in collaboration, their webmasters can set up the Web sites so that any request that R receives for pageR.html with a Referer field of pageS.html is by a simulated click from S. This can be ensured if pageS.html has no link to pageR.html that can be clicked by the user. Thus, the subdocument-based approach of Section 3.1, in which the only link to pageR.html is for a layer's contents, for example, is ideally suited for this simulated click.

The simulated click from R to T is more sensitive, as it is essential that T be unable to detect that the click is simulated. In particular, if JavaScript is enabled in the browser, then a script in pageT.html could detect the subdocument-based simulated click of Section 3.1. Specifically, in current browsers pageT.html can use JavaScript to detect whether it is displayed in a frame. Moreover, in version 4 browsers, pageT.html can use JavaScript to detect the size of its window, layer, or frame, and thus pageT.html can be designed to detect the case when it is displayed in a zero-size frame or layer. For these reasons, pageR.html must test for various conditions when conducting its simulated click and tailor its method of attack to them. Specifically, the simulated click from R to T should occur as follows:

1. pageR.html first tests if JavaScript is enabled in the browser. If not (i.e., JavaScript is disabled), then it simulates a click to pageT.html using the subdocument-based simulated click of Section 3.1.
2. If JavaScript is enabled in the browser (and thus pageT.html has greater detection capabilities at its disposal), then pageR.html performs the simulated click using the JavaScript method of Section 3.1 that directs pageT.html to a new window, hidden from the user.
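The detection capabilities the text attributes to pageT.html (is it inside a frame, is its frame or layer zero-size) can be written as a small check. The code below is an added illustration, not from the paper; it takes a window-like object so it runs outside a browser, and the `makeWindow` stand-ins are constructed for the example.

```javascript
// Added example (not from the paper): the checks the text says a page can
// make in version 4 browsers. In a real page you would call assessDisplay(window).
function assessDisplay(win) {
  const reasons = [];
  // A document can tell whether it is top-level or loaded inside a frame.
  if (win.top !== win.self) {
    reasons.push("displayed in a frame");
  }
  // The viewport size is exposed; a zero-size frame or layer shows the
  // user nothing, which is what the subdocument-based simulated click relies on.
  const w = Number(win.innerWidth) || 0;
  const h = Number(win.innerHeight) || 0;
  if (w === 0 || h === 0) {
    reasons.push(`zero-size viewport (${w}x${h})`);
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed window stand-ins for illustration only.
function makeWindow({ framed, width, height }) {
  const win = { innerWidth: width, innerHeight: height };
  win.self = win;
  // A distinct object stands in for a parent document when framed.
  win.top = framed ? {} : win;
  return win;
}

// A normal top-level view passes; a zero-size frame is flagged twice.
const normalView = assessDisplay(makeWindow({ framed: false, width: 1024, height: 768 }));
const hiddenFrame = assessDisplay(makeWindow({ framed: true, width: 0, height: 0 }));
console.log(normalView, hiddenFrame);
```

As the text points out, this check covers only the subdocument-based case: with JavaScript disabled it never runs, and the hidden new window used when JavaScript is enabled is a top-level window of ordinary size, so it passes both tests.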

There is always the possibility that the webmaster of site T will request pageR.html for inspection, and so we remind the reader that for any request for pageR.html that does not name pageS.html as the Referer, R should respond with an innocuous Web page that does not simulate a click to T.

Mike Reiter
3/9/1999