Next: Discussion Up: Undetectable hit inflation for Previous: Simulated clicks
As described in Section 3.1, at a high level our attack consists of two simulated clicks, one from S to R and one from R to T (see Figure 2). However, the nature of these two simulated clicks is quite different. Recall that S and R are collaborating in this attack, and indeed it is important for the attack that in the first simulated click, R recognizes that the simulated click from S is happening (so that it can serve the "attack" version of pageR.html that causes the simulated click to T). On the other hand, in order to make our attack truly undetectable to T, it is important that T be unable to detect that the referral from R is by a simulated click. Because of these conflicting requirements, the two simulated clicks in our attack are conducted via different mechanisms.
The simulated click from S to R, so that R recognizes the simulated click from S, is the easiest to achieve. Since S and R are in collaboration, their webmasters can set up the Web sites so that any request that R receives for pageR.html with a Referer field of pageS.html is by a simulated click from S. This can be ensured if pageS.html has no link to pageR.html that can be clicked by the user. Thus, the subdocument-based approach of Section 3.1, in which the only link to pageR.html is for a layer's contents, for example, is ideally suited for this simulated click.
There is always the possibility that the webmaster of site T will request pageR.html for inspection, and so we remind the reader that for any request for pageR.html that does not name pageS.html as the Referer, R should respond with an innocuous Web page that does not simulate a click to T.
Next: Discussion Up: Undetectable hit inflation for Previous: Simulated clicks Mike Reiter