Comments on: Anatomy of a Google 302 Redirect Hijack http://www.habdas.org/2009/10/18/google-302-redirect-hijack/ The technical blog of Josh Habdas Sun, 05 Sep 2010 20:28:01 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Josh http://www.habdas.org/2009/10/18/google-302-redirect-hijack/comment-page-1/#comment-2462 Josh Tue, 10 Aug 2010 23:36:24 +0000 http://www.habdas.org/?p=921#comment-2462 The redirect method with a "/" should take you to the application root. If as you say the redirect to the root directory results in a page hijack then I'd start checking the IIS configuration to determine which location was specified as the application root. If it is an unexpected location, set it back to something you would expect and investigate the target location for unexpected files. Otherwise, please continue reading up. Regardless of what you find it would be wise to immediately start auditing the security of the server, tightening up the firewalls and scanning for viruses. The redirect method with a “/” should take you to the application root. If as you say the redirect to the root directory results in a page hijack then I’d start checking the IIS configuration to determine which location was specified as the application root. If it is an unexpected location, set it back to something you would expect and investigate the target location for unexpected files. Otherwise, please continue reading up. Regardless of what you find it would be wise to immediately start auditing the security of the server, tightening up the firewalls and scanning for viruses.

]]> By: Eric http://www.habdas.org/2009/10/18/google-302-redirect-hijack/comment-page-1/#comment-1424 Eric Tue, 27 Apr 2010 16:36:51 +0000 http://www.habdas.org/?p=921#comment-1424 I found this post because I was searching for information regarding a type of hijacking I just encountered. The site is on IIS with ASP, which I am not as familiar with as LAMP. The site became listed as a Google attack page for downloading software without consent. When I ignored the warning, my browser was immediately redirected to the top-anti-spyware site and began downloading. Long story short, I found this code in the default.asp file that should have loaded the site: <code>Response.redirect("/")</code> When I swapped this default file with a correct default file, the redirect no longer occurred. Any idea how this would trigger a redirect to a completely different site? TO me this appears to be a meaningless directive. Under normal circumstances, what should a single slash do? (If you're interested in this particular exploit and would like to know more, feel free to email me). I found this post because I was searching for information regarding a type of hijacking I just encountered. The site is on IIS with ASP, which I am not as familiar with as LAMP. The site became listed as a Google attack page for downloading software without consent. When I ignored the warning, my browser was immediately redirected to the top-anti-spyware site and began downloading.

Long story short, I found this code in the default.asp file that should have loaded the site:

Response.redirect("/")

When I swapped this default file with a correct default file, the redirect no longer occurred.

Any idea how this would trigger a redirect to a completely different site? TO me this appears to be a meaningless directive. Under normal circumstances, what should a single slash do?

(If you’re interested in this particular exploit and would like to know more, feel free to email me).

]]> By: Josh http://www.habdas.org/2009/10/18/google-302-redirect-hijack/comment-page-1/#comment-936 Josh Sun, 06 Dec 2009 05:55:22 +0000 http://www.habdas.org/?p=921#comment-936 @Taylor: Not sure as I was not able to recreate the Chrome issues with any consistency. My thought was that the issues might possibly be caused as a result of using browser controls during chrome animations, such as pressing the back button while the file download notification was being displayed at the window bottom. Please let us know if you come across additional information or fine a way to reliably reproduce the issue. Thanks! @Taylor: Not sure as I was not able to recreate the Chrome issues with any consistency. My thought was that the issues might possibly be caused as a result of using browser controls during chrome animations, such as pressing the back button while the file download notification was being displayed at the window bottom. Please let us know if you come across additional information or fine a way to reliably reproduce the issue. Thanks!

]]> By: Taylor http://www.habdas.org/2009/10/18/google-302-redirect-hijack/comment-page-1/#comment-924 Taylor Mon, 30 Nov 2009 19:55:20 +0000 http://www.habdas.org/?p=921#comment-924 I've noticed the same problem with Chrome. Disturbing... any ideas on how to fix yet? I’ve noticed the same problem with Chrome. Disturbing… any ideas on how to fix yet?

]]>