Redirected users could be confused into thinking that they were visiting a trusted website when they are in fact accessing an attacker-controlled website. This attack is often used to trick victims into downloading a malicious extension, signing into their social media accounts, downloading a malicious file, installing a malicious plugin, etc.

CVE-2023-36211

This attack is often used to redirect victims' browsers to a malicious website. The attacker could also use this attack to make the victim believe they are visiting a trusted website when, in reality, they are visiting an attacker-controlled website.

How does a redirect to a fake site help the attacker?

An attacker can make users believe they are visiting a trusted website such as Facebook when they are actually visiting a fake site. This is done by creating the fake website and then linking it to the real website so that the user thinks they are visiting the actual page. The attacker then uses the redirected traffic to deliver malware or collect sensitive information from victims.
In some cases, attackers will use redirects to drive traffic that can be used for advertising purposes.
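The usual defence against a redirect parameter being pointed at an attacker-controlled site is to validate the destination server-side before issuing the redirect. The following is an added example, not code from the original page or from the affected product; the allowlist, base URL and sample inputs are constructed for illustration. It resolves the candidate against the application's own origin and then checks the parsed result, which is what catches the protocol-relative, userinfo and backslash forms that a simple string-prefix check misses.

```python
from urllib.parse import urlsplit, urljoin

# Constructed allowlist: the only hosts this application will redirect to.
ALLOWED_HOSTS = {"app.example", "accounts.example"}
BASE_URL = "https://app.example/"  # constructed: the application's own origin


def safe_redirect_target(candidate: str, fallback: str = "/") -> str:
    """Return candidate only if it resolves to an allowlisted host;
    otherwise return fallback. Every check runs on the parsed URL,
    never on string prefixes of the raw parameter."""
    if not candidate:
        return fallback
    # Control characters and backslashes are rejected outright: browsers
    # normalise "\" to "/", so "\\evil.example" would become "//evil.example".
    if any(ord(c) < 0x20 for c in candidate) or "\\" in candidate:
        return fallback
    try:
        # Resolving against our own origin turns relative paths, "//host"
        # and "https:host" forms into full URLs before they are inspected.
        resolved = urlsplit(urljoin(BASE_URL, candidate))
        port = resolved.port  # raises ValueError on a malformed port
    except ValueError:
        return fallback
    if resolved.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, and similar schemes
    if resolved.username or resolved.password:
        return fallback  # "https://app.example@evil.example/" style userinfo
    if port is not None:
        return fallback  # only default ports for the allowlisted hosts
    if (resolved.hostname or "") not in ALLOWED_HOSTS:
        return fallback
    return resolved.geturl()


if __name__ == "__main__":
    for sample in ("/dashboard", "//evil.example/login",
                   "https://app.example@evil.example/", "javascript:alert(1)",
                   "https:evil.example", "\\\\evil.example"):
        print(f"{sample!r:40} -> {safe_redirect_target(sample)}")
```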

How does an HTTP Refused Content Attack work?

This type of attack is often used to trick victims into downloading a malicious extension, signing into their social media accounts, downloading a malicious file, installing a malicious plugin, etc.
This attack is carried out by an attacker who sets up an HTTP server that redirects the victim to a website the attacker controls. If the HTTP server uses the Allow header in order to allow access on TCP port 80 or 443, the victim's browser will ask for authentication. The web server will then send back a response with "403 Forbidden", as shown below:
Note that this is not necessarily indicative of an actual 403 error code, as it can be produced by any other HTTP status code instead of 403 for any number of reasons, including improper authorization. If an attacker has successfully authenticated as an administrator and manages to convince the user that they are indeed visiting the site they intended to visit, the user may be tricked into installing software or downloading files to their computer that were deliberately designed by the attacker to steal sensitive information, infect the computer with malware or ransomware, or cause further damage.

How do I know if I am vulnerable?

Look for the following in your browser's URL bar:
inurl:/install.php?_id=
inurl:/install.php?v=
inurl:/install.php?pid=
The first three may indicate that you have been redirected to an attacker's website and the fourth could indicate that you are installing a batch file or script through your browser. If you are vulnerable, consider changing the default installation location of programs on your computer to a non-directive location like /Program Files/ or /Macintosh HD/Library/Application Support/.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 02:21:00 UTC
