funsec mailing list archives

RE: Empty Home Page, Meta Refresh To Content

From: "Larry Seltzer" <Larry () larryseltzer com>
Date: Sun, 11 Nov 2007 13:21:29 -0500

Thanks. Still looks weird.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com


-----Original Message-----
From: Dr. Neal Krawetz [mailto:hf () hackerfactor com] 
Sent: Sunday, November 11, 2007 11:07 AM
To: Larry Seltzer
Cc: funsec () linuxbox org
Subject: Re: [funsec] Empty Home Page, Meta Refresh To Content

On Sun Nov 11 08:03:37 2007, Larry Seltzer wrote:


While doing research on this malware through ads thing i did what I 
often do, opened a web page into my text editor (TextPad) which loads 
the HTML. I did this to http://www.ynetnews.com/. This is what it
loaded:

                <!-- SystemTeam, Realcommerce ltd. 2006 -->
                <!-- Vadim::20060125 -->
 
                <HTML>
                 <HEAD>
                  <meta http-equiv="Refresh" content="0; 
url=/home/0,7340,L-3083,00.html">
                 </HEAD>
                 <BODY BGCOLOR="#FFFFFF" style='margin:10' scroll=no>
                 </BODY>
                </HTML>
 
That's interesting. The actual page is basically empty, but they use a

Meta Refresh with a 0 delay to load the content.

Why would anyone do this?


Hi Larry,

I cannot speak for them, but there are some real reasons to do this.

For example, the web content provider may not have access to the web
server configuration.  So, if you want "/" to redirect to "/home/..."
then a meta-refresh is one quick way to implement the redirection.

You see this when IT and Webmaster are not the same person and not well
coordinated.  A 3xx redirection would be ideal, but a meta-refresh is a
great workaround.  Another redirection methods uses JavaScript, but then
JavaScript must be enabled.  The final fallback are pages that say "if
you are not redirected, then click here" and rely on the human.

Another reason to use redirection involves bot management.  Many bots
don't set the Referer field (not my spelling error!) and don't use
cookies.  So if you don't want bots crawling your site, you can use a
meta-refresh to access the actual content.  The browser may set the
referer, but will return cookies.
  - Most (all?) versions of Firefox will not set/change the Referer in
    response to a meta-refresh or 3xx redirection, but Opera will.  This
    varies by browser.
  - All browsers (with cookies enabled) will return a cookie.  Have "/"
    set a cookie and redirection, then the cookie will be sent to the
    redirected page.

Similar to bot management, you can use this to track users.

Those are just the ones off the top of my head (where the hair used to
be) and I am sure that there are other reasons.

                                        -Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Empty Home Page, Meta Refresh To Content Larry Seltzer (Nov 11)
- <Possible follow-ups>
- Re: Empty Home Page, Meta Refresh To Content Dr. Neal Krawetz (Nov 11)
  - RE: Empty Home Page, Meta Refresh To Content Larry Seltzer (Nov 11)