865 Views, 4 Replies, Latest reply: Nov 14, 2012 9:02 PM by cscoup8

cscoup8 (Newcomer, 34 posts since Nov 13, 2012)
Nov 13, 2012 9:12 PM

block double HTTP 302 redirects

Is there a way to have mwg7 immediately block the response if it sees two HTTP 302 redirects in a row? Here's the scenario:

  1. A user is casually browsing the internet.
  2. Without being aware of it, they come across a malicious or compromised web site which does an HTTP 302 redirect to another site.
  3. That site in turn does yet another HTTP 302 redirect to another site.
  4. The final site (I've sometimes even seen a third redirect) is the one that delivers the malicious exploit.

Although HTTP 302 redirects have their purpose on legit web sites, 2 or more redirects in a row are immediately suspicious to me and warrant either outright blocking or a more aggressive filtering policy being applied.

See the flowchart here for more details on this infection technique: http://nakedsecurity.sophos.com/2012/07/05/pseudo-random-domain-name-generation-and-blackhole/

  • trishoar (Apprentice, 60 posts since Jan 28, 2010)
    1. Nov 14, 2012 6:20 AM (in response to cscoup8)
    Re: block double HTTP 302 redirects

    I think this would be a bad idea. I see quite a lot of sites that use multiple 302s. For example, sourceforge uses them for the download links.

    Tris

  • cnewman (McAfee SME, 40 posts since Jan 31, 2011)
    2. Nov 14, 2012 1:56 PM (in response to trishoar)
    Re: block double HTTP 302 redirects

    I would also add that a lot of analytics use redirects. Not Google, but some of the other trackers, and while it might be nice from a privacy standpoint, it may also keep a page from loading at all.

    That said, the problem you would have in making a ruleset for this is that all redirects entail a new request and a new 'transaction'. We don't keep a state table for separate requests for the same user/client IP address.

    I would say that it's probably theoretically possible, but ill advised.

    --CN
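To make the two halves of this thread concrete, here is an added example (not code from the thread, from McAfee, or from the Web Gateway rule engine): it builds exactly the per-client state table cnewman says the gateway does not keep, by feeding it one proxy transaction at a time and remembering where each client was last redirected. A chain grows only when the client's next request goes to the URL the previous 302 named and is itself redirected again, so an unrelated request resets it. The `Transaction` record, the hostnames (`compromised.example`, `downloads.example`, and so on), the threshold of two, and the log entries are all constructed for the example; the `allow_hosts` set is one way to carve out a download site that legitimately chains redirects, which is trishoar's objection.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Transaction:
    """One proxied request/response pair, in the shape a gateway log would give it (assumed layout)."""
    client: str                     # client IP address
    url: str                        # URL the client requested
    status: int                     # HTTP response status returned to the client
    location: Optional[str] = None  # Location header when the response was a redirect


class RedirectChainDetector:
    """Per-client tracker for consecutive redirects across separate transactions.

    After a redirect we remember (next URL, depth so far, host that started the
    chain). If the same client's next request is to that URL and is redirected
    again, the depth grows; any non-redirect response, or a request elsewhere,
    ends the chain. This is the state table a stateless per-transaction ruleset
    cannot express.
    """

    def __init__(self, threshold: int = 2, allow_hosts=()):
        self.threshold = threshold
        self.allow_hosts = set(allow_hosts)
        self._pending: Dict[str, Tuple[str, int, str]] = {}

    def observe(self, tx: Transaction) -> Optional[int]:
        """Feed one transaction; return the chain depth once it reaches the threshold, else None."""
        depth, origin = 0, (urlsplit(tx.url).hostname or "")
        pending = self._pending.get(tx.client)
        if pending and pending[0] == tx.url:
            _, depth, origin = pending          # this request continues a known chain

        if tx.status not in REDIRECT_STATUSES or not tx.location:
            self._pending.pop(tx.client, None)  # a normal response ends any chain
            return None

        target = urljoin(tx.url, tx.location)   # Location may be relative
        depth += 1
        self._pending[tx.client] = (target, depth, origin)
        if depth >= self.threshold and origin not in self.allow_hosts:
            return depth                        # this is the response the policy would block
        return None


def detect_chains(transactions: List[Transaction], threshold: int = 2,
                  allow_hosts=()) -> List[Tuple[str, str, int]]:
    """Return (client, url, depth) for every response that would trip the rule."""
    detector = RedirectChainDetector(threshold, allow_hosts)
    hits = []
    for tx in transactions:
        depth = detector.observe(tx)
        if depth is not None:
            hits.append((tx.client, tx.url, depth))
    return hits


# Constructed sample log: three clients, interleaving not needed to show the point.
SAMPLE_LOG = [
    # 10.0.0.5: compromised page -> hop -> hop -> exploit page (the scenario in the post)
    Transaction("10.0.0.5", "http://compromised.example/news.html", 302, "http://hop1.example/r"),
    Transaction("10.0.0.5", "http://hop1.example/r", 302, "http://hop2.example/go"),
    Transaction("10.0.0.5", "http://hop2.example/go", 302, "http://exploit.example/kit.php"),
    Transaction("10.0.0.5", "http://exploit.example/kit.php", 200),
    # 10.0.0.6: a download site that legitimately chains redirects to a mirror
    Transaction("10.0.0.6", "http://downloads.example/get/tool.zip", 302, "/mirror?f=tool.zip"),
    Transaction("10.0.0.6", "http://downloads.example/mirror?f=tool.zip", 302, "http://mirror.example/tool.zip"),
    Transaction("10.0.0.6", "http://mirror.example/tool.zip", 200),
    # 10.0.0.7: a single redirect, which is normal and must not trip the rule
    Transaction("10.0.0.7", "http://site.example", 302, "http://www.site.example/"),
    Transaction("10.0.0.7", "http://www.site.example/", 200),
]

if __name__ == "__main__":
    for hit in detect_chains(SAMPLE_LOG, allow_hosts={"downloads.example"}):
        print("would block:", hit)
```

Run over the sample, the detector flags the second and third hops of the 10.0.0.5 chain (depths 2 and 3, matching the "sometimes even a third redirect" observation) and leaves the single-redirect client alone. Without the allowlist, the download site's two-hop chain is flagged as well, which is the false positive trishoar and cnewman are warning about; whether that trade-off is acceptable is a policy decision, not something the detector can settle.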
