4 Replies Latest reply: Nov 14, 2012 9:02 PM by cscoup8

    block double HTTP 302 redirects

    cscoup8

      Is there a way to have mwg7 immediately block the response if it sees two HTTP 302 redirects in a row?  Here's the scenario:

      1. A user is casually browsing the internet.
      2. Without being aware of it, they come across a malicious or compromised web site which does an HTTP 302 redirect to another site
      3. That site in question does yet another HTTP 302 redirect to another site
      4. The final site (I've sometimes even seen a third redirect) is the one that delivers the malicious exploit

      Although HTTP 302 redirects have their purpose on legit web sites, 2 or more redirects in a row is immediately suspicious to me and warrants either outright blocking or a more aggressive filtering policy to be applied.

      See the flowchart here for more details on this infection technique: http://nakedsecurity.sophos.com/2012/07/05/pseudo-random-domain-name-generation-and-blackhole/
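
The check described in the post above, as an added example that is not part of the original thread and is not Web Gateway rule syntax: a Python pass over proxy log records that flags a client whose request follows one 302 and is itself answered with another 302. The record layout `(client, url, status, location)`, the function name `find_redirect_chains` and all hosts and addresses are assumptions constructed for illustration.

```python
from urllib.parse import urljoin

# Constructed sample proxy records: (client, requested URL, status, Location header)
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example/story", 200, None),
    ("10.0.0.5", "http://compromised.example/ad.js", 302,
     "http://hop1.example/in.php?id=7"),
    ("10.0.0.5", "http://hop1.example/in.php?id=7", 302,
     "http://hop2.example/landing"),
    ("10.0.0.5", "http://hop2.example/landing", 200, None),
    # One legitimate 302 with a relative Location, then an unrelated 302:
    # two redirects seen for the same client, but not chained to each other.
    ("10.0.0.9", "http://shop.example/login", 302, "/account"),
    ("10.0.0.9", "http://other.example/old", 302, "http://other.example/new"),
    ("10.0.0.9", "http://shop.example/account", 200, None),
]


def find_redirect_chains(records, threshold=2):
    """Return (client, chain_of_302_urls, next_target) for every hop at which
    a client has followed `threshold` or more 302 responses in a row."""
    # (client, URL the last 302 pointed to) -> URLs that answered 302 so far.
    # A long-running deployment would also expire stale entries.
    pending = {}
    alerts = []
    for client, url, status, location in records:
        # The chain continues only if this request is the target of a prior 302.
        chain = pending.pop((client, url), [])
        if status != 302 or not location:
            continue  # any other response ends the chain
        chain = chain + [url]
        target = urljoin(url, location)  # Location may be relative
        if len(chain) >= threshold:
            alerts.append((client, chain, target))
        pending[(client, target)] = chain
    return alerts


if __name__ == "__main__":
    for client, chain, target in find_redirect_chains(SAMPLE_LOG):
        print(f"{client}: {len(chain)} consecutive 302s, next hop {target}")
        for hop in chain:
            print(f"    302 from {hop}")
```

The alert fires on the second 302 itself, before the final landing page is requested, which is the point at which a proxy policy would block or switch to stricter filtering.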