Shoutbox

quote:

---

Originally posted by Burningmace
That is unlikely to fool anyone. The file size will be completely wrong.

---

So modify the Content-Length header too?! (or pad out your virus's executable)

quote:

---

Originally posted by Burningmace
the download isn't that easy to catch (content-disposition isn't always set and some sites will have blablabla.exe as their request but will return a content-type of text/plain)

---

... no.

If the Content-Type is text/plain the browser will display the contents in the window and not download it unless the Content-Disposition exists, in which case it will ignore the Content-Type and download it.

http://gifpaste.org/test.php?x=1

code:

---

        header("Content-Type: text/plain");
        header("Content-Disposition: attachment; filename=test.bin");

---

Ignores the text/plain header and prompts the user to download test.bin.

http://gifpaste.org/test.php?x=2

code:

---

        header("Content-Type: application/x-msdownload");

---

Prompts the user to download it using a default filename, so in this rare case you could detect the specific Content-Types related to the downloading of executable files (application/x-msdownload in this case).

http://gifpaste.org/test.php?x=3

code:

---

        header("Content-Type: text/plain");

---

Displays the contents of the file in the browser. In this case you wouldn't hijack the request.

Every website that wants you to download a file will use Content-Disposition if they want the filename to be something that makes sense. This means that Content-Disposition will catch 99% of all HTTP file-download responses.

quote:

---

Originally posted by Burningmace

and the network load would double (one packet from the user to the attacker, another packet from the attacker to the server), thus slowing down the traffic and alerting the user to a problem.

---

Not only is this untrue (the hijacker/attacker modifies the received HTTP packets on the fly, then sends them on, and if they wanted to appear inconspicuous, could even download the original file the user requested) but no normal user would even notice more bandwidth being used.

From the server's perspective, someone is downloading the file requested.

From the user's perspective, they are downloading a file.

You could even take the Content-Length header if you didn't want to rewrite it, and pad out your viral executable with bytes that wouldn't affect its execution so that the browser would report the correct filesize.