javascript link spoofing exploit found!


mickey

try this page:

<a href="http://google.com"
onclick="this.href='http://yahoo.com'">Spoof link should go to
google</a>

Both in IE and Firefox, users see google in the status bar and assume
that it will go to mozilla, but then at the last second, once users
click the link, the browser actually goes to yahoo. Of course you can
obfuscate this by making the onclick a function, defined in some
external file. This is dangerous!
 

Lee

mickey said:
try this page:

<a href="http://google.com"
onclick="this.href='http://yahoo.com'">Spoof link should go to
google</a>

Both in IE and Firefox, users see google in the status bar and assume
that it will go to mozilla, but then at the last second, once users
click the link, the browser actually goes to yahoo. Of course you can
obfuscate this by making the onclick a function, defined in some
external file. This is dangerous!

No more dangerous than any other redirect.
 

Thomas 'PointedEars' Lahn

mickey said:
<a href="http://google.com"
onclick="this.href='http://yahoo.com'">Spoof link should go to
google</a>

It is even simpler and more compatible:

<a href="http://google.com"
onclick="location='http://yahoo.com'; return false;">Spoof link should
go to google</a>

This is part of DOM Level 0, therefore possible since JavaScript 1.1
(NN3; the DOM was still part of the language then), and IE3 -- both
released in August 1996.

mickey said:
Both in IE and Firefox, users see google in the status bar and assume
that it will go to mozilla, but then at the last second, once users
click the link, the browser actually goes to yahoo. Of course you can
obfuscate this by making the onclick a function, defined in some
external file. This is dangerous!

I would call that harmful, but not dangerous (OK, considering the
content of yahoo.com maybe even that :)).

Users should be aware that such is entirely possible with client-side
scripting. Anybody paranoid enough may disable script support where
the problem will disappear. But client-side scripting can provide many
useful features, so vendors should develop a block feature for such
script-kiddie nonsense as they have for hiding the status bar, e.g.;
the question is: how to detect what is a useful redirection and what
is not?

BTW: This is a *news*group. [psf 4.16]


PointedEars
 
