4 replies to this topic

[Juza]

This is just a little trick to redirect a link

<a href="http://google.com" onclick="this.href='http://yahoo.com'">Spoof link should go to google</a>

This link in a normal way lead us to google.com, but this is not a normal link, it will redirect you to yahoo.com, this is the "this" magic.

Hope you have learn something!

[Edu]

thanks bud.

only thing is that we wont be able to use it on most sites because they do not allow javascript to be put in places where html is allowed and that includes decent e-mail clients.
One would need to find a XSS vulnerability withing the mail client software, webmail, websites, etc... or a way to spoof links without using javascript. An alternative to your code is opening a new window via window.open() javascript instruction. that way you open both URLs.

[Juza]

I didn't know that window.open() do that that! thanks!

One would need to find a XSS vulnerability withing the mail client software, webmail, websites, etc... or a way to spoof links without using javascript.

Yes, the only way to take advantage of it is finding a XSS. I doubt that there is a way to do this with pure html, witch is sad xD.

[Edu]

nothing is impossible man
some people told me it would be impossible to find code execution vulnerabilities in Microsoft Notepad due to its simplicity and what happened?...I found one...hehe not exactly what I wanted due to the level of user interaction (needed to press F1 when a TXT is opened) but still nice.

now...see a way to do what you wish without javascript

<p><a id="eu" href="site-you-wish-to-direct-IE"></a></p> <div> <a href="site-you-wish-to-appear-in-statusbar"> <table> <caption> <a href="site-you-wish-to-appear-in-statusbar"> <label for="eu"> <u style="cursor: pointer; color: blue"> site-you-wish-to-appear-in-statusbar </u> </label> </a> </caption> </table> </a> </div>

[Juza]

nothing is impossible man

I am sure of that!

Great Work!