Government Security
Network Security Resources


Link Spoof

4 replies to this topic

#1 Juza

Juza

    Specialist

  • Sergeant Major
  • 149 posts

Posted 08 October 2010 - 11:18 AM

This is just a little trick to redirect a link.

<a href="http://google.com" onclick="this.href='http://yahoo.com'">Spoof link should go to google</a>

Normally this link would lead us to google.com, but this is not a normal link: it will redirect you to yahoo.com. This is the "this" magic.

Hope you have learned something!
Go to iamjuza.blogspot.com
Follow me twitter.com/iamjuza

The true beginning of our end.


#2 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 08 October 2010 - 02:02 PM

Thanks bud.

The only thing is that we won't be able to use it on most sites, because they do not allow JavaScript to be put in places where HTML is allowed, and that includes decent e-mail clients.
One would need to find an XSS vulnerability within the mail client software, webmail, websites, etc... or a way to spoof links without using JavaScript. An alternative to your code is opening a new window via the window.open() JavaScript instruction. That way you open both URLs.
http://www.secumania.net - Secumania security blog.



#3 Juza

Juza

    Specialist

  • Sergeant Major
  • 149 posts

Posted 08 October 2010 - 02:15 PM

I didn't know that window.open() does that! Thanks!

One would need to find an XSS vulnerability within the mail client software, webmail, websites, etc... or a way to spoof links without using JavaScript.


Yes, the only way to take advantage of it is finding an XSS. I doubt that there is a way to do this with pure HTML, which is sad xD.
Go to iamjuza.blogspot.com
Follow me twitter.com/iamjuza

The true beginning of our end.


#4 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 09 October 2010 - 08:37 AM

Nothing is impossible man ;)
Some people told me it would be impossible to find code execution vulnerabilities in Microsoft Notepad due to its simplicity, and what happened?... I found one... hehe, not exactly what I wanted due to the level of user interaction (needed to press F1 when a TXT is opened) but still nice.

Now... see a way to do what you wish without JavaScript ;)

<p><a id="eu" href="site-you-wish-to-direct-IE"></a></p>
<div>
  <a href="site-you-wish-to-appear-in-statusbar">
    <table>
      <caption>
        <a href="site-you-wish-to-appear-in-statusbar">
          <label for="eu">
            <u style="cursor: pointer; color: blue"> site-you-wish-to-appear-in-statusbar </u>
          </label>
        </a>
      </caption>
    </table>
  </a>
</div>

http://www.secumania.net - Secumania security blog.
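
As an added example (not code from any poster in this thread), here is a heuristic audit that a site accepting user-supplied HTML could run to flag both patterns shown above: the inline onclick handler from post #1 and the label/nested-anchor markup from post #4. The function names, finding labels and sample constants are assumptions made for the illustration.

```javascript
// Heuristic audit of user-submitted HTML for the link-spoofing markup in this
// thread. It flags content for review; it is not a sanitizer.

// Parse the attribute text of one start tag into a lowercase-keyed object.
function parseAttrs(src) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

function auditLinks(html) {
  const findings = [];
  const anchorIds = new Set();   // ids carried by <a> elements
  const labelTargets = [];       // values of <label for="...">
  let openAnchors = 0;           // depth of currently open <a> elements
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[2].toLowerCase();
    if (m[1] === "/") {
      if (name === "a" && openAnchors > 0) openAnchors--;
      continue;
    }
    const attrs = parseAttrs(m[3]);
    // Post #1 pattern: any inline on* handler can rewrite href at click time.
    for (const key of Object.keys(attrs)) {
      if (key.startsWith("on")) findings.push(`event-handler:${name}[${key}]`);
    }
    if (name === "a") {
      if (openAnchors > 0) findings.push("nested-anchor"); // invalid HTML
      openAnchors++;
      if (attrs.id) anchorIds.add(attrs.id);
    }
    if (name === "label" && attrs.for) labelTargets.push(attrs.for);
  }
  // Post #4 pattern: labels are meant for form controls, never for links.
  for (const t of labelTargets) {
    if (anchorIds.has(t)) findings.push(`label-activates-anchor:${t}`);
  }
  return findings;
}

// Sample inputs: the two snippets from this thread (second one condensed).
const SAMPLE_ONCLICK = `<a href="http://google.com" onclick="this.href='http://yahoo.com'">x</a>`;
const SAMPLE_LABEL = `<p><a id="eu" href="A"></a></p><a href="B"><table><caption><a href="B"><label for="eu"><u>B</u></label></a></caption></table></a>`;
```

For content that will actually be rendered, an allowlist-based HTML sanitizer that drops event-handler attributes is the control; a scan like this is useful for reviewing what was submitted.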



#5 Juza

Juza

    Specialist

  • Sergeant Major
  • 149 posts

Posted 09 October 2010 - 01:31 PM

nothing is impossible man ;)


I am sure of that!

Great Work!
Go to iamjuza.blogspot.com
Follow me twitter.com/iamjuza

The true beginning of our end.