
Hacking HTML anchors in 100 characters.


2 replies to this topic

#1 K_N


Posted 20 March 2013 - 10:30 PM

http://bilaw.al/2013...characters.html

 

An interesting phishing exploit, and one I've never heard of. Obviously never going to fool anyone who pays attention to their address bar, but can easily hook even slightly-savvy internet users.


Rumors of my demise have been greatly exaggerated.


#2 Guest_ElatedOwl_*


Posted 21 March 2013 - 07:42 AM

Interesting trick. I'm not entirely sure why he thinks you shouldn't be able to do it, though.

 

The click event needs to be processed before the navigation for sure - think about an AJAX app that supports users with JavaScript disabled. The easiest way to handle it is to use an anchor with a link to the page, then via JS, preventDefault on click so you can load it via AJAX instead.

 

He also discusses that you shouldn't be able to change the href in the click event. What's going to stop someone from changing it on mousedown?
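
An added example, not part of the thread: a guard for a content script or site audit that snapshots the href shown on hover and cancels navigation if the link's destination has changed by the time the click is dispatched, which also covers a swap made on mousedown. The names `createHrefGuard`, `onHover` and `onActivate` are hypothetical, and allowing same-origin changes (so AJAX-style link handling keeps working) is an assumed policy.

```javascript
// Added example; createHrefGuard, onHover and onActivate are hypothetical names.

// True when both targets are identical or share a real (non-opaque) origin.
// Relative URLs are resolved against `base`.
function sameOrigin(shownHref, actualHref, base) {
  try {
    const a = new URL(shownHref, base);
    const b = new URL(actualHref, base);
    return a.href === b.href || (a.origin !== "null" && a.origin === b.origin);
  } catch (e) {
    return false; // unparsable target: treat as a mismatch
  }
}

function createHrefGuard(base) {
  const shown = new WeakMap(); // anchor -> href displayed when the pointer arrived

  return {
    // Call on mouseover: this is the URL the status bar shows the user.
    // Hover precedes mousedown, so a swap done on mousedown is caught too.
    onHover(anchor) {
      shown.set(anchor, anchor.href);
    },
    // Call after the page's own click handlers have run, before navigation.
    onActivate(anchor, event) {
      const before = shown.get(anchor);
      if (before === undefined) return { blocked: false, reason: "no-snapshot" };
      if (sameOrigin(before, anchor.href, base)) return { blocked: false, reason: "match" };
      event.preventDefault(); // cancel navigation to the swapped target
      return { blocked: true, reason: "href-changed", shown: before, actual: anchor.href };
    },
  };
}

// Browser wiring: capture-phase hover, bubble-phase click on window so it runs
// after handlers on the link itself (a handler calling stopPropagation evades it).
if (typeof document !== "undefined") {
  const guard = createHrefGuard(document.baseURI);
  const link = (e) => (e.target instanceof Element ? e.target.closest("a[href]") : null);
  document.addEventListener("mouseover", (e) => { const a = link(e); if (a) guard.onHover(a); }, true);
  window.addEventListener("click", (e) => {
    const a = link(e);
    if (a && guard.onActivate(a, e).blocked) console.warn("Link target changed after hover:", a.href);
  });
}
```

Keyboard activation without a prior hover produces no snapshot and is let through here; a focus listener calling `onHover` would close that gap.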



#3 flcl_grim


Posted 25 March 2013 - 02:17 PM

Phishing with javascript has always been possible.

Luckily, it gets sanitized (most of the time) when it could be a problem.

 

"Look, dad!  I blew something up with the chemistry set!"

And so have we.  A thousand times before.