Full Disclosure mailing list archives

Re: Mouseover URL spoof with IE

From: bkfsec <bkfsec () sdf lonestar org>
Date: Thu, 10 Feb 2005 10:01:49 -0500

Martin Stricker wrote:

<a href="http://bad-site.xx/";
onmouseover="javascript:window.status='http://nice-site.xx';";>blah</a>
If you point your mouse over that link, you'll see "http://nice-site.xx";
in the status bar, but clicking will lead you to http://bad-site.xx/.
This is already widely used in spoof e-mails.

[.xx is a ccTLD which, per RFC and ISO standard, will *never* be used,
so my example domains will never exist. Just a precaution.]

As a side-note...

This action is carried out by the browser's javascript interpreter and,as such, if you use a browser (like Mozilla) where you can disable thewindow.status JS object, this spoofing will not work. (I'm sure thatthere are other ways to trick it, perhaps, but this does not work onceit's disabled in the browser.)


            -Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Mouseover URL spoof with IE Danny (Feb 09)
- Re: Mouseover URL spoof with IE Valdis . Kletnieks (Feb 09)
- <Possible follow-ups>
- RE: Mouseover URL spoof with IE Thor Larholm (Feb 09)
  - Re: Mouseover URL spoof with IE Danny (Feb 09)
    - Re: Mouseover URL spoof with IE Martin Stricker (Feb 09)
    - Re: Mouseover URL spoof with IE bkfsec (Feb 10)