Another URL spoofing in at least two browsers has been discovered. It was first reported as a URLspoofing vulnerability in Internet Explorer. Subsequent discussions later revealed that Firefox is also vulnerable.
To create such a bug, start off with a simple link tag: <a href=””> </a>
Then within that tag, include an onClick() event. This event is triggered when the link is clicked. Then use the onClick event to include a Javascript that redirects the browser into a web page of your choice.
As you may have noticed, the redirection is done through Javascript. The redirection script can be modified such that an attacker can employ this to execute custom Javascript of the attacker’s choosing. For example, it could be leveraged to perform a cross-site scripting attack.
And since this is a spoofing bug, it could be used for phishing or luring unsuspecting users into clicking malicious URLs.
Workaround
Disabling Javascript support in your browsers is an effective workaround for this spoofing bug.
Demo
Click on any URLS below for demonstration. See the underlying source code to see how the URL spoofing works. And yes, all links are safe.
Tested on:
To create such a bug, start off with a simple link tag: <a href=””> </a>
Then within that tag, include an onClick() event. This event is triggered when the link is clicked. Then use the onClick event to include a Javascript that redirects the browser into a web page of your choice.
As you may have noticed, the redirection is done through Javascript. The redirection script can be modified such that an attacker can employ this to execute custom Javascript of the attacker’s choosing. For example, it could be leveraged to perform a cross-site scripting attack.
And since this is a spoofing bug, it could be used for phishing or luring unsuspecting users into clicking malicious URLs.
Workaround
Disabling Javascript support in your browsers is an effective workaround for this spoofing bug.
Demo
Click on any URLS below for demonstration. See the underlying source code to see how the URL spoofing works. And yes, all links are safe.
Redirect to trendmicro.com, even though the URL says “http://google.com”
Pop a message box
Pop a message box
Tested on:
- IE 6, Windows XP SP2
- Firefox v1.0.7, Windows XP SP2
