[Full-Disclosure] Mouseover URL spoof with IE

bkfsec bkfsec at sdf.lonestar.org
Thu Feb 10 15:01:49 GMT 2005


Martin Stricker wrote:

><a href="http://bad-site.xx/"
>onmouseover="javascript:window.status='http://nice-site.xx';">blah</a>
>If you point your mouse over that link, you'll see "http://nice-site.xx"
>in the status bar, but clicking will lead you to http://bad-site.xx/.
>This is already widely used in spoof e-mails.
>
>[.xx is a ccTLD which, per RFC and ISO standard, will *never* be used,
>so my example domains will never exist. Just a precaution.]
>
As a side-note...

This action is carried out by the browser's javascript interpreter and, 
as such, if you use a browser (like Mozilla) where you can disable the 
window.status JS object, this spoofing will not work.  (I'm sure that 
there are other ways to trick it, perhaps, but this does not work once 
it's disabled in the browser.)

             -Barry
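As an added example, not part of Martin's or Barry's posts: a small Python check (standard library only) that a mail filter or page scanner could run to flag anchors whose mouseover handler writes a URL into window.status whose hostname differs from the real href, i.e. the pattern Martin describes. The sample HTML is constructed from his snippet plus a benign link.

```python
# Added example, not from the original thread: detect status-bar spoofing
# anchors (href points one place, onmouseover shows another in window.status).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches window.status='...' or window.status="..." inside an event handler.
STATUS_ASSIGN = re.compile(r"""window\.status\s*=\s*(['"])(.*?)\1""", re.IGNORECASE)

def _host(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

class StatusSpoofFinder(HTMLParser):
    """Collects (real_href, shown_status) pairs whose hostnames differ."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        href = attrs.get("href", "")
        # Any mouse/focus handler can carry the assignment; check them all.
        for name in ("onmouseover", "onmouseenter", "onmousemove", "onfocus"):
            for _, shown in STATUS_ASSIGN.findall(attrs.get(name, "")):
                if _host(shown) and _host(shown) != _host(href):
                    self.findings.append((href, shown))

def find_status_spoofs(html):
    """Return a list of (real_href, spoofed_status_text) for suspicious anchors."""
    finder = StatusSpoofFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: Martin's spoof, a benign link whose status matches its
# href, and a link with no handler at all.
SAMPLE = """
<a href="http://bad-site.xx/"
onmouseover="javascript:window.status='http://nice-site.xx';">blah</a>
<a href="http://nice-site.xx/page"
onmouseover="window.status='http://nice-site.xx/page'; return true;">ok</a>
<a href="http://plain.xx/">no handler</a>
"""

if __name__ == "__main__":
    for real, shown in find_status_spoofs(SAMPLE):
        print(f"status bar shows {shown!r} but link goes to {real!r}")
```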





Full-Disclosure is hosted and sponsored by Secunia.