Social Engineering Link

Well, eventually, I started playing around with some JS.

I suppose this method is rather old, but I haven't seen it around (strangely)..

The exploit is a simple javascript "onclick" event on an "<a>" tag, which changes the "href" value to another site.

<a href="http://www.good.com" onclick="this.href='http://www.evil.com';">http://www.good.com</a>

And here's the proof of concept: http://www.good.com enjoy!

Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm one of the Co-Founders of Detectify. I'm working closely together with the Swedish firm Young & Skilled. ...Not to forget, I'm the previous founder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on Twitter @Almroot.
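From the defender's side, the link pattern described in the post can be caught by reviewing markup before it is published. The following is an added example, not code from the original post: it scans HTML for `<a>` tags whose inline `on*` handlers touch `href`, `location` or `status`, and reports when a URL inside the handler points to a different host than the visible `href`. The function names and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: flag <a> tags whose inline event handlers rewrite the link target.
// SAMPLE_HTML is constructed input. The regex-based tag scan is a simplification;
// a production check should use a real HTML parser.
const SAMPLE_HTML = `
<p><a href="http://www.good.com" onclick="this.href='http://www.evil.com';">http://www.good.com</a></p>
<p><a href="http://www.good.com/about">About</a></p>
<p><a href="http://www.good.com/x" onmouseover="window.status='http://www.good.com'">x</a></p>
`;

// Parse the attributes of one opening tag into a lower-cased name -> value map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[3] ?? m[4] ?? m[5] ?? "";
  }
  return attrs;
}

// Hostname of an absolute URL, or null when it cannot be parsed.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Return one finding per inline handler on an anchor that touches href/location/status.
function auditAnchors(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    const shownHost = hostOf(attrs.href || "");
    for (const [name, code] of Object.entries(attrs)) {
      if (!name.startsWith("on")) continue;                  // only event handlers
      if (!/\b(href|location|status)\b/.test(code)) continue; // only navigation-related code
      const urls = code.match(/https?:\/\/[^\s'"]+/g) || [];
      findings.push({
        handler: name,
        shownHost,
        handlerHosts: urls.map(hostOf),
        hostMismatch: urls.some((u) => hostOf(u) !== shownHost),
      });
    }
  }
  return findings;
}
```

A static scan like this only sees inline attributes; handlers attached from script, as in the jQuery snippet in the comments below, need a runtime check or a policy that disallows untrusted script entirely.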

11 Comments

  1. Kasper Borg Hammer says:

    I wonder why this hasn't been fixed yet o_O

  2. Fredrik Nordberg Almroth says:

    Yeah, I wonder that too.. It's so obvious :S

  3. grawr says:

    Probably because people use it to separate JS-users from non-js if they have an AJAX-site etc.

  4. Javascript link redirection « Through the Eyes of Sense says:

    [...] http://h.ackack.net/?p=80 Categories: security Tags: security Comments (0) Trackbacks (0) Leave a comment Trackback [...]

  5. Tweets that mention Social Engineering Link, updated ( ): Well, eventully, i started pla... -- Topsy.com says:

    [...] This post was mentioned on Twitter by AckAck. AckAck said: Social Engineering Link, updated ( http://cli.gs/hzmyB ): Well, eventully, i started pla... [...]

  6. Tim says:

    I use noscript and I got redirected to good.com!

    But yes, most people don't use noscript and this seems like a pretty neat little trick.

  7. Pedro says:

    Strangely enough, it goes to good.com if you open in a new tab and evil.com if you just click (Firefox).

  8. kb says:

    This is not really a flaw, and a legitimate way to differentiate js from non-js browsing like @grawr said.

    Google does it with all their search results. You can use other methods such as using Download

    However, as a web developer I've often wanted to know what js-actions are performed/what binds are in place for a clickable element. So maybe that should be added to modern browsers when hovering over a link since js is so common in interactive websites.

  9. kb says:

    Sorry, the html got filtered in my previous post. Intended to demonstrate use of onmouseover/onmouseout attributes to change the status bar of the browser via window.status.

  10. max says:

    Hmm, I still go to http://www.good.com here.
    Using Opera 10.53.

  11. h3 says:

    I don't see how this is a flaw ..

    I could do something even more evil with jQuery (or even JS alone):

    $('a').click(function(e){ e.preventDefault(); window.location.href = 'http://evil.com'; });

    This is merely a feature.
