New Fun Thing I found
2009-05-03 00:05:35
Wed, 15 Oct 08 22:12:58 -0600
Link Spoofing! woo!
A harmless link to Yahoo... hover over it and the status bar reads "http://yahoo.com".
Yet it conceals a devilish secret: simply click the link, and you go to... Google.
Wait, what?
Anyone can make a hyperlink that shows one address as the anchor text and has a different href, but this one also spoofs the status bar, and can fool even a careless reader of the source.
To fend off a more careful code-reader, I can do something like a remote function.
There, looking at the code, the only thing different was the id, which could be there for any reason, such as styling.
We could be even sneakier by doing something along the lines of
document.links[4]...
to select the item.
If you looked at the source code, you already know how this works; for the rest of you, the code is:
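<a href="http://yahoo.com" id="fakelink">http://yahoo.com</a>
<script>
  // The href stays http://yahoo.com until the click, so the status bar shows it on hover.
  // onclick runs before the browser follows the link, so the swapped href is what loads.
  document.getElementById('fakelink').onclick = function () {
    this.href = 'http://google.com';
  };
</script>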
I think it's kinda fun to play with.
It can be used in slightly more nefarious schemes, such as clickjacking or... rickrolling.
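A way to detect the href swap described above, as an added example that is not part of the original post: it records a link's href in the capture phase (before the link's own onclick runs) and compares it in the bubble phase (after onclick, before navigation). The function names and the `simulateClick` stand-in are assumptions made for this example.

```javascript
// Added example (not from the original post). Detects a link whose href is
// rewritten by its own click handler, as in the fakelink snippet above.
const hrefAtClickStart = new WeakMap();

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Capture phase: runs before the link's own onclick, so href is still what was displayed.
function recordBeforeHandlers(link) {
  hrefAtClickStart.set(link, link.href);
}

// Bubble phase: runs after onclick but before the browser navigates.
function checkAfterHandlers(link) {
  const shown = hrefAtClickStart.get(link);
  hrefAtClickStart.delete(link);
  if (shown === undefined || shown === link.href) return { swapped: false };
  return { swapped: true, shown, actual: link.href,
           crossOrigin: originOf(shown) !== originOf(link.href) };
}

function installGuard(doc) {
  const linkOf = (e) => (e.target && e.target.closest ? e.target.closest('a[href]') : null);
  doc.addEventListener('click', (e) => {
    const a = linkOf(e);
    if (a) recordBeforeHandlers(a);
  }, true);
  doc.addEventListener('click', (e) => {
    const a = linkOf(e);
    const result = a ? checkAfterHandlers(a) : { swapped: false };
    if (result.swapped) {
      e.preventDefault(); // cancel navigation to the swapped destination
      console.warn('href changed during click:', result.shown, '->', result.actual);
    }
  }, false);
}

// Constructed stand-in for a DOM link so the check also runs outside a browser.
function simulateClick(link) {
  recordBeforeHandlers(link);
  if (typeof link.onclick === 'function') link.onclick();
  return checkAfterHandlers(link);
}

if (typeof document !== 'undefined') installGuard(document);
```

The bubble-phase check only runs when the click event reaches the document, so treat a missing result as "not verified" rather than "clean".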