Internet Explorer URL Redirection
Written by Eric
Sunday, 11 September 2005 15:38
Internet Explorer is susceptible to a tricky form of web redirection which can fool users into believing they are at a site they are not. This is not so much a vulnerability as a problem of recognising the URL in the address bar. Here are a few tips, both on how to do this and how to spot it.

- An HTTP URL can contain an @ symbol, and this is where the problem comes in. Someone wishing to mislead others can hand out an address such as http://www.citibank.com@shadowlair.com/index.php, which many users would read as going to Citibank but which in fact goes to shadowlair.com: everything before the @ is treated as a login name, and the real host is whatever follows it. All browsers accept this form. The reason the @ is allowed is that logins can be passed in the URL; the general syntax is http://user:password@host/path.

- If you see an @ in a web address and aren't sure why it is there, don't trust the site you are going to.

- For those interested in even more secretive means of doing the above, check out this link. You can enter an IP address and convert it to decimal notation: the four octets are weighted by 256^3, 256^2, 256 and 1 and added up, so the address becomes a single number with no dots to give it away. Internet Explorer 5.5 and lower can read this notation and go to it. If you are using IE, try going to http://1109696938 (the decimal form of 66.36.161.170). Don't assume other browsers reject such addresses; decimal IPv4 hosts are widely accepted.

- If you put these methods together you can have an address such as http://www.citibank.com@1113404855 (the number is 66.93.53.183 in dotted notation). This will only work in Internet Explorer 5.5 or lower; later, patched versions refuse user:password@ URLs outright. To the untrained eye the address appears to go to Citibank, but once again it goes to shadowlair.com.
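To make both tricks concrete, here is an added example (not code from the original article) that dissects an http:// URL the way a browser's parser does: it pulls the login name off the front, converts a decimal host back to dotted notation, and cross-checks the result against the WHATWG URL parser built into Node and modern browsers. The sample addresses are the ones quoted above; the function names and the warning messages are my own, and nothing is fetched from the network.

```javascript
// Added example, not code from the original article: dissect an http:// URL
// the way a browser's URL parser does, so that the "@" trick and the decimal
// ("dword") IP trick become visible. Sample URLs are the article's own;
// nothing is fetched from the network.

// Convert a purely numeric host such as 1109696938 into dotted-quad form.
// Returns null if the host is not a number or does not fit in 32 bits.
function dwordToDotted(host) {
  if (!/^\d+$/.test(host)) return null;
  const n = Number(host);
  if (!Number.isSafeInteger(n) || n > 0xffffffff) return null;
  // Big-endian: the most significant byte is the first octet.
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 0xff).join('.');
}

// Split the authority by hand (RFC 3986: [userinfo "@"] host [":" port]).
// The LAST "@" separates userinfo from host; everything before it is a login
// name, which is exactly what a casual reader mistakes for the site name.
function inspectUrl(url) {
  const m = /^https?:\/\/([^/?#]*)/i.exec(url);
  if (!m) return null; // not an http(s) URL
  const authority = m[1];
  const at = authority.lastIndexOf('@');
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  const rawHost = hostport.replace(/:\d*$/, '').toLowerCase();
  const dotted = dwordToDotted(rawHost);

  const warnings = [];
  if (userinfo !== null) {
    warnings.push(`"${userinfo}" before the @ is a login, not the site; real host is ${dotted || rawHost}`);
  }
  if (dotted !== null) {
    warnings.push(`host ${rawHost} is decimal notation for ${dotted}`);
  }
  return { userinfo, host: dotted || rawHost, warnings };
}

// Cross-check against the WHATWG URL parser (global URL in Node and browsers):
// it performs the same userinfo split and the same decimal-to-dotted
// normalisation, which is why the address bar text alone is not a safe guide.
function agreesWithBuiltinParser(url) {
  const ours = inspectUrl(url);
  const theirs = new URL(url);
  return ours !== null && ours.host === theirs.hostname;
}

// Constructed inputs: the article's deceptive addresses plus an honest one.
const samples = [
  'http://www.citibank.com@shadowlair.com/index.php',
  'http://1109696938',
  'http://www.citibank.com@1113404855',
  'http://www.citibank.com/',
];

for (const s of samples) {
  const r = inspectUrl(s);
  console.log(s, '->', r.host, r.warnings.length ? r.warnings : 'looks honest');
}
```

Run it with `node` and compare the printed host with what you would have guessed from reading each address; the third sample produces both warnings, since the login-name trick and the decimal host are stacked.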
Last Updated on Saturday, 14 January 2006 05:52