Posted to users@httpd.apache.org by "gdwfkd@gmail.com" <gd...@gmail.com> on 2006/11/15 20:14:14 UTC

[users@httpd] Spoofing URLs in the address bar

Is it possible to display a different URL than the actual site that the
browser is contacting in the address portion of a browser?  I had thought
the only options for the URL were either the actual site, or the proxy
server site in the instance where you are using a proxy.

I'm asking this as a security question.  If a user gets an email and clicks
on a link (the HREF can say anything it wants), is it possible to have the
browser show http://www.citibank.com in the address bar when it's really
connected to some Chinese malware site?

I know that there are exploits out there for IE, but let's assume I've got
fully patched IE or Firefox and that we don't have some bizarre DNS tainting
or the like going on.
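As an added illustration of the "the HREF can say anything it wants" point (this code is not from the thread or its participants): a small checker that parses an HTML e-mail and flags anchors whose visible text names one host while the href actually resolves to another. The sample message and the 203.0.113.7 address are constructed placeholders.

```python
# Added example, not from the mailing-list thread: flag links in an HTML
# e-mail whose visible text names one host while the href points elsewhere.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL, or of bare text that looks like one (no scheme)."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower().rstrip(".")


def suspicious_links(html):
    """(href, text) pairs whose text names a host different from the href's.
    Text with no hostname-like part ('click here') is skipped: nothing to compare."""
    p = LinkCollector()
    p.feed(html)
    return [(href, text) for href, text in p.links
            if "." in host_of(text) and host_of(text) != host_of(href)]


# Constructed sample e-mail body; 203.0.113.7 is a documentation-range placeholder.
SAMPLE = """<p>Dear customer, please <a href="http://203.0.113.7/login">
http://www.citibank.com</a> to verify.<br>
<a href="https://www.citibank.com/">www.citibank.com</a>
<a href="http://example.net/x">click here</a></p>"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE):
        print(f"text says {text!r} but href goes to {href!r}")
```

Only the first link is reported: its text claims www.citibank.com while the href targets a different host; the second link's text and href agree, and the third has no hostname to compare.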

Re: [users@httpd] Spoofing URLs in the address bar

Posted by Evan Platt <ev...@espphotography.com>.
At 11:14 AM 11/15/2006, you wrote:
>Is it possible to display a different URL than the actual site that 
>the browser is contacting in the address portion of a browser?  I 
>had thought the only options for the URL were either the actual 
>site, or the proxy server site in the instance where you are using a proxy.
>
>I'm asking this as a security question.  If a user gets an email and 
>clicks on a link (the HREF can say anything it wants), is it 
>possible to have the browser show 
>http://www.citibank.com in the address bar 
>when it's really connected to some Chinese malware site?
>
>I know that there are exploits out there for IE, but let's assume 
>I've got fully patched IE or Firefox and that we don't have some 
>bizarre DNS tainting or the like going on.

There's a 'trick', if you will, that LOOKS like an address bar.

Basically some JavaScript that makes the browser go to full screen, 
then basically has a JPG / GIF on top of a fake address bar.

Or even JavaScript that 'looks' like the address bar, and is clickable.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Spoofing URLs in the address bar

Posted by Joshua Slive <jo...@slive.ca>.
On 11/15/06, Joshua Slive <jo...@slive.ca> wrote:
> On 11/15/06, gdwfkd@gmail.com <gd...@gmail.com> wrote:
> > Is it possible to display a different URL than the actual site that the
> > browser is contacting in the address portion of a browser?  I had thought
> > the only options for the URL were either the actual site, or the proxy
> > server site in the instance where you are using a proxy.
> >
> > I'm asking this as a security question.  If a user gets an email and clicks
> > on a link (the HREF can say anything it wants), is it possible to have the
> > browser show http://www.citibank.com in the address bar when it's really
> > connected to some Chinese malware site?
> >
> > I know that there are exploits out there for IE, but let's assume I've got
> > fully patched IE or Firefox and that we don't have some bizarre DNS tainting
> > or the like going on.
>
> I'm not sure why this question is here; it has nothing directly to do
> with Apache.
>
> The answer is, excluding browser bugs, it is impossible for someone
> who does not control a site to make that site appear in the location
> bar.

Actually, I guess I should add a couple caveats.  This could also be
accomplished if the "attacker" controls the DNS used by the client or
the network between client and server (assuming a non-SSL connection;
if it's an SSL connection, they'd also need to control the client's
certificate authority).

Joshua.

Re: [users@httpd] Spoofing URLs in the address bar

Posted by Joshua Slive <jo...@slive.ca>.
On 11/15/06, gdwfkd@gmail.com <gd...@gmail.com> wrote:
> Is it possible to display a different URL than the actual site that the
> browser is contacting in the address portion of a browser?  I had thought
> the only options for the URL were either the actual site, or the proxy
> server site in the instance where you are using a proxy.
>
> I'm asking this as a security question.  If a user gets an email and clicks
> on a link (the HREF can say anything it wants), is it possible to have the
> browser show http://www.citibank.com in the address bar when it's really
> connected to some Chinese malware site?
>
> I know that there are exploits out there for IE, but let's assume I've got
> fully patched IE or Firefox and that we don't have some bizarre DNS tainting
> or the like going on.

I'm not sure why this question is here; it has nothing directly to do
with Apache.

The answer is, excluding browser bugs, it is impossible for someone
who does not control a site to make that site appear in the location
bar.

Joshua.
