by nucleardog
4783 days ago
<a href="http://google.com/" onclick="document.location.href='http://www.hackersite.com/'">http://google.com/</a>; Oh, so you check that? How about I just position an invisible element on top of the valid-looking link? Or use the click handler to do a preventDefault/setTimeout? The only way I can think of to even remotely feasibly try to catch this is to just track the last URL clicked if it looks like a FQDN, then compare that against the browser's URL on the next document.onready. Of course, if the site has any sort of open redirection, then that's useless. However, after all of this... the attackers can just switch to using links which don't have the FQDN in their label.