Here's how to test your browser to see if it really tells you where you are!

Vulnerability
Internet Explorer can be fooled by a specially crafted URL (universal resource locator, the thing that shows in the location bar of the browser).

Exploit
A web page or email can have a link for you to click that is something like http://user@domain. The real address to which you would be directed can be hidden by putting a non-printing character (%01) before the "@". Internet Explorer doesn't display the rest of the URL. This makes the page appear to be at an entirely different domain. To see if your browser will let you be tricked this way, click on the button below.

This vulnerability test is based upon one provided by the discoverer of this exploit, available from http://www.zapthedingbat.com/security/ex01/vun1.htm  
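
A check that a mail filter or web proxy could run on links of the form described above, given as an added example (it is not from this page or from the discoverer's test). The function name `inspectLink`, the verdict labels and the sample URLs are assumptions made for illustration.

```javascript
// Added example. All URLs are constructed samples (reserved .example names
// and the documentation IP range 203.0.113.0/24).

// Percent-encoded control bytes (%00-%1F, %7F) as the URL parser reports them.
const ENCODED_CONTROL = /%(?:[01][0-9a-f]|7f)/i;
// Raw control characters in the link text itself (the parser drops tab/newline).
const RAW_CONTROL = /[\u0000-\u001f\u007f]/;
// Userinfo that starts like a dotted host name, e.g. "www.trusted.example".
const HOST_LIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i;

function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { href, verdict: "unparseable", realHost: null, reasons: [] };
  }
  // Everything between "//" and "@" is userinfo, not the destination.
  const userinfo = url.password ? `${url.username}:${url.password}` : url.username;
  const hasUserinfo = userinfo !== "";
  const hasControl = ENCODED_CONTROL.test(userinfo) || RAW_CONTROL.test(href);
  const hostLike = HOST_LIKE.test(userinfo);

  const reasons = [];
  if (hasUserinfo) reasons.push("userinfo before '@'");
  if (hasControl) reasons.push("control character in link");
  if (hostLike) reasons.push("userinfo resembles a host name");

  let verdict = "ok";
  if (hasUserinfo || hasControl) verdict = "suspicious";
  if (hasUserinfo && (hasControl || hostLike)) verdict = "spoof-likely";
  // realHost is where the browser would actually connect.
  return { href, verdict, realHost: url.hostname, reasons };
}

const samples = [
  "http://www.trusted.example/login.htm",
  "ftp://alice@files.example/pub/",
  "http://www.trusted.example%01@203.0.113.7/login.htm",
];
for (const s of samples) {
  const r = inspectLink(s);
  console.log(`${r.verdict.padEnd(12)} host=${r.realHost}  ${r.reasons.join("; ")}`);
}
```

The `realHost` field is the value to show the user or log, since it is the host after the "@" rather than the text in front of it.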

Solution
Right now (December 22, 2003) Microsoft doesn't have one for IE 5 or 6. Your best solution is to run a web browser that doesn't let people trick you. The best bet is Opera, which will warn you of the spoofed URL attempt. It's available at http://www.opera.com. Mozilla from Mozilla.org is free and far safer in many ways than IE, but not as good at handling fake URLs as Opera.

You don't have to uninstall IE (it is essentially impossible to do so). When you first run Opera or Mozilla, it will ask if you want it to be your default browser. Check yes so your email program doesn't bring up IE when you click on a link.


© 2013 Happy Hacker All rights reserved.