[4638] in WWW Security List Archive


Re: Regarding Web Spoofing

daemon@ATHENA.MIT.EDU (Gretchin Lair)
Mon Mar 3 19:34:43 1997

Date: Mon, 3 Mar 1997 14:18:37 -0700 (MST)
From: Gretchin Lair <gretchin@uscolo.edu>
To: www-security@ns2.rutgers.edu
In-Reply-To: <199703030652.OAA20649@relay10.jaring.my>
Errors-To: owner-www-security@ns2.rutgers.edu

On Mon, 3 Mar 1997, Swarup Biswas wrote:

> One of the ways to detect if the web is a spoofed one, is by its URL so I
> just wanted to know is
> there any way one can hide some characters appearing and URL when the
> spoofed page is invoked?

sure, on the surface. use the onmouseOver javascript trick to fool
people -- either put the url you want them to think they're going to, or
put something innocuous like, "click here" or "my cousin bob".

but there's nothing you can do to keep your web spoof from their server
logs. a smart sysadmin will pick it up immediately.

one of the weird/cool things about web spoofing is that it works in
"secure" situations, too: if you go to a site which has a blue, whole key
through a web spoof, the key never breaks, because technically, you _do_
go to that site, you just go through the spoof site first. gives an
excellent false sense of security while providing sensitive info to the
spoof site.

gl.
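
A defender-side check for the status-bar trick described in the message above, as an added example that is not part of the original post: it scans markup for links whose onmouseover handler writes status-bar text that hides or contradicts the real href. The sample markup, the hostnames and the function names (`attr`, `hostOf`, `auditLinks`) are constructed for illustration.

```javascript
// Added example (not from the original post): flag links whose onmouseover
// handler writes status-bar text that hides or contradicts the real href.
// SAMPLE_HTML is constructed; the hostnames are placeholders.
const SAMPLE_HTML = `
<a href="http://spoof.example/login" onMouseOver="window.status='http://www.bank.example/login'; return true">log in</a>
<a href="http://www.bank.example/help" onmouseover="window.status='http://www.bank.example/help'; return true">help</a>
<a href="http://spoof.example/x" onMouseOver="self.status='click here'; return true">offer</a>
<a href="http://www.bank.example/about">about</a>
`;

// Read one quoted attribute value from an opening tag (case-insensitive name).
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i");
  const m = re.exec(tag);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// Hostname of a URL, or null when the text is not a URL at all.
function hostOf(text, base) {
  try { return new URL(text, base).hostname.toLowerCase(); } catch (e) { return null; }
}

// Returns one finding per suspicious link:
//   "mismatch" = status bar names a different host than the link target
//   "masked"   = status bar shows plain text instead of the destination
// Regex tag matching is enough for a sketch; it assumes no '>' inside attributes.
function auditLinks(html, base) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const href = attr(tag, "href");
    const handler = attr(tag, "onmouseover");
    if (!href || !handler) continue;
    const m = /status\s*=\s*(['"])(.*?)\1/i.exec(handler);
    if (!m) continue;
    const shown = m[2];
    const shownHost = hostOf(shown);
    if (shownHost === null) findings.push({ href, shown, verdict: "masked" });
    else if (shownHost !== hostOf(href, base)) findings.push({ href, shown, verdict: "mismatch" });
  }
  return findings;
}

console.log(auditLinks(SAMPLE_HTML));
```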

