Dedicated Servers
Moblin
JMSL Numerical Library

IBM® developerWorks
Sun Developer Network
Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

HTML

RSS

Internet Explorer 6 Hacks And Holes Exposed

By: Mitchell Harper	Search For More Articles! Disclaimer Author Terms
Rating: / 15
2002-02-14

Table of Contents:

Internet Explorer 6 Hacks And Holes Exposed

Mmmmm... gimme cookie!

Site Impersonation: Mixed Identities

Direct file access

Conclusion

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

Internet Explorer 6 Hacks And Holes Exposed - Site Impersonation: Mixed Identities

(Page 3 of 5 )

If you open a new web browser window using JScript in IE6 with something like "http://www.company.com" as the URL, then you'd be pretty sure that the page you're viewing actually comes from that domain, right? It's impossible to change the contents of a web page on another domain isn't it? Are you sure? Absolutely sure? Thought not.

That's right folks, using just a couple of lines of JScript, you can open a new browser window containing the URL of an external site and modify the body of that page: AKA site impersonation.

Create a new page named c:\site_impersonate.html and enter the following code into it:

<html>

<head>

<title> Site Impersonation </title>

<script language="JavaScript">



</script>

</head>

<body bgcolor="#FFFFFF" onLoad="openWin()">

</body>

</html>

Load the page up in IE6 and enter a fully qualified domain name in the popup window (I entered the name of my site, http://www.devarticles.com). Look at what happens when the JScript code opens a new window:

Site impersonation at its best!

Once again, think of all the scenarios where this could threaten your personal security. Next time you click on a link to pay for a credit card purchase and it opens in another window, be 500% sure that the site is who they say they are. To do this, right click in the middle of the page and click the properties option. Make sure the address of the site is actually http://www.payment-gateway.com or whatever the URL of the payment provider is. Here are the properties of the page that we just impersonated:

The properties page of the impersonated site

The properties page of the impersonated site

See how the address points to the script that opened the new window? If you're using IE6, always check the address of a page if you're about to enter sensitive information such as your address, phone number, credit card details, etc.

Next: Direct file access >>

More HTML Articles
More By Mitchell Harper

Comments On: Internet Explorer 6 Hacks And Holes Exposed

>>> Be the FIRST to comment on this article!

HTML ARTICLES

- Tabular Database Forms with HTML
- Using the Find Functions for HTML Database F...
- Sorting for Database Forms with HTML
- Edit and Other Database Form Functions with ...
- More Database Form Functions with HTML
- Database Form Functions with HTML
- Using the HTML Table Element as a Recordset
- Building Single Row Database Forms with HTML
- Introduction to Database Forms with HTML
- Another Look at Animation of Geographical Ma...
- Animation of Geographical Map Regions
- Changing and Moving Pictures with CSS
- Clickable Geographical Map Regions
- Gradient Creation with the HR Element
- Text on HTML Images: Do it Yourself
Find More HTML Articles