Home arrow HTML arrow Page 3 - Internet Explorer 6 Hacks And Holes Exposed
HTML

Internet Explorer 6 Hacks And Holes Exposed


Apparently Microsoft were in a little bit of a rush to get Internet Explorer 6 out the door, and forgot to take that extra bit of time to debug and test it for security cracks and holes. In this article Mitchell talks about the latest security holes found in IE6. He shows you how to test your system for vulnerabilities and also provides links to the relevant patches and more information on the holes.

Author Info:
By: Mitchell Harper
Rating: 5 stars5 stars5 stars5 stars5 stars / 20
February 14, 2002
TABLE OF CONTENTS:
  1. · Internet Explorer 6 Hacks And Holes Exposed
  2. · Mmmmm... gimme cookie!
  3. · Site Impersonation: Mixed Identities
  4. · Direct file access
  5. · Conclusion

print this article
SEARCH DEVARTICLES

Internet Explorer 6 Hacks And Holes Exposed - Site Impersonation: Mixed Identities
(Page 3 of 5 )

If you open a new web browser window using JScript in IE6 with something like "http://www.company.com" as the URL, then you'd be pretty sure that the page you're viewing actually comes from that domain, right? It's impossible to change the contents of a web page on another domain isn't it? Are you sure? Absolutely sure? Thought not.

That's right folks, using just a couple of lines of JScript, you can open a new browser window containing the URL of an external site and modify the body of that page: AKA site impersonation.

Create a new page named c:\site_impersonate.html and enter the following code into it:

<html>

<head>

<title> Site Impersonation </title>

<script language="JavaScript">

<!--

function openWin()

{

url = prompt("Enter a fully qualified domain name:");

win = document.open(url, "urlWin", "top=200, left=200, width=300, height=250, resizable=yes, location=yes, status=yes, toolbar=yes");

win.document.write("You entered the domain name of " + url + ", but I'd rather you see this:<br><br><h1>Hello World!</h1>");

}

-->

</script>

</head>

<body bgcolor="#FFFFFF" onLoad="openWin()">

</body>

</html>


Load the page up in IE6 and enter a fully qualified domain name in the popup window (I entered the name of my site, http://www.devarticles.com). Look at what happens when the JScript code opens a new window:

Site impersonation at its best!

Once again, think of all the scenarios where this could threaten your personal security. Next time you click on a link to pay for a credit card purchase and it opens in another window, be 500% sure that the site is who they say they are. To do this, right click in the middle of the page and click the properties option. Make sure the address of the site is actually http://www.payment-gateway.com or whatever the URL of the payment provider is. Here are the properties of the page that we just impersonated:

The properties page of the impersonated site

See how the address points to the script that opened the new window? If you're using IE6, always check the address of a page if you're about to enter sensitive information such as your address, phone number, credit card details, etc.
blog comments powered by Disqus
HTML ARTICLES

- Does HTML5 Need a Main Element?
- Revisiting the HTML5 vs. Native Debate
- HTML5: Not for Phone Apps?
- HTML5 or Native?
- Job Hunting? Freelancer.com Lists This Quart...
- HTML5 in the News
- Report: HTML5 Mobile Performance Lags
- The Top HTML5 Audio Players
- Top HTML5 Video Tutorials
- HTML5: Reasons to Learn and Use It
- More of the Top Tutorials for HTML5 Forms
- MobileAppWizard Releases HTML5 App Builder
- HTML5 Boilerplate: Working with jQuery and M...
- HTML5 Boilerplate Introduction
- New API Platform for HTML5

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
 
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 
Support 

Developer Shed Affiliates

 




© 2003-2017 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials