URL hiding ...

  • Sarah Tanembaum

    URL hiding ...

    test.html:
    <script type="text/javascript">
    // Client-side redirect: the browser loads test.php, so the address bar changes.
    location = "test.php?name=blah";
    </script>


    test.php
    <?php
    // Read the query parameter and HTML-escape it before echoing it back.
    $name = $_GET['name'];
    echo "Name is: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    ?>

    From the browser, http://<server name>/test.html, and it will print out

    Name is: blah

    Instead of showing http://<server name>/test.html, the URL on the browser
    will show the php script set by "location" in the html file, that is,
    http://<server name>/test.php?name=blah.

    Is it possible to hide the redirected url(http://<server
    name>/test.php?name=blah), instead, display the original
    one(http://<server name>/test.html).

    Thanks
  • Michael Fesser

    #2
    Re: URL hiding ...

    .oO(Sarah Tanembaum)

    >test.html:
    ><script type="text/javascript">
    > location = "test.php?name=blah";
    ></script>
    >
    >
    >test.php
    ><?php
    > $name = $_GET['name'];
    > echo "Name is: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    >?>
    >
    > From the browser, http://<server name>/test.html, and it will print out
    >
    > Name is: blah

    Only if the user agent is capable of executing Javascript.

    >Instead of showing http://<server name>/test.html, the URL on the browser
    >will show the php script set by "location" in the html file, that is,
    >http://<server name>/test.php?name=blah.

    Yep. It always shows the URL of the current document.

    >Is it possible to hide the redirected url(http://<server
    >name>/test.php?name=blah), instead, display the original
    >one(http://<server name>/test.html).

    Nope.

    Micha


    • Sarah Tanembaum

      #3
      Re: URL hiding ...

      Michael Fesser wrote:
      > .oO(Sarah Tanembaum)
      >
      >>test.html:
      >><script type="text/javascript">
      >> location = "test.php?name=blah";
      >></script>
      >>
      >>
      >>test.php
      >><?php
      >> $name = $_GET['name'];
      >> echo "Name is: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
      >>?>
      >>
      >>From the browser, http://<server name>/test.html, and it will print out
      >>
      >> Name is: blah
      >
      > Only if the user agent is capable of executing Javascript.
      >
      >>Instead of showing http://<server name>/test.html, the URL on the browser
      >>will show the php script set by "location" in the html file, that is,
      >>http://<server name>/test.php?name=blah.
      >
      > Yep. It always shows the URL of the current document.
      >
      >>Is it possible to hide the redirected url(http://<server
      >>name>/test.php?name=blah), instead, display the original
      >>one(http://<server name>/test.html).
      >
      > Nope.
      >
      > Micha

      Thanks Micha, but how do all those registrars do it with their
      stealth URL forwarding?

      Thanks

      Sarah


      • Michael Fesser

        #4
        Re: URL hiding ...

        .oO(Sarah Tanembaum)

        >Thanks Micha, but how do all those registrars do it with their
        >stealth URL forwarding?

        Not sure what you mean, can you give an example?

        Of course one way of "hiding" (at least visually) the address is to use
        frames, the browser will then always show the address of the frameset.
        But believe me, you don't really want to use frames just for such a
        gimmick.

        Micha


        • Mohamed Rambil

          #5
          Re: URL hiding ...

          Hi,
          Maybe you could give us an example url, but I guess they're mainly using
          frames: one big frame which takes all the space in the browser (thus you
          cannot see there is a frame).
          The location displayed in the address bar will then be the one of the
          frameset page, not the one of the page actually displayed in the frame.

          HTH
          --
          Mo

          "Sarah Tanembaum" <sarahtanembaum@yahoo.com> wrote in message
          news:3181vgF37bquqU1@individual.net...
          > Michael Fesser wrote:
          > > .oO(Sarah Tanembaum)
          > >
          > >>test.html:
          > >><script type="text/javascript">
          > >> location = "test.php?name=blah";
          > >></script>
          > >>
          > >>
          > >>test.php
          > >><?php
          > >> $name = $_GET['name'];
          > >> echo "Name is: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
          > >>?>
          > >>
          > >>From the browser, http://<server name>/test.html, and it will print out
          > >>
          > >> Name is: blah
          > >
          > > Only if the user agent is capable of executing Javascript.
          > >
          > >>Instead of showing http://<server name>/test.html, the URL on the browser
          > >>will show the php script set by "location" in the html file, that is,
          > >>http://<server name>/test.php?name=blah.
          > >
          > > Yep. It always shows the URL of the current document.
          > >
          > >>Is it possible to hide the redirected url(http://<server
          > >>name>/test.php?name=blah), instead, display the original
          > >>one(http://<server name>/test.html).
          > >
          > > Nope.
          > >
          > > Micha
          >
          > Thanks Micha, but how do all those registrars do it with their
          > stealth URL forwarding?
          >
          > Thanks
          >
          > Sarah



          • Sarah Tanembaum

            #6
            Re: URL hiding ...

            Michael Fesser wrote:
            > .oO(Sarah Tanembaum)
            >
            >>Thanks Micha, but how do all those registrars do it with their
            >>stealth URL forwarding?
            >
            > Not sure what you mean, can you give an example?
            >
            > Of course one way of "hiding" (at least visually) the address is to use
            > frames, the browser will then always show the address of the frameset.
            > But believe me, you don't really want to use frames just for such a
            > gimmick.
            >
            > Micha

            Hi Micha, my question is how those "phishers" do it. The URL
            looks like it came from the legitimate domain name, but it isn't?

            Thanks,

            Sarah


            • Dr. Donald Menzel

              #7
              Re: URL hiding ...

              Most phishers use some sort of trojan or script on your computer that
              will adjust the "HOSTS" file (w32 only). By adjusting this hosts file you
              can change the domain name pointers (know anything about DNS?) so the
              domain of a site, i.e. www.example.org, will not point to the original
              computer hosting the www.example.org domain, but a fake other computer,
              owned by the phisher/attacker.
              Afaik this is not url hiding...


              • Warren Oates

                #8
                Re: URL hiding ...

                In article <1101992568.756368.187670@f14g2000cwb.googlegroups.com>,
                "Dr. Donald Menzel" <DrMenzel@gmail.com> wrote:

                :Most phishers use some sort of trojan or script on your computer that
                :will adjust the "HOSTS" file (w32 only).

                There are hosts files on Unix and even old Mac computers too (it's just
                easier to break into a Microsoft machine).
                --
                Looks like more of Texas to me.
                .... Arizona, where the nights are warm and the roads are straight.
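
A check for the hosts-file tampering described in posts #7 and #8, added here as an example and not taken from the thread: it parses hosts-file text and lists every entry that overrides a watched domain or one of its subdomains. The function names, the sample file and the watched domains are constructed for illustration.

```javascript
// Added example (not from the thread): audit hosts-file text for entries
// that override names you care about. SAMPLE_HOSTS is constructed; the
// addresses come from the documentation range 203.0.113.0/24.

const SAMPLE_HOSTS = [
  '127.0.0.1      localhost',
  '::1            localhost   # IPv6 loopback',
  '# local overrides',
  '203.0.113.10   www.example.org example.org',
  '0.0.0.0        ads.tracker.example',
  '203.0.113.77\tLOGIN.BANK.EXAMPLE   # tab-separated, upper case',
].join('\r\n');

// Split hosts text into one record per (address, name) pair.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((line, index) => {
    const body = line.split('#')[0].trim(); // drop comments
    if (!body) return;
    const [ip, ...names] = body.split(/\s+/);
    for (const name of names) {
      entries.push({ line: index + 1, ip, name: name.toLowerCase() });
    }
  });
  return entries;
}

// Addresses that block a name rather than send it to another machine.
function isLocalAddress(ip) {
  return ip === '0.0.0.0' || ip === '::1' || ip.startsWith('127.');
}

// Return every entry that overrides a watched domain or one of its subdomains.
function auditHosts(text, watchedDomains) {
  const watched = watchedDomains.map((d) => d.toLowerCase());
  return parseHosts(text)
    .filter((e) => watched.some((d) => e.name === d || e.name.endsWith('.' + d)))
    .map((e) => ({ ...e, redirected: !isLocalAddress(e.ip) }));
}
```

On a real machine the text would be read from `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`; a public name should normally not appear there at all.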


                • Sacs

                  #9
                  Re: URL hiding ...

                  Sarah Tanembaum wrote:
                  > Michael Fesser wrote:
                  >
                  >> .oO(Sarah Tanembaum)
                  >>
                  >>> Thanks Micha, but how do all those registrars do it with their
                  >>> stealth URL forwarding?
                  >>
                  >> Not sure what you mean, can you give an example?
                  >>
                  >> Of course one way of "hiding" (at least visually) the address is to use
                  >> frames, the browser will then always show the address of the frameset.
                  >> But believe me, you don't really want to use frames just for such a
                  >> gimmick.
                  >>
                  >> Micha
                  >
                  > Hi Micha, my question is how those "phishers" do it. The URL
                  > looks like it came from the legitimate domain name, but it isn't?
                  >
                  > Thanks,
                  >
                  > Sarah

                  At one stage they were using a flaw in I.E. by having an invisible
                  character in the url, something like

                  http://your.bank.com^@ http://hackers.r.us.ru/

                  where the ^ was a chr(1) or chr(0) or something. I.E. would display the
                  first part of the url, but fetch the html from the last part.

                  This was fixed in a patch a few months back.

                  Firefox/Mozilla/Opera and other _real_ browsers would fetch the html
                  from the second part, but display the entire url.


                  Sacs


                  • Centurion

                    #10
                    Re: URL hiding ...

                    Sarah Tanembaum wrote:

                    > test.html:
                    > <script type="text/javascript">
                    > location = "test.php?name=blah";
                    > </script>
                    >
                    >
                    > test.php
                    > <?php
                    > $name = $_GET['name'];
                    > echo "Name is: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
                    > ?>
                    >
                    > From the browser, http://<server name>/test.html, and it will print out
                    >
                    > Name is: blah
                    >
                    > Instead of showing http://<server name>/test.html, the URL on the browser
                    > will show the php script set by "location" in the html file, that is,
                    > http://<server name>/test.php?name=blah.
                    >
                    > Is it possible to hide the redirected url(http://<server
                    > name>/test.php?name=blah), instead, display the original
                    > one(http://<server name>/test.html).

                    This is bordering on off-topic, but read on if you are running Apache.

                    You /might/ be able to write an Apache rewrite rule that munges the address
                    for you, but you'd have to link to the munged address IIRC.

                    I have a site with a photo gallery and it uses rewrites so I can link to
                    stuff with nice http://<server>/gallery/album/photoID instead of something
                    awful like http://<server>/gallery/index.php?album=album&photoID=ID&....

                    If I link to the ugly URL, the ugly URL is displayed in the browser's
                    address bar, but if I link to the nice URL, the nice URL is displayed, even
                    though Apache is really accessing the ugly URL "behind the scenes".

                    There's probably a way to put in a redirect for UGLY_URL -> NICE_URL in
                    Apache but I couldn't be stuffed trying to get it all working with rewrite
                    rules too. YMMV

                    Cheers,

                    James
                    --
                    You can't hold a man down without staying down with him.
                    -- Booker T. Washington


                    • Daniel Tryba

                      #11
                      Re: URL hiding ...

                      Sacs <alan_nospam_@way.co.nz> wrote:
                      > At one stage they were using a flaw in I.E. by having an invisible
                      > character in the url, something like
                      >
                      > http://your.bank.com^@ http://hackers.r.us.ru/
                      >
                      > where the ^ was a chr(1) or chr(0) or something. I.E. would display the
                      > first part of the url, but fetch the html from the last part.
                      >
                      > This was fixed in a patch a few months back.

                      Fixed? You mean: existing functionality got broken on purpose.

                      > Firefox/Mozilla/Opera and other _real_ browsers would fetch the html
                      > from the second part, but display the entire url.

                      Are you sure? IMHO the whole URL was used, the URL rfc states that
                      syntax like: scheme://user:password@host/path is perfectly valid in
                      general. AFAIK all http clients always supported the more general form
                      even though a http url is defined as http(s)://host/path/...


                      • Sarah Tanembaum

                        #12
                        Re: URL hiding ...

                        Centurion wrote:
                        > Sarah Tanembaum wrote:
                        >
                        >>test.html:
                        >><script type="text/javascript">
                        >>location = "test.php?name=blah";
                        >></script>
                        >>
                        >>
                        >>test.php
                        >><?php
                        >>$name = $_GET['name'];
                        >>echo "Name is: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
                        >>?>
                        >>
                        >> From the browser, http://<server name>/test.html, and it will print out
                        >>
                        >>Name is: blah
                        >>
                        >>Instead of showing http://<server name>/test.html, the URL on the browser
                        >>will show the php script set by "location" in the html file, that is,
                        >>http://<server name>/test.php?name=blah.
                        >>
                        >>Is it possible to hide the redirected url(http://<server
                        >>name>/test.php?name=blah), instead, display the original
                        >>one(http://<server name>/test.html).
                        >
                        > This is bordering on off-topic, but read on if you are running Apache.
                        >
                        > You /might/ be able to write an Apache rewrite rule that munges the address
                        > for you, but you'd have to link to the munged address IIRC.
                        >
                        > I have a site with a photo gallery and it uses rewrites so I can link to
                        > stuff with nice http://<server>/gallery/album/photoID instead of something
                        > awful like http://<server>/gallery/index.php?album=album&photoID=ID&....
                        >
                        > If I link to the ugly URL, the ugly URL is displayed in the browser's
                        > address bar, but if I link to the nice URL, the nice URL is displayed, even
                        > though Apache is really accessing the ugly URL "behind the scenes".
                        >
                        > There's probably a way to put in a redirect for UGLY_URL -> NICE_URL in
                        > Apache but I couldn't be stuffed trying to get it all working with rewrite
                        > rules too. YMMV
                        >
                        > Cheers,
                        >
                        > James

                        Hi James, it is not exactly what I'd like to happen, but it's getting
                        closer, in a sense that, at least we can hide UGLY URL and replace them
                        with a NICE URL that is easy to remember, pleasing to the eyes, and less
                        typing. Perhaps you can share what you did with us.

                        Cheers,

                        Sarah


                        • Sacs

                          #13
                          Re: URL hiding ...

                          Daniel Tryba wrote:
                          > Sacs <alan_nospam_@way.co.nz> wrote:
                          >
                          >>At one stage they were using a flaw in I.E. by having an invisible
                          >>character in the url, something like
                          >>
                          >>http://your.bank.com^@ http://hackers.r.us.ru/
                          >>
                          >>where the ^ was a chr(1) or chr(0) or something. I.E. would display the
                          >>first part of the url, but fetch the html from the last part.
                          >>
                          >>This was fixed in a patch a few months back.
                          >
                          > Fixed? You mean: existing functionality got broken on purpose.
                          >
                          >>Firefox/Mozilla/Opera and other _real_ browsers would fetch the html
                          >>from the second part, but display the entire url.
                          >
                          > Are you sure? IMHO the whole URL was used, the URL rfc states that
                          > syntax like: scheme://user:password@host/path is perfectly valid in
                          > general. AFAIK all http clients always supported the more general form
                          > even though a http url is defined as http(s)://host/path/...

                          My example wasn't quite correct, the url spoofing trick didn't have the
                          second http. It was relying on the user:password@host functionality,
                          which is as you say correct and part of the rfc. But it also made use of
                          a bug within I.E. that wouldn't display anything after a NULL character
                          in the url.



                          explained a little clearer here:



                          Mozilla etc managed to display the full url, which made it fairly
                          obvious where you were actually browsing.

                          Sacs
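
The user:password@host trick discussed in posts #9, #11 and #13, as an added defensive check that is not part of the original thread: it parses a URL with the standard `URL` class, reports the host that would actually be contacted, and flags userinfo that contains control characters or looks like a hostname. The function name `inspectUrl`, the finding labels and the sample URLs are assumptions made for this example.

```javascript
// Added example (not from the thread): show which host a URL really
// targets and flag the "user:password@host" tricks described above.
// Every URL used with it here is constructed, with reserved .example names.

const CONTROL_CHAR = /[\x00-\x1f\x7f]/;
// Heuristic: dotted label sequence, e.g. "your.bank.example".
const LOOKS_LIKE_HOST = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch {
    return text; // malformed percent-escape: keep the raw text
  }
}

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { host: null, findings: ['unparseable'] };
  }
  const findings = [];
  if (url.username || url.password) {
    // Everything before "@" is credentials, not the site being visited.
    findings.push('userinfo-present');
    // The parser percent-encodes raw control characters in userinfo, so
    // decoding catches both a literal chr(1) and an encoded %01 or %00.
    const user = safeDecode(url.username);
    const pass = safeDecode(url.password);
    if (CONTROL_CHAR.test(user + pass)) {
      findings.push('control-char-in-userinfo');
    }
    // A user name shaped like a domain is there to be mistaken for the host.
    const visible = user.replace(/[\x00-\x1f\x7f]/g, '');
    if (LOOKS_LIKE_HOST.test(visible)) {
      findings.push('userinfo-looks-like-host');
    }
  }
  // url.hostname is the machine the request goes to.
  return { host: url.hostname, findings };
}

// Constructed sample: the part before "@" imitates a bank's host name.
const sample = inspectUrl('http://your.bank.example%01@other-host.example/');
console.log(sample.host, sample.findings);
```

A link checker or mail filter can show `host` to the user in place of the raw link text and treat any non-empty `findings` list as a reason to warn.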


                          • Michael Fesser

                            #14
                            Re: URL hiding ...

                            .oO(Sarah Tanembaum)

                            >Hi James, it is not exactly what I'd like to happen, but it's getting
                            >closer, in a sense that, at least we can hide UGLY URL and replace them
                            >with a NICE URL that is easy to remember, pleasing to the eyes, and less
                            >typing. Perhaps you can share what you did with us.

                            mod_rewrite is a beast, it's voodoo. It's powerful, but will definitely
                            take some time to get warm with it. You should try the official
                            documentation first (make sure you are familiar with regular expressions ...).

                            Apache 1.3 URL Rewriting Guide
                            http://httpd.apache.org/docs/misc/rewriteguide.html

                            Micha


                            • Sarah Tanembaum

                              #15
                              Re: URL hiding ...

                              Michael Fesser wrote:
                              > .oO(Sarah Tanembaum)
                              >
                              >>Hi James, it is not exactly what I'd like to happen, but it's getting
                              >>closer, in a sense that, at least we can hide UGLY URL and replace them
                              >>with a NICE URL that is easy to remember, pleasing to the eyes, and less
                              >>typing. Perhaps you can share what you did with us.
                              >
                              > mod_rewrite is a beast, it's voodoo. It's powerful, but will definitely
                              > take some time to get warm with it. You should try the official
                              > documentation first (make sure you are familiar with regular expressions ...).
                              >
                              > Apache 1.3 URL Rewriting Guide
                              > http://httpd.apache.org/docs/misc/rewriteguide.html
                              >
                              > Micha

                              Dear Micha, can you elaborate more on why it's voodoo and/or powerful?
                              Thanks
