Hacking the <a> tag in 100 characters

**MentaL** · 27-03-13

Hacking the <a> tag in 100 characters

I found this quite interesting. Given how simple it is to spoof a link you would figure this is a considerable oversight.

**MentaL**

**xDarKyx** · 27-03-13

Firefox seems to have it fixed either.
I've tried it.

**Robert** · 29-03-13

Links to paypal fine for me?

Could be that I've always used NoScript for years now.

**Ron** · 29-03-13

Or, you know, just look at the address bar before you type in anything. lol

**Arcelor** · 29-03-13

Originally Posted by Robert

Links to paypal fine for me?

Could be that I've always used NoScript for years now.

The bug was reported to firefox, opera, chrome. Got fixed.

**EliteGM** · 29-03-13

NoScript probably prevents it too though.

**jMerliN** · 30-03-13

This article is retarded. Why would you change the href on a tag? All you have to do is preventDefault on the event and just set the window location.

Code:

function loljacked(event){
    event.preventDefault();
    window.location = 'http://www.google.com';
}
Array.prototype.slice.call(document.querySelectorAll('a')).forEach(function(link){
  link.addEventListener('click', loljacked);
});

Open your console and run it.

**Jubatus** · 31-03-13

Originally Posted by Arcelor

The bug was reported to firefox, opera, chrome. Got fixed.

No, it works in Google Chrome unless you open it in a new tab.

**myoxe** · 01-04-13

Originally Posted by Jubatus

No, it works in Google Chrome unless you open it in a new tab.

It works on firefox too.

Hacking the <a> tag in 100 characters

Thread Tools

Hacking the <a> tag in 100 characters

Re: Hacking the <a> tag in 100 characters

Re: Hacking the <a> tag in 100 characters

Re: Hacking the <a> tag in 100 characters

Re: Hacking the <a> tag in 100 characters

Re: Hacking the <a> tag in 100 characters

Re: Hacking the <a> tag in 100 characters

Re: Hacking the <a> tag in 100 characters

Re: Hacking the <a> tag in 100 characters

Advertisement