WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1: kgun, 10-04-2006, 11:16 AM
The indirect security risk in links.

1. Once you activate a link, there are inherent security risks.

If you know JavaScript (JS) and event handlers written in JS, moving your cursor over a link on a page can be a security risk.

2. Invisible links and security risk.

That link may even be invisible (e.g. same colour as the background).

3. Why is it a security risk?

Because moving your cursor over the link may trigger an event (handler). It is up to your fantasy to imagine what that event handler can activate.

4. The risk in getting IBLs (and code)

The code that you get e.g. in a request for reciprocal linking may be plain HTML, but it can also be JS. Then, if you do not have an overview of what that code does, there is an inherent security risk in pasting that code into your site.

5. Related WPW posts.

URL redirection, URL and browser hijacking.

Affiliate link hijacking.
#2: Lerza, 10-04-2006, 12:18 PM

I understand your logic and agree that this is a feasible situation; however, it needs to be pointed out that JS events can be triggered by passive action as well.

It is much more likely that an unsafe event would be triggered with the loading of a page than with a rollover, because this would execute itself immediately and affect everyone who visits the page, whereas an event tied to a rollover would only affect those who initiated the action.
#3: kgun, 10-04-2006, 12:24 PM

Excellent post as usual. It is implicit in point 4 above. You made it explicit.
#4: meddlingwithfire, 10-20-2006, 04:55 PM

I agree that you shouldn't be haphazardly pasting other people's JavaScript code into your site -- but it sounds to me (and pardon me here, I'm pretty new to these forums) like you're making an argument against having JavaScript enabled in your browser.

Are there any documented cases where hacks have occurred using a recent release of JavaScript? I haven't heard of any serious attacks being done through JavaScript in recent browsers... but I admit I haven't been actively looking into it. So what's wrong with having JavaScript enabled?

In the case of link-exchanges for SEO purposes... the worst thing that I know is possible is that the code they provide could link to a different web location than you thought it was. Is there some greater security risk here I am missing?
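
An added example, not part of any post in this thread: a Python check a webmaster could run over link-exchange code before pasting it into a site (point 4 of the first post), flagging script elements, inline event handlers such as the rollover and page-load triggers discussed above, javascript: URLs, and links hidden by inline style. The class and function names, the patterns, and the sample snippet are all constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Heuristic patterns, not exhaustive (assumptions made for this example).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
JS_URL = re.compile(r"\s*javascript\s*:", re.I)

class SnippetAuditor(HTMLParser):
    """Collects (line, tag, reason) findings for markup that can run script."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _flag(self, tag, reason):
        # getpos() gives the line on which the current tag starts
        self.findings.append((self.getpos()[0], tag, reason))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self._flag(tag, f"<{tag}> element")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onmouseover, onload, onclick, ...
                self._flag(tag, f"event handler {name}")
            elif name in ("href", "src", "action") and JS_URL.match(value):
                self._flag(tag, f"javascript: URL in {name}")
            elif name == "style" and HIDDEN_STYLE.search(value):
                self._flag(tag, "inline style hides the element")

    handle_startendtag = handle_starttag  # self-closing tags get the same checks

def audit_snippet(html):
    """Return findings for a snippet; an empty list means plain markup."""
    auditor = SnippetAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample of "link exchange" code, for illustration only.
SAMPLE = """<a href="https://partner.example/">Partner site</a>
<a href="https://partner.example/" style="visibility:hidden"
   onmouseover="track()">x</a>
<body onload="init()">
<script src="https://partner.example/w.js"></script>"""

if __name__ == "__main__":
    for line, tag, reason in audit_snippet(SAMPLE):
        print(f"line {line}: <{tag}> {reason}")
```

A link hidden by giving it the same colour as the page background, as in point 2, cannot be detected from the snippet alone, because that depends on the host page's own styles.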

All times are GMT -4.