Security risk: The trick behind camouflaged links

SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Re: Security risk: The trick behind camouflaged links

Post by SFSxOI »

Ok folks, you completely misunderstand. I'm talking about java in some context, script or not, being used on the web site in the original thread starter's supplied link. You guys are taking it completely out of context. Sure, you can reproduce this locally, sure there are other methods that can be used to reproduce this on web sites and java does not need to be used. I'm talking specifically about how it's done in the specific link on the specific web site in which java is involved in some fashion (even with java orientated java script). In that context of what I'm speaking about, I am 100% correct.
Last edited by SFSxOI on Sun Mar 24, 2013 1:56 pm, edited 1 time in total.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Re: Security risk: The trick behind camouflaged links

Post by SFSxOI »

MachineCode wrote:
SFSxOI wrote: Oh sigh... I'm talking about it being used on the web site.
So, if my web site doesn't have Java installed/running and I solely use that JavaScript snippet in a HTM page there, would you then believe it's nothing to do with Java? You do know that Java <> JavaScript, right?
Yes, I'm aware that Java <> (exactly) Java script. It's java orientated though and still exploitable as the web site in the original poster's link demonstrates. When I talk about java in this respect I'm talking about any aspect to do with java, even java orientated or based scripting because from an exploit aspect they are one and the same. When I say to 'uninstall' Java I'm talking about uninstalling java in any aspect even not using the scripting, because from an exploit aspect it's one and the same. Sure, there are other methods that can be used other than java script and such poisoned links are not new in the history of the internet but java exploits (in any flavor scripting or not), but that's not the point, the point is it's some form of java or java orientated method involved being used here in the link provided. You guys are branching off into 'what if' and 'no you are wrong because I can do this', it doesn't matter what you can or can not do contrary because you are not using the actual conditions that exist and the actual conditions are what the link in the original poster's provided link does so you are wrong in trying to apply a different context and then say it does not exist and are only fooling yourself. The fact remains that java in some form is used (even if it's scripting only in the link, which from appearances it is but it really isn't but I'm not even going to bother to go into showing you what you can't see in looking at the simple link) and that's what I'm talking about and java is exploitable no matter if it's java itself or java script.
Last edited by SFSxOI on Sun Mar 24, 2013 2:17 pm, edited 3 times in total.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
Little John
Addict
Posts: 4805
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Security risk: The trick behind camouflaged links

Post by Little John »

luis wrote:
Little John wrote: I can even reproduce the problem locally on my system, with Java completely removed.
It's not even needed to do so, just looking at the code on that page is more than enough.
Yes, I know. Doing so was an act of desperation, since I had a slight hope, that that could convince SFSxOI that the problem is not caused by some mystic influence of Java on the connection chain.
Little John
Addict
Posts: 4805
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Security risk: The trick behind camouflaged links

Post by Little John »

Going back to normal discussion now ...
luis wrote:
Little John wrote: Interesting, thanks for the tip!
However, a malicious web page could additionally just disallow right-click, couldn't it?
Certainly, you see that often in "normal" web sites when they fear you can steal something from them using "save as".
A site which does that with the clear intention of limiting the browser functionality is no better than malware IMO. And it rubs me the wrong way.
So, if the "open in another tab/window" does not work, this should ring a small alarm bell and you can leave the site in disgust or if you are really curious you can disable javascript and continue for what it's possible.
The idea should be: you browse relaxed (never completely, this is the real world) on a well known site you trust, and when visiting a dubious site you switch mind and start to double check what you do, inspect the links, inspect the source and so on.

Anyway, the "open in another tab/window" is something even a normal user without any particular knowledge can keep in his bag of tricks, and can help in this case. So it's nice to know I think.
Yes, I absolutely agree. Well put!
Danilo
Addict
Posts: 3036
Joined: Sat Apr 26, 2003 8:26 am
Location: Planet Earth

Re: Security risk: The trick behind camouflaged links

Post by Danilo »

- Java is not JavaScript - tell your friends!
The only real similarity with Java is in the first four characters of the name.
- Java vs. JavaScript: Similarities and Differences
Java and JavaScript are Still Two Different Animals
- What's the difference between JavaScript and Java?
Java and Javascript are similar like Car and Carpet are similar.
I prefer the version about ham and hamster.
Little John
Addict
Posts: 4805
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Security risk: The trick behind camouflaged links

Post by Little John »

Danilo wrote:
Java and Javascript are similar like Car and Carpet are similar.
I prefer the version about ham and hamster.
:lol: