However, usually the attacker must get an user to click the HTML
injection link to activate the attack. This section briefly discusses how to motivate a
victim to click a link.
For a moment, pretend that you are the attacker. Say that you found an HTML injection
at http://search.engine.com/search?p=, and you devised
an evil script at http://evil.org/e.js. Now all you have to do is get people to click
this link:
http://search.engine.com/search?p=
It??™s truly amazing how many people will actually click the link above, but more
computer-savvy users will quickly identify that clicking the link above will lead to
something bad. Thus, the attacker obscures the link and motivates the user to click
something more enticing.
Obscuring HTML Injection Links
Various methods can be used to obscure links via anchor tags, URL shortening sites,
blogs, and web sites under the attacker??™s control.
The first suggestion is quite simple. Most web applications automatically wrap
anchor tags around URLs to make it easier for the user to follow links. If the attacker can
write his or her own hyperlinks, such as in a webmail application, the attacker could
craft a link like this:
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128