
Posts 1 - 12 of 12   
Links in Forums: 6/21/2012 15:20:52


[REGL] Pooh 
Level 60
Is it possible to make a clickable link in a forum that is not the actual URL?

Example from something that may (but doesn't) work per BBC Wikipedia page:

[url=http://example.com]Example[/url]
Links in Forums: 6/21/2012 15:57:09


{rp} General Mac 
Level 53
Pretty sure you just type it as normal.

http://example.com
Links in Forums: 6/21/2012 15:58:11


{rp} General Mac 
Level 53
With no coding bits before and after, just the "http://example.com".
Links in Forums: 6/21/2012 16:00:57


Richard Sharpe 
Level 59
Mac, his question was whether you could make a link without showing the actual url but instead having other text be clickable for the link.
Links in Forums: 6/21/2012 16:04:23

Fizzer 
Level 58

Warzone Creator
No, it's currently not possible. I tried to allow it but, surprisingly, I couldn't find any library that did it in a safe manner.
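Added here as an illustration of what "safe" has to mean for Pooh's [url=...]label[/url] request (this is example code, not the forum's own code and not any library Fizzer evaluated): everything outside a validated link is HTML-escaped, so markup pasted into a post is displayed as text instead of being interpreted, and a target only becomes a link when it is an absolute http or https URL with a plain hostname, which rejects javascript:, data: and scheme-relative targets. The tag grammar, the hostname rule and the sample posts are assumptions made for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed tag grammar for this example: [url=TARGET]label[/url]; no other BBCode is parsed.
URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)

# Allow-list: only absolute web URLs become links. javascript:, data:, vbscript:
# and scheme-relative targets (//host) are rejected.
ALLOWED_SCHEMES = {"http", "https"}

# Conservative hostname rule (assumption): letters, digits, dots, hyphens, optional port.
# Userinfo (user@host) and IPv6 literals are deliberately rejected.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]+)?$")


def safe_href(target: str) -> Optional[str]:
    """Return a canonical href for an acceptable target, or None to reject it."""
    try:
        parts = urlsplit(target.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not HOST_RE.match(parts.netloc):
        return None
    return parts.geturl()


def render_post(text: str) -> str:
    """Convert a post body to HTML. Every character that is not part of a
    validated link goes through html.escape, so <style>, <script> and
    attribute break-outs are shown as text rather than executed."""
    out = []
    pos = 0
    for m in URL_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        href = safe_href(m.group(1))
        if href is None:
            # Rejected target: show the whole tag literally instead of linking it.
            out.append(html.escape(m.group(0)))
        else:
            out.append(
                '<a href="%s" rel="nofollow noopener">%s</a>'
                % (html.escape(href, quote=True), html.escape(m.group(2)))
            )
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample posts: a normal link, a script URL, and a stand-in for a style injection.
    for post in (
        "[url=http://example.com]Example[/url]",
        "[url=javascript:alert(document.cookie)]free maps[/url]",
        "<style>body{background:pink}</style>",
    ):
        print(render_post(post))
```

Escaping the href as an attribute is what stops a target such as `http://example.com/" onclick="...` from closing the quote; the hostname check and the scheme allow-list are the second layer, so a target that passes urlsplit but is not a web address never reaches the anchor at all.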
Links in Forums: 6/21/2012 16:37:06


Moros 
Level 50
What is considered safe? I mean, it's just a different line (or lines) of code, how can it be unsafe?
Links in Forums: 6/21/2012 19:00:31

RvW 
Level 46
Do you remember the day the forum turned pink? What happened in that case was that someone (sorry, forgot his username) figured out how to put some code inside his forum post. Your browser doesn't (and, realistically speaking, can't) know that's not supposed to happen so it will happily execute that code.
In that case, the included code was only used to override page layout, but the same technique could be used to do actually malicious stuff (redirecting you to another page, stealing cookies, infecting your browser with malware, ..., the list goes on).

The point about computer security is that problems are almost always caused by bugs. Most (regular) bugs will be discovered at some point and then fixed; so far so good.

But when it comes to security-related issues, it's often a bug which is extremely unlikely to ever occur by accident (meaning nobody ever notices it, nobody ever reports it and hence, it never gets fixed). For instance, I bet you've misspelled your username a couple times when trying to enter it, right? But have you ever made the following "typo" on a "username" field?
        Robert'); DROP TABLE Students; --
Probably not, right? And if you change anything at all in there (leave out the apostrophe, closing parenthesis and/or semicolon after "Robert", replace "TABLE" by "GRID" or leave out one of the two dashes at the end), nothing bad happens, you'll just get an error.

However, entering exactly that will delete all of the data from the database table called "Students" (and no, unless you have a backup you can't simply hit "undo" to get it back). With normal bugs, you're fighting against bad luck, with security bugs, you're fighting against a (potentially highly skilled) human opponent, willing to spend a lot of time and effort on triggering (and then exploiting) a bug.

[Well, on any properly designed site it will cause an error (and quite probably an alert to the administrator / network security department), but on a site put together by someone who doesn't know about proper security, it is remarkably likely the database will happily remove the table.]

WARNING: Actually entering that "name" above on any site which is not your own is (an attempt at) cracking that site and illegal in at least the USA and the Netherlands (and most probably a lot of other countries as well, I just don't know for sure about any others), so I strongly suggest you don't; this is just for explanatory purposes. If you want to know why it works (and why it looks so weird), simply Google "SQL injection". (If you want to know why I used "Robert" as a username, Google "Bobby Tables" and find an awesome webcomic! :p )
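Added here as a runnable version of the example in the post above (it is not code from the thread; the Students schema and the sample names are constructed for it): an in-memory SQLite database, one insert that pastes the user's name into the SQL text, and one that passes it as a bound parameter. The pasted version goes through executescript, which runs every statement it is handed, as several database interfaces do; Python's own sqlite3.execute() refuses a second statement, which is why the script form is used to show the effect. The same harness also shows what a slightly altered payload and an innocent name like O'Brien do to the vulnerable code.

```python
import sqlite3

# The exact "name" from the post (the XKCD "Bobby Tables" payload).
BOBBY = "Robert'); DROP TABLE Students; --"


def fresh_db() -> sqlite3.Connection:
    """Constructed schema for the example: a Students table with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def insert_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    """The bug: the name is pasted into the SQL text, so quotes and semicolons
    in it become SQL. executescript is used because it runs every statement
    it is handed; sqlite3's execute() would reject the extra statement."""
    sql = "INSERT INTO Students (name) VALUES ('%s');" % name
    conn.executescript(sql)


def insert_safe(conn: sqlite3.Connection, name: str) -> None:
    """The fix: the name travels as a bound parameter and is never parsed as SQL."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def names(conn: sqlite3.Connection):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]


def attempt(insert, name: str):
    """Run one insert against a fresh database and report
    (exception class name or None, whether Students still exists, remaining rows)."""
    conn = fresh_db()
    try:
        insert(conn, name)
        error = None
    except sqlite3.Error as e:
        error = type(e).__name__
    rows = names(conn) if table_exists(conn) else []
    return error, table_exists(conn), rows


if __name__ == "__main__":
    print("vulnerable, exact payload:   ", attempt(insert_vulnerable, BOBBY))
    print("vulnerable, missing ')':     ", attempt(insert_vulnerable, "Robert'; DROP TABLE Students; --"))
    print("vulnerable, honest O'Brien:  ", attempt(insert_vulnerable, "O'Brien"))
    print("parameterised, exact payload:", attempt(insert_safe, BOBBY))
```

With the exact payload the vulnerable insert ends with no error and no Students table; with the closing parenthesis missing, SQLite fails to parse the first statement and nothing runs; O'Brien fails the same way, which is the "normal bug" that usually gets this code noticed. The parameterised insert stores the payload as an ordinary name and the table survives.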
Links in Forums: 6/21/2012 20:47:42


J Russell Mikkelsen 
Level 4
WARNING: Actually entering that "name" above on any site which is not your own is (an attempt at) cracking that site and illegal in at least the USA and the Netherlands (and most probably a lot of other countries as well, I just don't know for sure about any others), so I strongly suggest you don't; this is just for explanatory purposes.
You couldn't just give us a made up command?
Links in Forums: 6/21/2012 21:32:57


x 
Level 58
i remember pink day.

i remember.
Links in Forums: 6/22/2012 00:58:24

RvW 
Level 46
You couldn't just give us a made up command?

Yes, I could've. Even thought about it. I decided to give "the real one" for a number of reasons:

  • This is literally all over the Internet; it's very easy to find (try googling "Bobby Tables" for the XKCD comic, or "SQL injection" for in-depth explanations, examples and discussions). In other words, I'm not exactly revealing any secrets.
  • Making up a realistic-yet-broken example would take additional (in my opinion, pointless) effort.
  • Any bored-out-of-his-mind twelve year old can download tools which launch this type of attack automatically, absolutely no actual understanding required (those are called "script kiddies"), if just one skilled person makes such a tool available (hint: they do).
  • In contrast, each and every single site needs to employ defences against attacks like this, meaning that every site designer needs to be aware of these issues (and similar ones). Showing how incredibly easy it is might cause one or two fellow WL players who also happen to run websites to get the wakeup call they need to fix their sites.
  • While this is an actual example, on most sites (for instance, any site whose database doesn't have a table called "Students") it will do nothing. I understand this technique enough to protect websites I build against it, but I'm hardly an expert on really using it. Still, even I could've tweaked that example to make it much, much more powerful, which I deliberately didn't do.
Links in Forums: 6/22/2012 13:41:25

Grzechooo 
Level 30
@RvW
That was me, and yes, this could steal cookies. I even started writing a proof of concept of this, but instead I thought it may be cool to have some fun with styling.
Links in Forums: 6/22/2012 14:12:40


Richard Sharpe 
Level 59
Oh how I love XKCD...
