Home page logo

webappsec logo WebApp Sec mailing list archives

RE: Phishing
From: Adam Lydick <lydickaw () ruffledpenguin org>
Date: Thu, 13 May 2004 21:55:17 -0700

On Wed, 2004-05-12 at 17:26 +0100, Griffiths, Ian wrote:
Some good ideas there Rogan.  I to feel educating users is a large part of this but how far can you go?  Consider 
this (ficticious) URL:
https://secure.bank.com:/logon/12345 () nefarious fraud net/
Fairly easy to set up, completely compliant with protocol, starting with the right thing, looks genuine to the 
untrained eye and yet completely unscrupulous.  I've actually seen something similar in the wild and I'm completely 
sure it works, spotting this takes more than a passing exposure to knowledge of URL composition.

<chop previous message>

I belive that is *not* a valid URL. It happens to work in many browsers,
but it should not (for making social engineering more difficult and RFC
compliance). Check out the bugtraq archives for some more detailed
discussion about this issue.

(The jist of it is -- while the generic description of URLs in an
earlier RFC allows for "user@", the use of it is on a
protocol-by-protocol basis and HTTP urls do not permit its use.)

Adam Lydick

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]