Create a Fake HTML Link in Your Site / Buat Link HTML Palsu di Situsmu

26 Apr 2006

174102

Create a Fake HTML Link in Your Site
Buat Link HTML Palsu di Situsmu

Karena mengandung kode2 dalam Bahasa Inggris, jadi harusnya pengunjung yang mau mencoba ini tau Bahasa Inggris. Jadi cukup versi itu saja ya, kali ini.

This page has been mentioned in Digg. Click here if you like this page! By the way, the methods described below is for educational purposes only. Maybe somehow can let web-browser makers know another security measures that can be taken with this kind of trick.

Introduction

Hi! This is a demonstration on how links can deceive you. Try to click any link on the box below. See your status bar or right click and select properties if you still don't believe.

Best Web Browser
http://www.microsoft.com/ie
http://www.google.com/search?q=ie

Best Operating System
http://www.microsoft.com/windows

Best Office Suite
http://www.microsoft.com/office

Best Search Engine
http://www.msn.com

Place your mouse on those links. What do you see in the status bar of your browser? Right-click on the link and select copy to clipboard or similar. What do you get on the clipboard? Is it different from the address you arrive at when you click the link?

It has been tested on IE 6, Firefox 1.5 and Opera 8.
Click here if you want to download the solution directly!

The Trick

The trick is quite simple. Just place an onmousedown event that sets the link address to the new one. So when the user clicks on the link, he/she will go to the new address.

Before:

<A href="http://www.microsoft.com/ie">

After:

<A href="http://www.microsoft.com/ie"
    onmousedown="this.href = 'http://mozilla.org'"
>

Problem 1

When the user goes back to this page, or cancels the loading of the new page, he/she will see the new link address in his/her status bar. So we need to change it back to the old address after the user clicks it.

<A href="http://www.microsoft.com/ie" 
    onmousedown="this.href = 'http://mozilla.org'"
    onclick="this.href = 'http://www.microsoft.com/ie'"
>

Does it work? No! Because the old address will be set again just before the user goes to the new page. So doing this is useless. Hmm, what to do?

Apparently adding a very small delay solves the problem.

<A href="http://www.microsoft.com/ie" 
    onmousedown="this.href = 'http://mozilla.org'"
    onclick="setTimeout(function() { 
        this.href = 'http://www.microsoft.com/ie';
    }, 1)"
>

The "1" above means that the link address will be restored 1 millisecond after the user clicks on the link.

Hurray, the problem is solved!

Problem 2

It's not good to have the old link string mentioned twice. It would be nice if we can just specify it once.

Fine, lets just store the old address before setting the new one. Before that, let's move the event handler outside for more convience. We also add the onclick handler on-the-fly.

linkMap = new Map(); // code is below


function down(obj, e, url) {
    linkMap.put(obj, obj.href);
    obj.href = url;
    obj.onmouseup = obj.onclick = function () {
        up(this);
    };
}

function up(obj) {
    setTimeout(function() {
        obj.href = linkMap.get(obj);
    }, 1);
}

After that, we can make our link much more simple. That is:

<A href="http://www.microsoft.com/ie" 
    onmousedown="down(this, event, 'http://mozilla.org')"
>

Problem 3

When the user right-clicks, the new address is shown instead of the old address.

Hmm, seems we need to filter which click triggers the address change. Just modify the down() function to be like this, which supports left-click and middle-click:

function down(obj, e, url) {
    linkMap.put(obj, obj.href);
    if (!e || !e.which || e.which <= 2) obj.href = url;
    obj.onmouseup = obj.onclick = function () {
        up(this);
    };
}

The !e, !e.which etc is done for the BAD IE browser.

Problem 4

How about keypresses, like for users who navigate links using keyboard?

Fortunately this is not too complicated, just add a onkeydown event that calls the same function as the onmousedown event if the key pressed is 13 (enter) or 32 (space).

function key(obj, e) {
    if (e.keyCode == 13 || e.keyCode == 32) obj.onmousedown(obj);
}

And for the link:

<A href="http://www.microsoft.com/ie" 
    onmousedown="down(this, event, 'http://mozilla.org')"
    onkeydown="key(this, event)"
>

How do I make such links?

1. Insert this code inside <script> tags in your page.

function Map() {
    this.keys = [];
    this.values = [];
    this.count = 0;
    this.put = function (key, value) {
        with (this) {
            for (i=0; i<count; i++) if (keys[i] == key) {
                values[i] = value;
                return;
            }
            keys[count] = key;
            values[count] = value;
            count++;
        }
    }
    this.get = function (key) {
        with (this) for (i=0; i<count; i++) {
            if (keys[i] == key) return values[i];
        }
    }
}

var linkMap = new Map();

function key(obj, e) {
    if (e.keyCode == 13 || e.keyCode == 32) obj.onmousedown(obj);
}

function down(obj, e, url) {
    linkMap.put(obj, obj.href);
    if (!e || !e.which || e.which <= 2) obj.href = url;
    setTimeout(function () {
        window.status = linkMap.get(obj);
    }, 1);
    obj.onmouseup = obj.onkeyup = obj.onclick 
    = obj.onmouseout = function () {
        up(this);
    };
}

function up(obj) {
    setTimeout(function() {
        window.status = obj.href = linkMap.get(obj);
    }, 1);
}

2. Create your links. To create it, use this HTML tags:

<a href="the displayed URL"
   onmousedown="down(this, event, 'the actual destination URL')
   onkeydown="key(this, event)"
>

(Replace the italicized text above with the actual values)

Known Problems

Using the script above, visitor can still visit the original link address by right-clicking and selecting "Open". You can modify it to handle right click, but the new address will be shown in the status bar. Any suggestion is appreciated.
In Opera, you can middle-click on the link and open the old address.
In Firefox, you can hold down the left button to show the new address.

Anyway, majority of the user will only left-click it normally, right?

Conclusion

What is it used for? DON'T FOLLOW THESE SUGGESTIONS!

To trick people. To surprise people that the link they thought was pointing to some site has misled them.
To silently count external link clicks on your web page. E.g. the link is shown as http://yahoo.com but is actually http://yoursite.com/count.php?url=http://yahoo.com
..... just for fun.

Written by: yuku

Related articles:

Memory Usage Test: Firefox 2 & 3, Opera 9, IE 7 / Tes Pemakaian Memori: Firefox 2 & 3, Opera 9, IE 7

di Opera 9 ga jalan.. :p
btw, best web browser harusnya opera 9 lah.. :p

arri [sg], 27 Apr 2006, 0:22 reply

Ass,,,Saya Ibu Siti Di Singapore - Saya Mengutarakan Kalau Saya Menang Togel Lagi,Itu Atas Bantuan NYAI RONGGENG Terimah Kasih Banyak Yaa NYAI YAng Telah Memberikan Angka Jitu Nya Kepada Saya Yaitu 9283 Dan Alhamdulillah Berhasil,Berkat Bantuan NYAI Saya Sudah Bisa Membahagiakan Kedua Orang Tua Saya,Bahkan Semua Hutang-Hutang Saya Bersama Hutan Kedua Orang Tua Saya Semuanya Pada Lunas Dan Bahkan Saya Juga Sudah Bisa Membuka Usaha Kecil-Kecilan,Bagi Anda Yg Ingin Seperti Saya Silahkan Hub Nomor NYAI RONGGENG Di : 085286344499 Atau Klik http://pesugihandukundanagaibasli.blogspot.com Karena Cuma Angka Ghoib NYAI RONGGENG Saja Yg Memberikan Bukti YAng Lain Maa Cuma Menghabiskan Uang Saja,Nomor Ritual NYAI RONGGENG Memang Selalu Tepat Dan TerBukti.

Ibu Siti [--], 6 Jul 2018, 16:22 reply

masih ada yg kurang tuh..
kalo di mouse-nya di arahin ke link-nya, lalu pencet tombol kiri.. jangan di lepas.. kemudian geser ke luar link, baru lepas... Tulisannya ga balik lagi ke awal.. jd masi bs ketauan deh :P lalu jadi ada javascript errornya...

26 [sg], 27 Apr 2006, 15:20 reply

masi kurang juga, klo di firefox ato opera pake open in new tab jadinya malah masuk ke link yg ditunjukin, bukan link yg sharusnya, cobain deh

roti [sg], 28 Apr 2006, 10:11 reply

wahh ^^
ku coba klik kanan tetep aja muncul aslinya?? wah hayo kenapa?
hehehe idenya bagus juga yah!! n analisisnya tajam juga..tapi emang sih biasanya yg akal2an itu banyak bugnya ya :P tapi klo orang biasa mah ga pake ngetes-ngetes klik kiri klik kanan kalo mau buka link..

Derianto Kusuma [id], 29 Apr 2006, 12:46 reply

Wah, bagi orang awam seperti aku, baca ini pusiiiing...
Btw, artikel yang bagus...
Keep going...

Lesmanahadi [id], 29 Apr 2006, 15:28 reply

This is possibly the most retarded how-to i have ever have the displeasure to read. Why the hell do you people bother? FFS

mark [gb], 30 Apr 2006, 15:01 reply

UGH. Way to go, asshats. What a super way for spammers and virus writers to getaround the disabling javascript means of hiding links. Thanks for making the web just a little more treacherous.

Paul [us], 30 Apr 2006, 15:43 reply

yeah, it's official--you're fucksticks. Your little conclusion on why do this is bullshit and you know it. Like Paul said, way to enable the script kiddies.

annoyed [us], 30 Apr 2006, 16:47 reply

To really get it to work, you would have to take into account all of the different ways of opening the link. My natural habit for opening links is to always either right-click and select "Open in new tab", or to middle-click to open in a new tab. If I do either of those, this technique does nothing (well, except make a perfectly ordinary link to Microsoft's website).
An interesting idea, but it isn't really that new. And it still doesn't mask the actual address that it sends you to, so it isn't that different form just a regular text-link (like 'CLICK HERE' or such).
If a person is going to be phished by a fake site without looking at the address bar and making sure they are at the real site, are they really going to be the kind of person for whom this technique would make any difference? These are the same people who would never look in the status bar in the first place to see where they're going.

stipes [us], 30 Apr 2006, 17:18 reply

Doesen't work on Firefox 1.5.0.2
Goes to show how secure Firefox is as compared to IE.
Sharjeel
http://www.sharjeel.net

Sharjeel [in], 30 Apr 2006, 21:48 reply

your Map() is actually already built in JavaScript so you don't have to create your own Map()
var abc = anyObject;
var linkMap = new Object();
linkMap[abc] = anotherObject;
var x = linkMap[abc]; // x is assigned the anotherObject
So now you can remove your Map() class :)

felix_halim [id], 1 May 2006, 3:15 reply

Sorry for mistake in the previous post, the built in map[] in JavaScript seemed to work only if the "key" is a string. So it won't work for your case (storing Object as the key).
The workaround is to dynamically assign unique ID for the tag and put the ID of the element as the "key" instead of the Object to the map... :) but that's sound more complicated than creating your own Map() :)

felix_halim [id], 1 May 2006, 3:38 reply

This is very interesting but I think browser issues will cause way too many problems for this to be effective for very long.

Brian [us], 4 May 2006, 6:17 reply

i always use middle-click at opera

orangbandung [id], 10 May 2006, 2:14 reply

extremely good information, very nice trick

singh [us], 24 Jul 2006, 14:05 reply

Very Good Information..
Yupz.. The best Web Browser is Opera 9..
I think..
Ya.. Informasi yang sangat bagus..
Ya.. Web Browser terbaik adalah Opera 9
Menurutku...

Akira_Tetsuya [id], 16 Apr 2007, 14:31 reply

man.....that was confusing....y don't u just give the cut paste html link....for the above fun...u guys must realise that there are loads of people around having websites without any html or javascript knowledge.....

kakarot [in], 30 May 2007, 10:42 reply

hmm... belum gw coba di kompie gw.. sekarang masih di kopi dulu.. semacam fake hyperlink gt y? browser gw pake firebird ver. 0.7 dengan bahasa defaultnya bahasa jepang.

kuyasaiko [id], 21 Nov 2007, 11:33 reply

extremely good information, very nice trick

BesplatneStvari.biz [ba], 16 Mar 2008, 13:24 reply

Informasi berharga untuk anda. Web yang di perkirakan bakal mengalahkan
Yahoo dan Google yang akan lounching pada tgl 1 Juli 2008 akan
membagikan sebagian sahamnya yang sebesar $ 1,000,000.00 kepada siapa
saja yang bergabung menjadi anggotanya (Free) sebelum tgl 1 Juli 2008.
Ayo buruan gabung untuk mendapatkan saham gratis. FREE to JOIN. all the
world.
KLIK Join Disini http://www.WebUpgrade9.com/shodiqfm

sahabat [id], 9 Jun 2008, 4:42 reply

Rank and rate anything and everything

Rate People Pictures [in], 30 Jul 2008, 9:17 reply

surat [in], 30 Jul 2008, 9:24 reply

Good review bro...!thank ,but it dont work with firefox

nedyasafira [id], 1 Aug 2008, 16:49 reply

yanto [id], 28 Nov 2008, 21:57 reply

It doesnt work, it just redirects exactly to the link that is there.

Jacob [nl], 4 Dec 2008, 13:43 reply

download sepuasnya

friend [us], 15 May 2009, 9:30 reply

wew

gerald [--], 18 Jan 2010, 11:50 reply

NOT WORKING...
I believe this is due to browser safety mechanism to prevent phishing...

anonymous [id], 15 Feb 2010, 0:52 reply

Thank you! This article is great and it was very helpful!!! Keep on writing more articles like these!

Frank [gb], 30 Jun 2010, 20:46 reply

Aduh..puyeng.....btw thanks infonya :)

Pemula [id], 27 Jul 2010, 23:42 reply

mantap, mo nyoba ah, teng kyu,,

tian [id], 12 Oct 2010, 5:48 reply

ohhhh gini toh caranya

rina emot [--], 6 Jun 2012, 9:03 reply

hello

iraq [--], 27 Sep 2012, 13:59 reply

change password

yahoo [--], 24 Nov 2012, 0:49 reply

Te [--], 23 Jan 2018, 0:36 reply

:PPPPP

AAA [--], 20 May 2021, 14:29 reply

Please give rating! :) thank you
hello we have sent you a form to your destination.
we invite you to join this middle school once you graduate
Evelyn Chiu age: 10 grade: 6
Please consider the request we would love to have you for our classes too. if you join you may meet Botex9
Lol just gonna copy and paste this. just ignore my dumb motherfucking ass brain. :) and this was very helpful

@BotsForEducation.ca [eu], 5 Jul 2021, 2:47 reply