
Thread: &item%3Dq209354@

  1. #1
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953

    Question &item%3Dq209354@

    http://www.microsoft.com&item%3Dq209354@

    Does the URL above redirect you to whatever URL comes after the '@' or does it tunnel the data through microsoft.com - I'm confused...

    http://www.microsoft.com&item%3Dq209...antionline.com

    Try it for yourself and keep me posted...
    yeah, I'm gonna need that by friday...

  2. #2
    Senior Member
    Join Date
    May 2002
    Posts
    390
    URL 1: the first time: there are no new messages in my box. And then it's just a white page.
    URL 2: antionline home page
    just like water off a duck's back... I AM HERE.

    for CMOS help, check out my CMOS tut?

  3. #3
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    I don't think you understood my question?
    yeah, I'm gonna need that by friday...

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    You can authenticate users over http.

    Instead of typing http://<website> like you would normally, you enter
    http://<username>:<password>@<website> (this is mostly used for ftp, for example:
    ftp://george:dubya@ftp.whitehouse.gov would authenticate user 'george' with password 'dubya').

    Now, if you want to imitate a site, you do this.

    username: wvw.microsoft.com/techdir
    password: niftyscript

    Let's say your site is wvw.mysite.org

    You can combine this to:
    nttp\\wvw.microsoft.com/techdir:niftyscript@wvw.mysite.org/spoof.html
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  5. #5
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    There is no ":" in the url posted above?
    yeah, I'm gonna need that by friday...

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Gus, I am trying to follow what you are saying with your example and there are a couple of things I am not quite understanding:

    1) @ what exactly is that doing, it almost looks like it is in a way redirecting the traffic to the www.mysite.org, not really sure, which is why I am asking

    2) should the .com/techdir:niftyscript have been .com\techdir:niftyscript or does it matter?

    3) What would be the intended goal of such a URL? Ie, why should I worry if I see something like that in my logs...You have really fired up my curiosity with this...

    /nebulus

    EDIT: Or please give me a couple of URL's that I can read up on it myself.

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    nebulus200 >

    The @ sign specifies that this is a user AT a domain. Think of it like an email address where you have the username part and domain part separated by an at sign.

    In the context of Guus' example above, the forward slash (/) is part of the username password pair and so is treated as just part of the string. The slash will only work this way because a forward slash (/) would mess up the obfuscation.

    Normally you use such a URL to log into a website - it acts exactly the same as a popup authentication window (in that it converts username/pass into Base64 and processes authentication server side).

    You could also however play with the URL as Guus has done to make it seem to the user that they are linking to the microsoft site when in fact they are linking to the site described after the @ part. In this instance everything before the @ is treated as a username and password for the site designated after the @.

    The link http://www.microsoft.com&item%3Dq209...nline.com/ is a link to AO, but as AO is not password protected by basic HTTP authentication the site just ignores everything before the @ sign.

    Hope that helps - if you want further reading check out the HTTP rfc at w3.org
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
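
Added example, not part of any post in this thread: a small Python check that splits a link the way a standards-following URL parser does and flags userinfo (the part before the @) that is shaped like a hostname, which is the pattern discussed above. The sample links use reserved example domains and are constructed; `inspect_url` and the `HOSTLIKE` heuristic are hypothetical names chosen for this sketch.

```python
import re
from urllib.parse import urlsplit, unquote

# Heuristic (assumption of this sketch): userinfo that starts with
# something shaped like a DNS name, e.g. "www.example.com&item=...".
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def inspect_url(url):
    """Return the host actually contacted, the raw userinfo (or None),
    and whether that userinfo looks like a hostname."""
    parts = urlsplit(url)
    # The authority ends at the first "/", "?" or "#"; inside it,
    # everything before the last "@" is userinfo, not the host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    decoded = unquote(userinfo)  # %3D and friends can hide the shape
    return {
        "host": parts.hostname,
        "userinfo": userinfo if at else None,
        "suspicious": bool(at) and bool(HOSTLIKE.match(decoded)),
    }


# Constructed sample links (reserved example domains, not real targets).
SAMPLES = [
    # Same shape as the link in the first post: hostname-looking userinfo.
    "http://www.example.com&item%3Dq209354@www.example.net/",
    # Ordinary user:password login, as in the ftp example.
    "ftp://george:dubya@ftp.example.org/",
    # An "@" after the first "/" is part of the path for this parser,
    # so the host is the name at the front.
    "http://www.example.com/dir:pw@www.example.net/x",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_url(link))
```

The same check fits a mail gateway or link scanner, where the full link text is still available before a client rewrites it.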

  8. #8
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    thanx. i should have thought about that. it's a neat 'trick'. i actually found the URL in another 'AO' thread...
    yeah, I'm gonna need that by friday...

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    A big thanks to ntsa and Gus, you learn something new every day (or at least I try to).

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    welcome
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
