I've been asked a question by one of my friends as a brain teaser: is it possible to spoof a referer by injecting a link and then simulating a click? So I decided to try. I tried it with gmail.com and ran this through the Firebug JavaScript console.

```javascript
var headID = document.getElementsByTagName("head")[0];
var newScript = document.createElement('script');
newScript.type = 'text/javascript';
newScript.src = 'https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js';
headID.appendChild(newScript);

$("#signIn").html('<a href="http://google.com" id="testing">Hmm</a>');
$("#testing").click();
```

It's interesting though: first I get an error because it seems that jQuery is not loaded fast enough, but the main thing is that the element doesn't actually get clicked. Any ideas?

Saulius Antanavicius
  • There is an add-on that can do it: [Tamper Data](https://addons.mozilla.org/en-us/firefox/addon/tamper-data/). Not completely sure what you want to accomplish though. – dualed Dec 31 '12 at 00:53
  • Actually I have that, whole point of this is just to see if it would work if I injected a link via javascript and simulated a click :) – Saulius Antanavicius Dec 31 '12 at 00:55
  • Why wouldn't it? I suppose you understand all this happens at your browser and not in Gmail servers, if that's what you thought – Alexander Dec 31 '12 at 00:56
  • Then running it from the console won't tell you anything as console code has more permissions. – dualed Dec 31 '12 at 00:57
  • Yeah, but would the href'ed URL think I'm coming from gmail or not? And how come my JS is not working? – Saulius Antanavicius Dec 31 '12 at 00:57
  • Yeah, and? If you want to play around with this, there are easier ways though. `curl --referer` comes to mind – Alexander Dec 31 '12 at 00:59
  • Yes I know all about that, my point still stands about trying this via javascript, but the surprising thing is that if I print $_SERVER on the receiving script, it does not show gmail.com – Saulius Antanavicius Dec 31 '12 at 01:01
  • You might be able to spoof a referrer with a FF modify headers addon – Popnoodles Dec 31 '12 at 01:01
  • By the way, I use a code slightly modified from this template http://joanpiedra.com/jquery/greasemonkey/ to load jQuery in my Greasemonkey scripts. This way you can make sure to run the code only if jQuery was actually loaded and avoid errors. – dualed Dec 31 '12 at 01:19

1 Answer

jQuery's click event isn't actually emulating a real click event. It is merely invoking the click event on the object. Hyperlinks don't (by default) have a click event. Instead of using the jQuery `.click` function, try using the native JavaScript `.click` function.

This works:

```javascript
document.getElementById("link").click();
```

This also works:

```javascript
$("#link")[0].click();
```

This will not work:

```javascript
$("#link").click();
```

Demo it at this jsfiddle

Jason Whitted