HXXP browser protocol

Checking if anyone else has heard of this protocol. It seems to be a method of bypassing security filtering software.

The reason I ask is that we received a security alert with a link hxxp://pastebin.com/###.

Seems very suspicious and want to know if anyone can shed light. Is this a new phishing/malware methodology?

Matthew Black
California State University, Long Beach

Using "hxxp" is a common method to prevent auto-linking by various email/IM clients and/or forum software to then require the user to actively copy/paste the URL to get the content.

In the case of a security alert, I could see it being used if the destination is in fact an example of an attack site to prevent someone from inadvertently clicking the link and getting infected.

The reason I ask is that we received a security alert with a link hxxp://pastebin.com/###.

hxxp has been around for a long time. It's a lame hack that was never widely accepted by browsers. The purpose was to have a clickable link that didn't send a referer (i.e. copy-n-paste). There was a Firefox plugin for one-click handling.

All true and commonly used, but it's worth mentioning that putting a space
before the *dot TLD* is a better way to prevent auto-linking in email/IM
clients, since most of them detect the formation of URLs by other means rather
than relying on the existence of http://.

Certainly true, the machine I'm currently responding on runs Apple Mail 5.2 and does turn it into a link, but since hxxp is an invalid protocol it doesn't do anything useful with it. Clicking the link just gives a "no associated application" error, so the practical result is the same.

For further reference, wiki gives the following reasons for hxxp or other similar methods of URL obfuscation:

Some of the uses of this method include:
* to avoid passing the HTTP referrer header which would reveal the referring web site to the target.
* avoiding automated web crawlers from following the links. While effective, legitimate web crawlers can be avoided through the use of a robots exclusion standard on the target web site. To avoid advancing the search engine rank of the target web site, nofollow attributes can be used instead.
* to bypass overzealous link spam protection in, for example, blog comments.
* for making sure that a user doesn't accidentally click on a potentially harmful link, in applications that automatically recognize links in plain text. Examples of this include "not safe for work" links.
* to avoid an application from downloading unwanted files, like advertisements or malware. The method is to directly change all 'http' to 'hxxp' in specific uncompressed .exe or .swf files with a hex editor.
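The two defanging styles discussed in this thread (the hxxp scheme swap and a space before the dot TLD) can be compared against the two ways a client might detect links. This is an added example, not part of the original thread: the two regexes are constructed stand-ins for scheme-based and bare-domain link detection, not any real client's rules, and the sample URL is constructed.

```python
import re

# Constructed models of auto-link detection (assumptions, not a real client's logic).
SCHEME_LINKIFIER = re.compile(r"\bhttps?://\S+", re.I)
DOMAIN_LINKIFIER = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def defang_scheme(url):
    """http -> hxxp, https -> hxxps; the rest of the URL is untouched."""
    return re.sub(r"^http", "hxxp", url, count=1, flags=re.I)

def defang_tld(url):
    """Insert a space before the dot that precedes the host's TLD."""
    return re.sub(r"^([a-z]+://[^/:?#\s]+)\.([a-z0-9-]+)(?=[:/?#]|$)",
                  r"\1 .\2", url, count=1, flags=re.I)

def linked_text(text):
    """What each modelled linkifier would turn into a link (None = nothing)."""
    out = {}
    for name, rx in (("scheme", SCHEME_LINKIFIER), ("domain", DOMAIN_LINKIFIER)):
        m = rx.search(text)
        out[name] = m.group(0) if m else None
    return out

SAMPLE = "http://example.com/abc123"  # constructed sample URL

def compare(url=SAMPLE):
    """Run every defang variant through both linkifier models."""
    variants = {
        "original": url,
        "hxxp only": defang_scheme(url),
        "space before TLD only": defang_tld(url),
        "both": defang_tld(defang_scheme(url)),
    }
    return {label: (text, linked_text(text)) for label, text in variants.items()}

if __name__ == "__main__":
    for label, (text, hits) in compare().items():
        print(f"{label:22} {text!r:32} {hits}")
```

Under these models the scheme swap alone leaves a clickable bare-domain match, the space alone leaves a truncated `http://example` match, and only the combination matches neither.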