From be0ef562eb71c93ae99e3fb6c04b7cce96af5761 Mon Sep 17 00:00:00 2001 From: Thomas Espach Date: Tue, 31 Oct 2023 16:19:46 +0000 Subject: [PATCH 1/7] Add simpler test case for address bar spoofing. Rewrites current document without requiring navigation first. Also uses filtered ports, see: https://app.asana.com/0/1177771139624306/1205376531515103/f --- security/spoof-js-page-rewrite-simple.html | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 security/spoof-js-page-rewrite-simple.html diff --git a/security/spoof-js-page-rewrite-simple.html b/security/spoof-js-page-rewrite-simple.html new file mode 100644 index 0000000..6308cfd --- /dev/null +++ b/security/spoof-js-page-rewrite-simple.html @@ -0,0 +1,24 @@ + + + + + + + URL Spoofing - Simple JS page rewrite + + + + +

[Home]

+ + This test will try to confuse the browser to show the wrong domain in the URL bar by rewriting the current page content and loading a URL that will timeout. + + + + + \ No newline at end of file From ec90cbc2f9502e40aa208de952825fddc015f0f1 Mon Sep 17 00:00:00 2001 From: Thomas Espach Date: Tue, 31 Oct 2023 16:49:01 +0000 Subject: [PATCH 2/7] Update formatting. --- security/spoof-js-page-rewrite-simple.html | 26 ++++++++++++---------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/security/spoof-js-page-rewrite-simple.html b/security/spoof-js-page-rewrite-simple.html index 6308cfd..8833802 100644 --- a/security/spoof-js-page-rewrite-simple.html +++ b/security/spoof-js-page-rewrite-simple.html @@ -2,23 +2,25 @@ - - - URL Spoofing - Simple JS page rewrite - + + + URL Spoofing - Simple JS page rewrite + -

[Home]

+

[Home]

- This test will try to confuse the browser to show the wrong domain in the URL bar by rewriting the current page content and loading a URL that will timeout. + This test will try to confuse the browser to show the wrong domain in the URL bar by rewriting the current page + content and loading a URL that will timeout. - + \ No newline at end of file From ed3318e20551cbc50797da05716279b07fe57363 Mon Sep 17 00:00:00 2001 From: Thomas Espach Date: Tue, 31 Oct 2023 16:59:04 +0000 Subject: [PATCH 3/7] Add two more address bar spoofing tests and create directory for related test cases. --- .../spoof-application-scheme.html | 26 +++++++++++++++++++ .../spoof-js-download-url.html | 26 +++++++++++++++++++ .../spoof-js-page-rewrite-simple.html | 0 3 files changed, 52 insertions(+) create mode 100644 security/address-bar-spoofing/spoof-application-scheme.html create mode 100644 security/address-bar-spoofing/spoof-js-download-url.html rename security/{ => address-bar-spoofing}/spoof-js-page-rewrite-simple.html (100%) diff --git a/security/address-bar-spoofing/spoof-application-scheme.html b/security/address-bar-spoofing/spoof-application-scheme.html new file mode 100644 index 0000000..cafbdf0 --- /dev/null +++ b/security/address-bar-spoofing/spoof-application-scheme.html @@ -0,0 +1,26 @@ + + + + + + + URL Spoofing - Unsupported Application Scheme + + + + +

[Home]

+ This test uses an unsupported application scheme and a href target to trick the browser into displaying the href + target as the current address bar value, while actually navigating to an attacker controlled page. + +

Start

+
+ + + \ No newline at end of file diff --git a/security/address-bar-spoofing/spoof-js-download-url.html b/security/address-bar-spoofing/spoof-js-download-url.html new file mode 100644 index 0000000..6b85073 --- /dev/null +++ b/security/address-bar-spoofing/spoof-js-download-url.html @@ -0,0 +1,26 @@ + + + + + + + URL Spoofing - Download URL + + + + +

[Home]

+ This test uses a Google hosted download URL for downloading a file to spoof the browser into displaying the download + URL as the current origin while rewriting the document content to spoof the address bar. + + + + \ No newline at end of file diff --git a/security/spoof-js-page-rewrite-simple.html b/security/address-bar-spoofing/spoof-js-page-rewrite-simple.html similarity index 100% rename from security/spoof-js-page-rewrite-simple.html rename to security/address-bar-spoofing/spoof-js-page-rewrite-simple.html From 2eb32a7c8bc7874df8a48de0b075dc3e842f9077 Mon Sep 17 00:00:00 2001 From: Thomas Espach Date: Tue, 31 Oct 2023 17:16:03 +0000 Subject: [PATCH 4/7] Add basic auth test cases for address bar spoofing. --- .../spoof-basicauth-2028.html | 23 ++++++++++++++++++ .../spoof-basicauth-2029.html | 23 ++++++++++++++++++ .../spoof-basicauth-whitespace.html | 24 +++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 security/address-bar-spoofing/spoof-basicauth-2028.html create mode 100644 security/address-bar-spoofing/spoof-basicauth-2029.html create mode 100644 security/address-bar-spoofing/spoof-basicauth-whitespace.html diff --git a/security/address-bar-spoofing/spoof-basicauth-2028.html b/security/address-bar-spoofing/spoof-basicauth-2028.html new file mode 100644 index 0000000..97ffecc --- /dev/null +++ b/security/address-bar-spoofing/spoof-basicauth-2028.html @@ -0,0 +1,23 @@ + + + + + + + URL Spoofing - Basic Auth Whitespace (2028) + + + + +

[Home]

+ This test uses a unicode whitespace character (\u2028) inside the username field of the basicauth portion + of the URL to perform an address bar spoofing attack. + + + + \ No newline at end of file diff --git a/security/address-bar-spoofing/spoof-basicauth-2029.html b/security/address-bar-spoofing/spoof-basicauth-2029.html new file mode 100644 index 0000000..8723c7b --- /dev/null +++ b/security/address-bar-spoofing/spoof-basicauth-2029.html @@ -0,0 +1,23 @@ + + + + + + + URL Spoofing - Basic Auth Whitespace (2029) + + + + +

[Home]

+ This test uses a unicode whitespace character (\u2029) inside the username field of the basicauth portion + of the URL to perform an address bar spoofing attack. + + + + \ No newline at end of file diff --git a/security/address-bar-spoofing/spoof-basicauth-whitespace.html b/security/address-bar-spoofing/spoof-basicauth-whitespace.html new file mode 100644 index 0000000..fdb5300 --- /dev/null +++ b/security/address-bar-spoofing/spoof-basicauth-whitespace.html @@ -0,0 +1,24 @@ + + + + + + + URL Spoofing - Basic Auth Whitespace Repeated + + + + +

[Home]

+ This test uses 300 repeated unicode whitespace characters inside the username field of the basicauth portion + of the URL to perform an address bar spoofing attack. + + + + \ No newline at end of file From ff3032d431dc0c2caec2e4d3720135b841fa4980 Mon Sep 17 00:00:00 2001 From: Thomas Espach Date: Tue, 31 Oct 2023 17:54:37 +0000 Subject: [PATCH 5/7] Add test cases for about:blank rewrites, form action attack, base64 encoded document loads and unsupported schemes. --- .../spoof-about-blank-rewrite.html | 28 +++++++++++++++++ .../spoof-form-action.html | 25 +++++++++++++++ .../spoof-open-b64-html.html | 31 +++++++++++++++++++ .../spoof-unsupported-scheme.html | 24 ++++++++++++++ 4 files changed, 108 insertions(+) create mode 100644 security/address-bar-spoofing/spoof-about-blank-rewrite.html create mode 100644 security/address-bar-spoofing/spoof-form-action.html create mode 100644 security/address-bar-spoofing/spoof-open-b64-html.html create mode 100644 security/address-bar-spoofing/spoof-unsupported-scheme.html diff --git a/security/address-bar-spoofing/spoof-about-blank-rewrite.html b/security/address-bar-spoofing/spoof-about-blank-rewrite.html new file mode 100644 index 0000000..02acc4f --- /dev/null +++ b/security/address-bar-spoofing/spoof-about-blank-rewrite.html @@ -0,0 +1,28 @@ + + + + + + + + + + +

[Home]

+ This test will try to confuse the browser to show the wrong domain in the URL bar by opening an about:blank page, + rewriting the content, starting a navigation elsewhere and quickly stopping the + navigation using window.stop(). + + + + \ No newline at end of file diff --git a/security/address-bar-spoofing/spoof-form-action.html b/security/address-bar-spoofing/spoof-form-action.html new file mode 100644 index 0000000..57a9eea --- /dev/null +++ b/security/address-bar-spoofing/spoof-form-action.html @@ -0,0 +1,25 @@ + + + + + + + + URL Spoofing - Redirect Form Action + + + + +

[Home]

+ This test uses a form action on a redirect URL to trick the browser into displaying the + redirect URL as the current address bar value, while trying to remain on the current page. +
+
+ + + \ No newline at end of file diff --git a/security/address-bar-spoofing/spoof-open-b64-html.html b/security/address-bar-spoofing/spoof-open-b64-html.html new file mode 100644 index 0000000..7dc35c5 --- /dev/null +++ b/security/address-bar-spoofing/spoof-open-b64-html.html @@ -0,0 +1,31 @@ + + + + + + + URL Spoofing - Base64 Document Load + + + + +

[Home]

+ + This test will try to confuse the browser to show the wrong domain in the URL bar by loading a static Base64 + encoded document, rewriting the current page, and then navigating to a tel: URL. + + + + + \ No newline at end of file diff --git a/security/address-bar-spoofing/spoof-unsupported-scheme.html b/security/address-bar-spoofing/spoof-unsupported-scheme.html new file mode 100644 index 0000000..197612a --- /dev/null +++ b/security/address-bar-spoofing/spoof-unsupported-scheme.html @@ -0,0 +1,24 @@ + + + + + + + URL Spoofing - Simple Location + + + + +

[Home]

+ + This is the most simple test for URL spoofing. Simply rewrite the current location using an unsupported scheme. + + + + + \ No newline at end of file From afe442f2275f706aea291fe7d54ebcd847c955ce Mon Sep 17 00:00:00 2001 From: Thomas Espach Date: Mon, 6 Nov 2023 15:59:24 +0000 Subject: [PATCH 6/7] * Add links for visibility * Add title and run buttons where missing * Update download URL from Google to something we own --- index.html | 2 +- security/address-bar-spoofing/index.html | 22 +++++++++++++++++++ .../spoof-about-blank-rewrite.html | 1 + .../spoof-form-action.html | 1 + .../spoof-js-download-url.html | 6 ++--- 5 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 security/address-bar-spoofing/index.html diff --git a/index.html b/index.html index 92046bf..06e0c17 100644 --- a/index.html +++ b/index.html @@ -53,8 +53,8 @@

Browser Features

Security

    +
  • Address Bar Spoofing
  • Infinite location.reload() loop
  • -
  • URL Spoofing - JS page rewrite
  • Leak of extension IDs via CSP
  • Detect changes to JS objects in global scope
  • An example phishing page
  • diff --git a/security/address-bar-spoofing/index.html b/security/address-bar-spoofing/index.html new file mode 100644 index 0000000..5ca444a --- /dev/null +++ b/security/address-bar-spoofing/index.html @@ -0,0 +1,22 @@ + + + + + Test Pages - Address Bar Spoofing + + +

    Address Bar Spoofing Pages

    + + + diff --git a/security/address-bar-spoofing/spoof-about-blank-rewrite.html b/security/address-bar-spoofing/spoof-about-blank-rewrite.html index 02acc4f..cc62846 100644 --- a/security/address-bar-spoofing/spoof-about-blank-rewrite.html +++ b/security/address-bar-spoofing/spoof-about-blank-rewrite.html @@ -4,6 +4,7 @@ + About:Blank Rewrite Spoof

    [Home]

    - This test uses a Google hosted download URL for downloading a file to spoof the browser into displaying the download + This test uses a download URL for downloading a file to spoof the browser into displaying the download URL as the current origin while rewriting the document content to spoof the address bar. From ce215fc9bb1b47467b19d22f4add75164944ee6e Mon Sep 17 00:00:00 2001 From: Thomas Espach Date: Tue, 7 Nov 2023 17:36:58 +0000 Subject: [PATCH 7/7] Delete spoof-js-page-rewrite.html --- security/spoof-js-page-rewrite.html | 35 ----------------------------- 1 file changed, 35 deletions(-) delete mode 100644 security/spoof-js-page-rewrite.html diff --git a/security/spoof-js-page-rewrite.html b/security/spoof-js-page-rewrite.html deleted file mode 100644 index bad250d..0000000 --- a/security/spoof-js-page-rewrite.html +++ /dev/null @@ -1,35 +0,0 @@ - - - - - - URL Spoofing - JS page rewrite - - - - -

    [Home]

    - - This test will try to confuse the browser to show wrong domain in the URL bar. - - - - -
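Review bot: In PATCH 1/7 the commit message explains the filtered-port choice only through an app.asana.com link, which a reader without access to that workspace cannot follow, so the reason should be summarised in the message itself. In the description text of spoof-js-page-rewrite-simple.html, "a URL that will timeout" should read "a URL that will time out". The new file also ends with "\ No newline at end of file", as do the files added in 3/7, 4/7 and 5/7; add the trailing newline so later edits to the last line do not show up as two-line changes.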
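Review bot: In PATCH 3/7, spoof-js-download-url.html is described as relying on "a Google hosted download URL", a third-party dependency that 6/7 then replaces with "something we own"; squash that change into this patch so the series never contains a test that depends on an external host. The description is also circular ("to spoof the browser into displaying the download URL as the current origin while rewriting the document content to spoof the address bar"); state once what the address bar is expected to show and what content is actually rendered.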
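Review bot: In PATCH 4/7, the description in spoof-basicauth-whitespace.html says "300 repeated unicode whitespace characters" without naming the code point, while the 2028 and 2029 pages do name theirs; state which character is repeated so a failing result can be tied to a specific input. For the other two pages, consider naming the characters precisely: U+2028 is LINE SEPARATOR and U+2029 is PARAGRAPH SEPARATOR, which matters when triaging how a URL bar renders them compared with ordinary spaces.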
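Review bot: In PATCH 5/7, spoof-about-blank-rewrite.html is added with no title text, unlike the other new pages, and 6/7 later adds "About:Blank Rewrite Spoof", which does not follow the "URL Spoofing - ..." pattern used everywhere else; add the title here with the same prefix. The title of spoof-unsupported-scheme.html is "URL Spoofing - Simple Location", which does not match the file name and is easy to confuse with spoof-application-scheme.html from 3/7 ("Unsupported Application Scheme"); align title and file name. In the same page, "the most simple test" should be "the simplest test".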
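Review bot: In PATCH 7/7 the commit message "Delete spoof-js-page-rewrite.html" gives no reason for the removal. The index.html hunk in 6/7 already drops the "URL Spoofing - JS page rewrite" link and 1/7 introduces the "simpler test case", so say explicitly that the simple page replaces this one, or fold the deletion into 6/7 so the link removal and the file removal land together.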