Hack Like Pro

Web Browser Address Bar Spoofing

According to Google, the address bar is the most important security indicator.

The Google security team stated that the address bar is the most important security indicator in modern browsers. This part of the browser supplies both the true identity of the website and verification that you are on the right website.

Eric Lawrence, the author of Fiddler, an HTTP debugging proxy, has written about this feature on his personal blog. In his article, he explained why web developers cannot interfere with anything above the webpage window, a boundary sometimes referred to as the Line of Death, and what problems might occur from this lack of involvement. Despite his efforts to raise awareness, two address bar spoofing incidents took place the same year the blog post was published.

Homograph Vulnerability

One of the address bar spoofing incidents was the Homograph vulnerability that took place in April 2017. Using the Internationalized Domain Name (IDN) feature, which allows domain names to be written in non-ASCII characters, attackers imitate legitimate domains using look-alike characters from various alphabets to trick users. This attack is called a Homograph attack.

For example, the xn--80ak6aa92e.com address would show as “аррӏе.com” due to the IDN, which is virtually indistinguishable from “аpple.com,” even though these are totally different letters that just happen to look the same. Don’t believe us?

  • Copy this а here
  • Paste it into your browser bar, and press Return
  • Did you receive search results for the letter ‘a’ of the Latin alphabet or the Cyrillic script?

However, browser developers took precautions by releasing security patches that prevented this confusing behavior shortly after the discovery of the vulnerability. One tactic was to convert an IDN address into the ASCII format in the address bar, which managed to prevent malicious activity.
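
As an added illustration (not code from the original article or from any browser vendor), the JavaScript below decodes `xn--` labels with an RFC 3492 Punycode decoder and reports which scripts each label uses, so the displayed form of a hostname can be compared with its ASCII form. The function names and the flagging rule (mixed scripts, or a non-Latin label under an ASCII TLD) are assumptions of this example and are much coarser than a browser's real IDN display policy.

```javascript
// Added example: RFC 3492 Punycode decoding (adapt() is its bias adaptation) plus a script check.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const DIGITS = 'abcdefghijklmnopqrstuvwxyz0123456789'; // a-z => 0..25, 0-9 => 26..35
const SCRIPTS = { Latin: /\p{Script=Latin}/u, Cyrillic: /\p{Script=Cyrillic}/u, Greek: /\p{Script=Greek}/u };
function adapt(delta, numPoints, first) {
  delta = Math.floor(delta / (first ? DAMP : 2));
  delta += Math.floor(delta / numPoints);
  let k = 0;
  for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE) delta = Math.floor(delta / (BASE - TMIN));
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}
// Decode the part of a label that follows the "xn--" prefix.
function punycodeDecode(input) {
  const cut = Math.max(input.lastIndexOf('-'), 0); // basic code points precede the last '-'
  const out = Array.from(input.slice(0, cut), c => c.codePointAt(0));
  let n = 128, i = 0, bias = 72, pos = cut > 0 ? cut + 1 : 0;
  while (pos < input.length) {
    const oldi = i;
    for (let w = 1, k = BASE; ; k += BASE) {
      const digit = pos < input.length ? DIGITS.indexOf(input[pos++].toLowerCase()) : -1;
      if (digit < 0) throw new RangeError('invalid or truncated Punycode');
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, out.length + 1, oldi === 0);
    n += Math.floor(i / (out.length + 1));
    i %= out.length + 1;
    out.splice(i++, 0, n); // insert code point n at position i
  }
  return String.fromCodePoint(...out);
}
// Scripts used by the letters of a label; digits and hyphens are script-neutral.
function scriptsOf(label) {
  const letters = [...label.replace(/[0-9-]/g, '')];
  return [...new Set(letters.map(ch => Object.keys(SCRIPTS).find(s => SCRIPTS[s].test(ch)) || 'Other'))];
}
// Flagging rule is an assumption of this example, not any browser's display policy.
function inspectHost(host) {
  const labels = host.toLowerCase().split('.');
  const asciiTld = /^[a-z]+$/.test(labels[labels.length - 1]);
  return labels.map(label => {
    const display = label.startsWith('xn--') ? punycodeDecode(label.slice(4)) : label;
    const scripts = scriptsOf(display);
    const suspicious = scripts.length > 1 || (asciiTld && scripts.some(s => s !== 'Latin'));
    return { label, display, scripts, suspicious };
  });
}
```

For the article's example, `inspectHost('xn--80ak6aa92e.com')` reports the first label as all-Cyrillic and flags it, while a plain `apple.com` passes unflagged.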

Address Bar Spoofing in Microsoft Edge and Safari

The second address bar spoofing incident was discovered by Pakistani researcher Rafay Baloch, who presents his browser security research at various conferences, such as Black Hat. The address spoofing technique he found affected the Microsoft Edge and Safari browsers.

  • While a website redirected its visitor to another website with a closed port, the attacker could intervene and change the content of the current web page however they liked.
  • Since the URL bar already showed the address of the domain with the closed port, users were led to believe that they were browsing a legitimate site instead of an attacker-controlled one and were persuaded to enter their credentials.
  • In his proof-of-concept, before redirecting the user to the website with the closed port, Baloch decoded the Base64-encoded version of the Gmail login page and then added it to the DOM. As a result, the address in the URL bar (http://gmail.com:8080) and the phishing page together looked very convincing. Baloch managed to keep the spoofed address stable by using the setInterval() function, which tried to redirect the user every 100 seconds.

The Code Used to Spoof the Web Browser Address Bar

Baloch used the following code for the aforementioned exploit:

<script>
function spoof()
{
    var gmail = 'PCFET0NC8+KArOK.........ZHk+PC9odG1sPg=='; // The base64 encoded version of the Gmail page
    // Replace the current page content with the decoded login page
    x=document.body.innerHTML=atob(gmail);
    document.write("<title>Gmail</title>");
    document.write("x");
    // Navigate to the closed port so the address bar shows the target host
    window.location.assign("https://www.Gmail.com:8080");
}
setInterval(spoof(),100000);
</script>

The proof-of-concept above was the one that worked on the Microsoft Edge browser. The latest security update for Microsoft Edge fixed the vulnerability. Baloch announced in a tweet that Apple also fixed the vulnerability with the release of Safari 12. You can read more about his research in the blog post “Apple Safari and Microsoft Edge Browser Address Bar Spoofing – Writeup.”

Conclusion

The address bar is the main component used by web browsers to navigate the Internet. Users type in the address of the website they wish to visit. Security-conscious users may watch how the address they entered changes as the page loads. Attackers are aware of this and, therefore, invent clever ways to deceive the user, such as the Homograph attack and the vulnerabilities found by Rafay Baloch. Keeping all software, especially web browsers, up to date is crucial to help prevent similar attacks.

Lovepreet Singh