Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Apple Safari & Microsoft Edge Browser Address Bar Spoofing - Writeup


Introduction

Google's security team itself states that "We recognize that the address bar is the only reliable security indicator in modern browsers". If the only reliable security indicator can be controlled by an attacker, the effects can be severe: for instance, users could be tricked into supplying sensitive information to a malicious website, because the address bar points to the legitimate site and leads them to believe that is the site they are visiting.

In my paper "Bypassing Browser Security Policies For Fun And Profit" I uncovered various address bar spoofing techniques as well as other bugs affecting modern browsers. In this blog post I will discuss yet another "Address Bar Spoofing" vulnerability, this one affecting the Safari and Edge browsers.

Technical Details

During my testing, I observed that both Edge and Safari allowed JavaScript to update the address bar while the page was still loading. When the page requested a resource from a non-existent port, the address bar kept the requested URL; this race condition over the resource requested from the non-existent port, combined with the delay induced by the setInterval function, was enough to trigger address bar spoofing. The browser preserves the address bar while the content is loaded from the spoofed page. The browser will eventually load (or fail to load) the resource, but the delay induced by setInterval is long enough to trigger the spoofing.
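To make the race concrete, here is a small model added for this write-up (it is not code from either browser or from the PoC pages): it tracks a tab's address bar and its live document separately and checks, at every setInterval tick, the invariant that both share an origin. The host names and the closed port are constructed placeholders.

```javascript
// Toy model of a browser tab's navigation state, added to this write-up to
// illustrate the bug class (an early address-bar update during a pending
// navigation). It is not Edge's or Safari's code and not the PoC page.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;   // scheme + host + port
}

class TabModel {
  // policy "on-start": show the target URL as soon as navigation starts (flawed).
  // policy "on-commit": keep the old URL until the new document commits (safe).
  constructor(initialUrl, policy) {
    this.policy = policy;
    this.addressBar = initialUrl;  // what the user sees
    this.contentUrl = initialUrl;  // document whose content and timers are live
    this.pending = null;           // navigation started but not yet committed
  }

  startNavigation(target) {
    this.pending = target;
    if (this.policy === "on-start") this.addressBar = target;
  }

  // The response arrived (or the request failed): the new document replaces the old one.
  commit() {
    if (this.pending === null) return;
    this.addressBar = this.contentUrl = this.pending;
    this.pending = null;
  }

  // Invariant a browser must hold at every paint: the origin in the address
  // bar is the origin of the document whose content is on screen.
  isSpoofed() {
    return originOf(this.addressBar) !== originOf(this.contentUrl);
  }
}

// Replays the race from the text with constructed URLs: the live document
// navigates to a host name on a port nothing listens on, so the navigation
// stays pending while the old document's setInterval callbacks keep running.
function simulateClosedPortRace(policy, ticks = 3) {
  const tab = new TabModel("https://attacker.example/page.html", policy);
  tab.startNavigation("https://bank.example:8080/");   // constructed target
  let spoofedTicks = 0;
  for (let i = 0; i < ticks; i++) if (tab.isSpoofed()) spoofedTicks++;
  tab.commit();   // the request finally fails or completes; state converges
  return { spoofedTicks, consistentAfterCommit: !tab.isSpoofed() };
}
```

Under the "on-start" policy every tick in the window shows a bank origin over attacker content; under "on-commit" the address bar never disagrees with the live document.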

Edge Browser Address Bar Spoofing (CVE-2018-8383)


Proof of Concept

Version: Edge Browser 42.17134.1.0




Steps to Reproduce


1) Visit the following link for the vulnerable browser - http://sh3ifu.com/bt/Edge-Spoof.html

2) You will notice that the URL is pointing to https://www.gmail.com:8080/, however the content is hosted on sh3ifu.com

Disclosure Timelines

June 2 - Vulnerability was reported to Apple and was given a 90-day deadline.
Aug 11 - Reminder about the 90-day deadline
Aug 14 - Microsoft released fix on August Patch Tuesday.
Sep 10 - Writeup was released.

Safari Address Bar Spoofing (CVE-2018-4307)

Version: iOS 11.3.1

Proof of Concept



The Safari browser had one constraint that did not allow users to type information into input boxes while the page was in the loading state. However, we were able to circumvent this restriction by injecting a fake keyboard (which happens to be a very common practice on banking websites).

Following are the steps to reproduce it:

Steps to Reproduce

1) Visit the following link for the vulnerable browser - https://sh3ifu.com/bt/safari

2) You will notice that the URL is pointing to https://xyzbank.com:8000//, however the content is hosted on sh3ifu.com

3) Use the virtual keyboard to enter data into the form.

Fix

This issue has been addressed in the latest version of the Edge browser and will be fixed in an upcoming Apple Safari update.

Disclosure Timelines

June 2 - Vulnerability was reported to Apple and was given a 90-day deadline.
Aug 14 - Reminder about the 90-day deadline
Aug 31 - End of the 90-day deadline
Sep 10 - Writeup was released.

Credits

I am highly indebted to "File Descriptor" from Cure53, "Jun Kokatsu" from the Microsoft team, "Tod Beardsley" from Rapid7 and "Hammad Shamsi" for their assistance.
