

Introduction

Google's security team themselves state that "We recognize that the address bar is the only reliable security indicator in modern browsers". If the only reliable security indicator can be controlled by an attacker, the consequences can be serious: for instance, users could be tricked into supplying sensitive information to a malicious website, because an address bar that points at the correct domain leads them to believe they are visiting the legitimate website.



In my paper "Bypassing Browser Security Policies For Fun And Profit" I uncovered various address bar spoofing techniques as well as other bugs affecting modern browsers. In this blog post I discuss yet another "Address Bar Spoofing" vulnerability, this time affecting the Safari and Edge browsers.

Technical Details

During my testing, it was observed that both the Edge and Safari browsers allowed JavaScript to update the address bar while the page was still loading. When data was requested from a non-existent port, the address shown in the bar was preserved. This race condition over a resource requested from a non-existent port, combined with the delay induced by the setInterval function, was enough to trigger address bar spoofing: the browser preserves the address in the bar while loading the content from the spoofed page. The browser will eventually load the resource, but the delay obtained with setInterval is sufficient for the address bar spoofing to take effect.
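The behaviour described above comes down to which URL the address bar is allowed to display while a navigation is still outstanding. The following is an added illustrative model, not code from the original post and not the implementation of Edge, Safari or any other browser. It contrasts a naive controller, which shows whatever URL was last requested, with a hardened controller that only ever shows the URL of the committed document unless the pending navigation was initiated by the user; the split into "pending" and "committed" URLs and the user-initiated exception are design assumptions of this model, and all origins and ports are constructed placeholders.

```javascript
// Added illustrative model (not Edge, Safari, or the original post's code).
// All URLs are constructed placeholders; the port is assumed to never answer.
const ATTACKER_ORIGIN = 'https://attacker.example/';
const TARGET_URL = 'https://bank.example:8080/';

// Naive controller: the bar shows whatever navigation was requested last,
// regardless of which document is actually painted on screen.
class NaiveAddressBar {
  constructor(url) { this.shown = url; }
  startNavigation(url) { this.shown = url; }
  oldDocumentModifiedContent() { /* no reaction */ }
  commit(url) { this.shown = url; }
  fail() { /* keeps whatever was shown */ }
  displayedUrl() { return this.shown; }
}

// Hardened controller (assumed design): the bar reflects the committed
// document. A pending URL is only shown when the user started the navigation
// themselves, and that right is withdrawn as soon as a script on the still
// visible old document changes what the user is looking at.
class CommittedAddressBar {
  constructor(url) {
    this.committed = url;            // URL of the document currently displayed
    this.pending = null;             // navigation requested but not yet answered
    this.pendingUserInitiated = false;
  }
  startNavigation(url, { userInitiated = false } = {}) {
    this.pending = url;
    this.pendingUserInitiated = userInitiated;
  }
  oldDocumentModifiedContent() {
    // The old document rewrote itself while the request is outstanding:
    // whatever is on screen now must be labelled with the committed URL.
    this.pendingUserInitiated = false;
  }
  commit(url) { this.committed = url; this.pending = null; this.pendingUserInitiated = false; }
  fail() { this.pending = null; this.pendingUserInitiated = false; }
  displayedUrl() {
    return this.pending !== null && this.pendingUserInitiated ? this.pending : this.committed;
  }
}

// Replays the sequence the post describes against a controller: a script on
// the attacker's page starts a navigation to a port that never answers, then a
// timer callback rewrites the visible page while the request is outstanding.
// Returns the URL the bar shows after the rewrite.
function replaySpoofSequence(bar) {
  bar.startNavigation(TARGET_URL, { userInitiated: false }); // script-initiated
  bar.oldDocumentModifiedContent();                          // timer rewrote the page
  return bar.displayedUrl();
}

function naiveResult() { return replaySpoofSequence(new NaiveAddressBar(ATTACKER_ORIGIN)); }
function hardenedResult() { return replaySpoofSequence(new CommittedAddressBar(ATTACKER_ORIGIN)); }

// A navigation the user typed may be shown while pending, and the bar falls
// back to the committed document when the connection fails.
function userTypedResult() {
  const bar = new CommittedAddressBar(ATTACKER_ORIGIN);
  bar.startNavigation(TARGET_URL, { userInitiated: true });
  const whilePending = bar.displayedUrl();
  bar.fail(); // connection refused: the old document stays on screen
  return [whilePending, bar.displayedUrl()];
}

console.log('naive:', naiveResult(), 'hardened:', hardenedResult(), 'typed:', userTypedResult());
```

In the naive model the bar ends up showing the bank's URL above attacker-controlled content, which is the spoof; in the hardened model it keeps showing the attacker's origin because the document that was rewritten is the one that was committed. The check that matters for a regression test is the one in `replaySpoofSequence`: a script-initiated navigation that has not committed must never change what the user sees in the bar.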



Edge Browser Address Bar Spoofing (CVE-2018-8383)

Proof of Concept

Version: Edge Browser 42.17134.1.0

Steps to Reproduce

- Visit the following link for the vulnerable browser -
- You will notice that the URL is pointing to , however the content is hosted on

Disclosure Timelines

- Vulnerability was reported to Apple and was given a 90 days deadline.
- Reminder about the 90 days deadline
- Microsoft released the fix on August Patch Tuesday.
- Writeup was released.

Safari Address Bar Spoofing (CVE-2018-4307)

Version: iOS 11.3.1

Proof of Concept

Safari had one constraint which did not allow users to type information into the input boxes while the page was in the loading state. However, we were able to circumvent this restriction by injecting a fake keyboard (which happens to be a very common practice on banking websites).

Steps to Reproduce

Following are the steps to reproduce it:

- Visit the following link for the vulnerable browser - https://sh3ifu.com/bt/safari
- You will notice that the URL is pointing to , however the content is hosted on sh3ifu.com
- Use the virtual keyboard for entering the data into the form.

Fix

This issue has been addressed in the latest versions of the Edge browser and will be fixed in an upcoming Apple Safari update.

Disclosure Timelines

- Vulnerability was reported to Apple and was given a 90 days deadline.
- Reminder about the 90 days deadline
- End of the 90 days deadline
- Writeup was released.

Credits

I am highly indebted to "" from Cure53, "" from the Microsoft team, "" from Rapid7 and "" for their assistance.