Security: Spoofing any IP address in the Browser Address Bar and link (hyperlink) - PC & Mobile
Reported by whitepen...@gmail.com, Dec 4 2016
Issue description

Spoofing any IP address in the Browser Address Bar and link (hyperlink) by using Arabic Letters in Domain Name and Extension

1. VULNERABILITY DETAILS:

I found a vulnerability that allows spoofing any IP address in the Browser Address Bar and link (hyperlink). An attacker using this vulnerability can register a domain name and create a fake login panel for the router on this domain.

2. PROOF OF CONCEPT:

Step by step:

a) The attacker registers a domain with Arabic Letters (and Arabic Domain Extension, ex. شبكة)
b) Next, the attacker needs to use a "Punycode Converter" to convert the domain name into "Punycode"
c) Next, the attacker needs to create a link with this scheme:

<a href="http://xn--pgbr3deabc.xn--ngbc5azdabc/HERE_WE_NEED_TO_PUT_SPOOFED_IP/" target="_blank" rel="nofollow">IP Spoofing Link</a>

Example:

<a href="http://xn--pgbr3deabc.xn--ngbc5azdabc/127.0.0.1/" target="_blank" rel="nofollow">IP Spoofing Link</a>

Proof of Concept: Spoofing Link - Open in Browser - http://xn--pgbr3deabc.xn--ngbc5azdabc/127.0.0.1/ (this is not my domain, I only use it for example)

You can change the domain "xn--pgbr3deabc.xn--ngbc5azdabc" to any domain with Arabic Letters and Arabic Domain Extension.

3. VERSION:

a) PC
Chrome Version: 55.0.2883.75 m (64-bit) STABLE
Operating System: Microsoft Windows 7 SP1

b) Mobile
Chrome Version: 54.0.2840.85 m STABLE
Operating System: Android 6.0.1; E5823 Build/32.2.A.0.305
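A link filter for the pattern in the report above: a host whose labels decode to right-to-left letters, followed by a path segment that parses as an IPv4 address. This is an added example, not part of the original report or of Chromium's code; the function names and the constructed label "مثال" are assumptions.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

RTL_CLASSES = {"R", "AL"}  # Unicode bidi classes of right-to-left letters


def to_alabel(label):
    """Encode one Unicode label to its xn-- form (used to build the sample)."""
    return "xn--" + label.encode("punycode").decode("ascii")


def decode_label(label):
    """Unicode form of a DNS label; None if its xn-- payload is malformed."""
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return None


def ipv4_segments(path):
    """Path segments that parse as dotted-quad IPv4 addresses."""
    found = []
    for segment in path.split("/"):
        try:
            ipaddress.IPv4Address(segment)
        except ValueError:
            continue
        found.append(segment)
    return found


def check_link(url):
    """Flag an RTL-script (or undecodable xn--) host followed by an IP-like path."""
    parts = urlsplit(url)
    labels = [decode_label(l) for l in (parts.hostname or "").split(".")]
    rtl = any(l and any(unicodedata.bidirectional(c) in RTL_CLASSES for c in l)
              for l in labels)
    bad = any(l is None for l in labels)
    ips = ipv4_segments(parts.path)
    return {"rtl_host": rtl, "malformed_label": bad, "ip_in_path": ips,
            "suspicious": (rtl or bad) and bool(ips)}


# Constructed sample: the label "مثال" is an assumption; "شبكة" is the page's extension.
SAMPLE = "http://{}.{}/127.0.0.1/".format(to_alabel("مثال"), to_alabel("شبكة"))

if __name__ == "__main__":
    print(SAMPLE, check_link(SAMPLE))
```

A mail gateway or link-preview service could run `check_link` on each href and display the decoded host separately from the path when `suspicious` is true.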
Dec 5 2016
Ok, I understood. Can I write and publish an article describing this vulnerability with an example PoC?

Best Regards,
Artur
Feb 15 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Dec 5 2016
Status: Duplicate (was: Unconfirmed)