Bug Bounty Tips : URL Spoofing via history.replaceState()

URL Spoofing via history.replaceState()

1 min read

history.replaceState() adalah API JavaScript yang memungkinkan developer mengganti URL di address bar tanpa me-reload halaman. Ini sering digunakan untuk navigasi dinamis di SPA, tapi bisa disalahgunakan untuk URL spoofing.

jika kamu menjalankan script tersebut di browser yang rentan, maka address bar hanya akan menampilkan https://accounts.google.com, padahal sebenarnya URL aslinya adalah https://attacker.com/?..................................https://accounts.google.com.

Trik seperti ini bisa banget diterima di platform bug bounty, lho! Asalkan dampaknya jelas dan bisa menyesatkan pengguna secara visual.

Contoh :

Subscribe to my newsletter

Read articles from zeeagil directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

zeeagil

Hi, I’m a bug bounty hunter and cybersecurity enthusiast who began my journey in 2023. I enjoy exploring and discovering hidden vulnerabilities in browsers, applications, and various platforms—especially those that are rarely examined by others. My focus is on browser and website security issues. I also share my findings and educational content through my YouTube channel, Lazy Cyber Security.