Simple URL spoof in address bar

zeeagilzeeagil
1 min read

Saya menemukan sebuah bug yang sangat sederhana dan mudah direproduksi. Cukup dengan membuka situs milik attacker, lalu dari situ membuka google.com, kemudian coba klik tombol "Back" (navigasi kembali). Jika setelah klik back, URL di address bar tetap menunjukkan google.com, namun konten yang ditampilkan berasal dari situs attacker, maka ini bisa dikategorikan sebagai kerentanan spoofing yang valid.

Contoh skenario eksploitasi:

  1. Korban mengunjungi situs attacker.

  2. Situs attacker membuka https://www.google.com di tab yang sama (misalnya via location.href).

  3. Korban menekan tombol "Back".

  4. Halaman menampilkan konten dari attacker, tetapi address bar masih menampilkan google.com.

0
Subscribe to my newsletter

Read articles from zeeagil directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

zeeagil
zeeagil

Hi, I’m a bug bounty hunter and cybersecurity enthusiast who began my journey in 2023. I enjoy exploring and discovering hidden vulnerabilities in browsers, applications, and various platforms—especially those that are rarely examined by others. My focus is on browser and website security issues. I also share my findings and educational content through my YouTube channel, Lazy Cyber Security.