oss-sec mailing list archives
Re: Google Chrome Address Spoofing (Request For Comment)
From: 0pc0deFR <0pc0defr () gmail com>
Date: Tue, 30 Jun 2015 18:29:07 +0200
Works on Google Chrome on Ubuntu.

--
Regards,
Kévin FALCOZ aka 0pc0deFR - WordPress Expert Consultant - http://wordpress-expertise.fr

2015-06-30 16:04 GMT+02:00 Daniel Micay <danielmicay () gmail com>:

> On 30/06/15 09:52 AM, Florian Weimer wrote:
>> On 06/30/2015 03:45 PM, Daniel Micay wrote:
>>> It does display a window with the oracle.com address, but I don't understand why you've got an ever increasing number of setTimeout events built in here. It's also unclear what you mean about click-to-verify. Is this bypassing a warning prompt by breaking it with a flood of requests?
>>
>> I have not tried this, but here's some context: Most browsers have issues where they do not update the URL bar when content from a different is shown (i.e., the update happens too late), or they show the new URL while still displaying old content (update too late). I've seen such discrepancies with Firefox, but I don't know if it's still present in current versions.
>>
>> If such bugs are present, freezing browsers while they are showing inconsistent content (hence the DoS attempt) could lead the user to attribute content to the incorrect site.
>
> Ah, that makes sense. It seems to depend on a race condition so it makes sense that it can't always be replicated. I've tried it a few times and it fails about as often as it works. I have a feeling that the proof of concept was the whole issue report and it just happened to fail for whoever tested it.