

How can address bar spoofing vulnerabilities be prevented?

Address bar spoofing attacks can be detrimental to an organization. Expert Michael Cobb details several vulnerabilities and explains how to defend against the threat.

There has been news lately about address bar spoofing vulnerabilities in a couple of different Web browsers. What is the issue behind these vulnerabilities? What are the best ways to prevent my websites from being spoofed and my employees from falling victim to such attacks?

The JavaScript function setInterval is a method of the Window object that calls a specified function repeatedly, at a fixed interval given in milliseconds. Researchers at Deusen found that by using setInterval to reload a page roughly every 10 milliseconds, an attacker could make the address bar show the URL of the genuine site the user requested while the browser actually rendered the attacker's page. A proof of concept works in some instances, Safari on the iPad for example, so the technique could be used as part of a phishing attack. The JavaScript is very simple: it keeps reloading the attacker's page before the browser can finish fetching the page the user requested by clicking a link, so the user sees the attacker's content with the requested page's URL in the address bar. A user could easily believe they have reached the legitimate website when they are in fact looking at a site the attacker controls.

This is clearly a misuse of setInterval, and reloading a page every hundredth of a second causes most devices to lock up or the page to become unusable; the address field also flickers constantly, which is a tell-tale sign. A far more viable address bar spoofing vulnerability is present in the Android stock browser, which fails to handle an HTTP 204 No Content response correctly when it is combined with a window.open() call. A 204 status is not an error: it means the server processed the request successfully but is returning no content, so the browser has nothing new to render. A proof of concept shows the URL of a legitimate site in the address bar while the content displayed is hosted on a different domain. The Android security team has already released a patch, but it is up to each telecom carrier to distribute it.

A Web browser's address bar is one of the key indicators users have that they are on the site they requested. If attackers can control what it displays, phishing attacks are far more likely to succeed. As a website administrator, there is little you can do to stop attackers using address bar spoofing vulnerabilities to fool your users into divulging sensitive data, because the vulnerability lies in the user's browser, not in your site. These particular vulnerabilities are unlikely to pose a major threat, but they are a reminder that browser software should be kept up to date and that users should regularly attend security awareness sessions covering phishing techniques that play on the address bar. Common tricks include the use of subdomains (the trusted name placed at the front of a host that actually belongs to a domain the attacker controls), misspelled URLs (typosquatting) and homograph spoofing, in which a URL is built from visually identical characters taken from another alphabet (a Cyrillic letter in place of a Latin one, for example) so that it reads exactly like a trusted domain. Some phishing scams use JavaScript to place an image of a legitimate URL over the browser's address bar, and JavaScript can also change the URL revealed when a user hovers over an embedded link, so the destination previewed is not the one actually followed.
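
The URL-level tricks listed above can be screened mechanically before a user ever trusts what the address bar or a link preview shows. The following is an added example written for this article, not code from the original answer or from any browser vendor: a Node.js checker that flags an IDN (punycode) host that may be a homograph, a trusted name embedded as a subdomain of some other registrable domain, a near-miss typosquat, and link text that names a different site than its href. The TRUSTED_DOMAINS allow-list, the sample URLs (all under the reserved .example TLD) and the two-label approximation of a registrable domain are assumptions made for the example.

```javascript
// Added example (not code from the article or from the browser vendors it
// discusses): a small checker for the URL-level phishing tricks the text lists.
// Assumptions (not from the original page): TRUSTED_DOMAINS is a hypothetical
// allow-list, and the registrable domain is approximated as the last two host
// labels; a production version should consult the Public Suffix List instead.

const TRUSTED_DOMAINS = ["paypal.example", "bank.example"]; // hypothetical allow-list

// Levenshtein edit distance, used to catch one- and two-character typosquats.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(
        above + 1,                               // deletion
        row[j - 1] + 1,                          // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)   // substitution
      );
      diag = above;
    }
  }
  return row[b.length];
}

// Approximate registrable domain: the last two labels (see assumption above).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns { trusted, findings }. `trusted` is true only when the host belongs
// to a trusted registrable domain and none of the checks fired.
function checkUrl(rawUrl) {
  const findings = [];
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { trusted: false, findings: ["URL does not parse"] };
  }
  // The WHATWG URL parser returns the hostname in ASCII form, so any label
  // that contained non-ASCII characters appears here with the "xn--" prefix.
  const host = url.hostname;
  const reg = registrableDomain(host);

  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push(`IDN label in host ${host}: possible homograph`);
  }
  for (const t of TRUSTED_DOMAINS) {
    if (reg === t) continue;
    if (host.includes(t)) {
      findings.push(`trusted name ${t} embedded in host ${host} (subdomain trick)`);
    } else if (levenshtein(reg, t) <= 2) {
      findings.push(`${reg} is within edit distance 2 of ${t} (typosquat)`);
    }
  }
  const trusted = findings.length === 0 && TRUSTED_DOMAINS.includes(reg);
  return { trusted, findings };
}

// Phishing messages often show one URL as the visible link text while the
// href points elsewhere; flag the mismatch when the visible text is itself a URL.
function linkTextMismatch(visibleText, href) {
  let shown;
  try {
    shown = new URL(visibleText.trim());
  } catch {
    return false;                   // text is not a URL, nothing to compare
  }
  let target;
  try {
    target = new URL(href);
  } catch {
    return true;                    // URL-looking text pointing at a broken href
  }
  return registrableDomain(shown.hostname) !== registrableDomain(target.hostname);
}

// Constructed sample inputs (not real phishing URLs) to illustrate the checks.
const SAMPLE_URLS = [
  "https://www.paypal.example/signin",
  "https://paypal.example.login-update.example/",
  "https://paypa1.example/",
  "https://p\u0430ypal.example/",   // Cyrillic 'а' (U+0430) in place of Latin 'a'
];
for (const u of SAMPLE_URLS) {
  console.log(u, JSON.stringify(checkUrl(u)));
}
```

Run it with `node` and the first sample comes back trusted while the other three each carry one finding. The "xn--" test is deliberately blunt: it flags every internationalized hostname, which is the right default for a corporate allow-list check but would need a mixed-script rule rather than a blanket flag if legitimate IDN sites are in scope.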

To prevent employees from being phished through such vulnerabilities, they should attend security training that covers these types of attack, so that they do not idly click links from unknown sources.


This was last published in November 2015
