Hi guys, this time I tried testing Brave Browser, because I challenged myself to test something other than web applications and see what I could do with it. While searching for browser bugs on hackerone.com I found a report about a homograph attack in the browser, #175286, and tried it, but it had been patched, so I looked for another way to attack it. I read more references about browsers, and a piece on URI obfuscation gave me an idea: what about adding @ in front of the punycode? And boom, it worked: Brave Browser did not validate the URL properly, just like in the previous report. This is my report, but before sending it I checked it in Chrome, and Chrome showed the true URL.
Summary:
The issue from #175286 has been patched, and I confirmed that the fix works, but I have another way to bypass it. When we add a site to our Homepage with @, the URL is not validated properly; it should display the punycode.
Products affected:
Brave 0.18.36 ( Linux & Windows )
Steps To Reproduce:
- In the browser, add a homepage with the IDN @ebаy.com/
- Now close and reopen the browser
- You can see it redirects to http://xn--eby-7cd.com/
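The steps above rely on two things a URL bar has to get right: Cyrillic а (U+0430) in "ebаy" makes the host an IDN whose DNS form is xn--eby-7cd.com, and in a URL everything before @ in the authority is userinfo, so "@ebаy.com/" names exactly the same host with empty credentials. The block below is an added example, not Brave's code or anything from the report: it runs the typed homepage through the WHATWG URL parser (which already does the IDNA-to-punycode step), decodes the xn-- label with a small RFC 3492 decoder, and applies a simplified version of Chrome's display rule (a label that mixes Latin with Cyrillic or Greek letters is shown as punycode). Completing a bare homepage string with http:// is an assumption about how the setting is normalised, and the hostnames are constructed test inputs.

```javascript
// Added example (not Brave's code): what a URL bar should do with a typed
// homepage so that "ebаy.com" (Cyrillic U+0430 in place of Latin "a") is shown
// as xn--eby-7cd.com instead of as a look-alike of ebay.com.
// Assumption: a homepage typed without a scheme is completed with "http://".

// --- RFC 3492 punycode decoding, enough to turn an "xn--" label back into
// Unicode so the scripts of its letters can be inspected. ---
function punyDigit(c) {
  if (c >= 48 && c <= 57) return c - 22;   // '0'..'9' -> 26..35
  if (c >= 65 && c <= 90) return c - 65;   // 'A'..'Z' -> 0..25
  if (c >= 97 && c <= 122) return c - 97;  // 'a'..'z' -> 0..25
  throw new Error(`bad punycode digit ${String.fromCharCode(c)}`);
}

function punyAdapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / 700) : delta >> 1;   // damp = 700
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > 455) { delta = Math.floor(delta / 35); k += 36; }  // 455 = ((36-1)*26)/2
  return k + Math.floor((36 * delta) / (delta + 38));          // skew = 38
}

function punycodeDecode(label) {
  const out = [];
  const sep = label.lastIndexOf('-');
  let pos = 0;
  if (sep >= 0) {                 // everything before the last '-' is plain ASCII
    for (; pos < sep; pos++) out.push(label.charCodeAt(pos));
    pos = sep + 1;
  }
  let n = 128, i = 0, bias = 72;
  while (pos < label.length) {
    const oldi = i;
    let w = 1;
    for (let k = 36; ; k += 36) {  // variable-length integer, base 36
      if (pos >= label.length) throw new Error('truncated punycode');
      const d = punyDigit(label.charCodeAt(pos++));
      i += d * w;
      const t = k <= bias ? 1 : k >= bias + 26 ? 26 : k - bias;
      if (d < t) break;
      w *= 36 - t;
    }
    bias = punyAdapt(i - oldi, out.length + 1, oldi === 0);
    n += Math.floor(i / (out.length + 1));
    i %= out.length + 1;
    out.splice(i, 0, n);          // insert code point n at position i
    i++;
  }
  return String.fromCodePoint(...out);
}

function hostToUnicode(asciiHost) {
  return asciiHost.split('.')
    .map(l => (l.toLowerCase().startsWith('xn--') ? punycodeDecode(l.slice(4)) : l))
    .join('.');
}

// --- Display policy (a simplification of Chrome's IDN rules): a label is shown
// in Unicode only if all of its letters come from one script; scripts other
// than the three listed are lumped together as "Other". ---
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    if (!/\p{L}/u.test(ch)) continue;   // digits and '-' belong to no script
    found.add(Object.keys(SCRIPTS).find(s => SCRIPTS[s].test(ch)) || 'Other');
  }
  return found;
}

function safeDisplayHost(asciiHost) {
  return asciiHost.split('.').map(label => {
    if (!label.toLowerCase().startsWith('xn--')) return label;
    const uni = punycodeDecode(label.slice(4));
    return scriptsOf(uni).size > 1 ? label : uni;   // mixed scripts -> keep punycode
  }).join('.');
}

// What the homepage setting should record and what the URL bar should show.
function analyzeHomepage(typed) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(typed);
  const url = new URL(hasScheme ? typed : 'http://' + typed);  // assumed default scheme
  return {
    userinfo: url.username,          // '' for "@ebаy.com/": the '@' only added empty userinfo
    asciiHost: url.hostname,         // the WHATWG parser already ran IDNA -> punycode
    unicodeHost: hostToUnicode(url.hostname),
    display: safeDisplayHost(url.hostname),
  };
}

// Constructed inputs modelled on the report: with and without the leading '@'.
for (const typed of ['@eb\u0430y.com/', 'eb\u0430y.com/']) {
  console.log(JSON.stringify(typed), '->', analyzeHomepage(typed));
}
```

Both inputs come out with the same `asciiHost`, which is the point: whatever the UI does with the leading @, the host that gets resolved is xn--eby-7cd.com, so the display decision has to be made on the parsed host rather than on the raw string the user typed. A pure-Latin IDN such as xn--bcher-kva.de still displays as bücher.de under this policy; only the mixed-script label falls back to punycode.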
Video:
Two days after that the Brave team updated my report to triaged and gave me a bounty (half of the first reporter's), but I was not satisfied with that (am I so greedy?) >.< and asked for information: why? The Brave team said “this was awarded lower because it requires the URL to start with ‘@’ which users would probably notice since it looks odd”, and I think that's true, so I dug in again: how can I attack it without ‘@’? I tried different ways and found that the ‘@’ is not required in the URL; just use a URL like this: ebаy.com/ . The Brave team said “seems valid” and gave me an extra bounty. Yay!
- You can see my original report on HackerOne: 268984
- Or github : https://github.com/brave/browser-laptop/issues/11001
Thanks.