After a few months of not hunting bugs, I wanted to hunt again. I re-read my previous report about bypassing the homograph protection and looked at the patch code, and I thought I could bypass it again with some trick.
I looked at the code in the Brave GitHub patch from my previous report, and with minimal programming skill tried to bypass the homograph protection. I noticed their code has a test like this:
```javascript
it('returns the punycode URL when given a valid URL', function () {
  assert.equal(
    urlUtil.getPunycodeUrl('http://brave:brave@ebаy.com:1234/brave#brave'),
    'http://brave:brave@xn--eby-7cd.com:1234/brave#brave'
  )
})
```
I noticed that in the URL around the @, the part after the @ contains the homograph and gets converted to ASCII punycode, and my weird logic thought: what if the part before the @ doesn't get converted to ASCII?
And this is how I reproduced it:
This is the punycode URL: ebаy.com@ebаy.com = xn--eby-7cd.com@xn--eby-7cd.com.
Set it as the homepage.
Attempts:
- ebаy.com@ebаy.com becomes ebаy.com@xn--eby-7cd.com
- ebаy.com/ebаy.com becomes xn--eby-7cd.xn--com/eby-7fg.com
- ebаy.com/@ebаy.com becomes ebаy.com/@xn--eby-7cd.com
And this is true: the part before the @ doesn't get converted to ASCII, so to make the browser visit the host before the @ I put a / after the punycode. So when a user inputs ebаy.com/@apapedulimu.click, the user will be redirected to xn--eby-7cd.com.
Video :
And I reported it to the Brave team on HackerOne; you can see my report at: https://hackerone.com/reports/317931 . The Brave team was very fast at patching it, and I got rewarded with a bounty. Yay!
And I said thanks to them with a GIF because of the very fast reply and patch, although it was just a minor bug.
This is the GIF
You can see the patch on their GitHub as well at: https://github.com/brave/browser-laptop/issues/13214
Thanks