Referrer spoofing with iframe injection

Last year we were playing with a very simple method to spoof the referrer on Edge, which of course allowed us to spoof the referrer and, as a bonus, do other neat things like bypass the XSS filter. Today I found out that it was patched, so I decided to give …

Bypassing the patch to continue spoofing the address bar and the Malware Warning

Yesterday, Microsoft pushed a gigantic update where tons of security bugs were fortunately killed, including most of the ones from this website. Kudos, big kudos to the Edge developers and the ones in charge of its security. Please, convince the ones who want to keep the ridiculous IE policies to change their minds or at …

The Attack of the Alerts and the Zombie Script

In our previous post we found a way to UXSS (bypass the SOP policy) using the htmlFile/ActiveXObject. However, I mentioned that there were other interesting things to do using that same object. Have you tried anything? If yes, congratulations. The only way to find bugs is by trying, and today we …

Spoofing the Address Bar with the Malware Warning

Update: this bug was patched on 2017-03-14 but we found a bypass the same day. Here it is: Bypassing the patch to continue spoofing the address bar and the Malware Warning. Over the last few months, we’ve seen a proliferation of these tech-support scams where users end up “locked” in their …

Referer spoofing and defeating the XSS filter

According to Wikipedia, “Referer spoofing is the sending of incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.” In other words, making a server think that requests are coming from anywhere we want. Referer …

