In order to evaluate various browsers, a library of spoofing testcases has been assembled. New browser technologies can use these testcases to determine if they're susceptible to spoofing.


Picture in Picture

A Picture in Picture attack uses graphic and script elements within an HTML page to simulate the look and feel of browser chrome. The goal is to recreate a convincing mockup of the browser chrome entirely within the content page, in order to present false indicators of security to the user. Even though this fake browser exists within a "real" browser that remains visible, the attack is documented to be relatively effective. In part, this is traceable to the historical preference in user agent UIs for showing only affirmative signals (padlock, green bar, etc.), which relies on users to notice their absence in an attack scenario.

Favicon spoofing

A favicon spoofing attack uses the broadly supported favicon.ico convention (dropped in the root of a website, this 16x16 Windows icon file is displayed to the right of the URL in most user agents' address bar) to provide deceptive security cues. Specifically, since many web user agents show a padlock icon in the address bar to indicate that some level of SSL is in use, an attacker's site can supply a favicon that mimics the padlock and so provide a similar cue. The fact that "real" SSL padlocks appear on the right, not the left, of the address bar is often too subtle a distinction for users to recognize and act upon.

Negative positioned window

A negative positioned window attack closely resembles the window-larger-than-the-display attack. Like most of the entries in this list, it subverts the usual browser chrome indicators by obscuring them, with the intent of synthesizing new ones within the content area. If I can move my browser 100 pixels off the top of the screen, I can create my own false menus and toolbars, as well as my own misleading chrome indicators about URL and SSL status, strictly within the content area. It is basically a picture in picture attack that takes an extra step to make the inner picture seem authoritative.

Invisible password area

An invisible password area attack can be used to trick users into submitting their stored passwords for a site in the course of a cross-site scripting attack. A password input is added to the page, but CSS manipulation (one option; there are other methods for hiding an element) is used to obscure it from the user. Since the browser cannot tell that this represents an attack scenario, the stored password is supplied without the user knowing that any secret has been divulged. Once this occurs, any number of cross-site scripting attacks can be launched with significantly reduced risk of detection.
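The following is an added example, not part of the original testcase library: a defender-side audit that flags password inputs a user cannot see, which is the condition the invisible password area testcase relies on. Each field is described as plain data (the relevant computed style values, its bounding rectangle, and the viewport size) so the checks run outside a browser; describeLiveFields gathers the same data from a live document. The set of "hidden" heuristics, the function names and the sample fields are all assumptions of this example.

```javascript
// Added example (not part of the original testcase library): a defender-side
// audit that flags password inputs a user cannot see. The heuristics for what
// counts as "hidden" are assumptions chosen to cover common CSS tricks.

// Each field is plain data: computed style values, bounding rectangle and the
// viewport size. Plain objects keep the checks runnable without a DOM.
function hiddenReasons(field) {
  const { style, rect, viewport } = field;
  const reasons = [];
  if (style.display === "none") reasons.push("display:none");
  if (style.visibility === "hidden" || style.visibility === "collapse") {
    reasons.push("visibility:" + style.visibility);
  }
  if (parseFloat(style.opacity) === 0) reasons.push("opacity:0");
  if (rect.width === 0 || rect.height === 0) reasons.push("zero-size");
  // Positioned entirely outside the viewport (e.g. left:-9999px).
  const offLeft = rect.x + rect.width <= 0;
  const offTop = rect.y + rect.height <= 0;
  const offRight = rect.x >= viewport.width;
  const offBottom = rect.y >= viewport.height;
  if (offLeft || offTop || offRight || offBottom) reasons.push("off-screen");
  // Clipped away with clip-path (the older clip:rect(0,0,0,0) has the same effect).
  if (style.clipPath && style.clipPath !== "none") reasons.push("clip-path");
  return reasons;
}

// Returns only the fields that have at least one reason to be invisible.
function auditPasswordFields(fields) {
  return fields
    .map((f) => ({ id: f.id, reasons: hiddenReasons(f) }))
    .filter((r) => r.reasons.length > 0);
}

// Browser adapter: build the same description from the live document using
// getComputedStyle() and getBoundingClientRect().
function describeLiveFields(doc, win) {
  return Array.from(doc.querySelectorAll('input[type="password"]')).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      id: el.id || el.name || "(anonymous)",
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity, clipPath: cs.clipPath },
      rect: { x: r.x, y: r.y, width: r.width, height: r.height },
      viewport: { width: win.innerWidth, height: win.innerHeight },
    };
  });
}

// Constructed sample page: one visible login field and three hidden ones.
const VIEWPORT = { width: 1280, height: 720 };
const SAMPLE_FIELDS = [
  { id: "login-password",
    style: { display: "block", visibility: "visible", opacity: "1", clipPath: "none" },
    rect: { x: 120, y: 200, width: 220, height: 28 }, viewport: VIEWPORT },
  { id: "hidden-display",
    style: { display: "none", visibility: "visible", opacity: "1", clipPath: "none" },
    rect: { x: 0, y: 0, width: 0, height: 0 }, viewport: VIEWPORT },
  { id: "hidden-offscreen",
    style: { display: "block", visibility: "visible", opacity: "1", clipPath: "none" },
    rect: { x: -9999, y: 200, width: 220, height: 28 }, viewport: VIEWPORT },
  { id: "hidden-opacity",
    style: { display: "block", visibility: "visible", opacity: "0", clipPath: "none" },
    rect: { x: 120, y: 240, width: 220, height: 28 }, viewport: VIEWPORT },
];

if (typeof document !== "undefined" && typeof window !== "undefined") {
  console.log(auditPasswordFields(describeLiveFields(document, window)));
} else {
  console.log(auditPasswordFields(SAMPLE_FIELDS));
}
```

Run in a page, the audit lists every password field the password manager might fill that the user would never see; run under Node it exercises the same logic on the constructed sample. A field hidden with display:none also reports zero-size and off-screen, since its bounding rectangle collapses to the origin.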

Window larger than the display

An obvious attack, usually thwarted by modern browsers, is to extend the Picture in Picture attack with code that resizes the browser window to be larger than the visible screen. In so doing, it may be possible to push the legitimate browser chrome out of the viewable area, making the internal, fake version appear more authoritative. This is closely related to the Negative Positioned Window attack.
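As an added example covering both the negative positioned window and the window-larger-than-the-display testcases (this is not code from the original library), the check below takes the window geometry a browser reports and says whether the top of the window, where the real address bar and SSL indicator live, could lie outside the visible screen. It assumes that window.screenX/screenY give the outer window origin and that screen.availWidth/availHeight describe the usable display; the function names and the constructed geometries are this example's own.

```javascript
// Added example (not part of the original testcase library): reports whether
// the reported window geometry could push the real browser chrome off-screen.
// Assumes screenX/screenY are the outer window origin and availWidth/availHeight
// the usable display area, as the DOM Window and Screen interfaces define them.
function chromeOffscreenRisk(geom) {
  const { screenX, screenY, outerWidth, outerHeight, availWidth, availHeight } = geom;
  const findings = [];
  // Negative positioned window: the window origin is above or left of the screen.
  if (screenY < 0 || screenX < 0) {
    findings.push({
      kind: "negative-position",
      hiddenTop: Math.max(0, -screenY),
      hiddenLeft: Math.max(0, -screenX),
    });
  }
  // Window larger than the display: the outer size exceeds the usable screen.
  if (outerWidth > availWidth || outerHeight > availHeight) {
    findings.push({
      kind: "larger-than-display",
      overflowX: Math.max(0, outerWidth - availWidth),
      overflowY: Math.max(0, outerHeight - availHeight),
    });
  }
  return findings;
}

// Browser adapter: read the live values from a Window object.
function readLiveGeometry(win) {
  return {
    screenX: win.screenX,
    screenY: win.screenY,
    outerWidth: win.outerWidth,
    outerHeight: win.outerHeight,
    availWidth: win.screen.availWidth,
    availHeight: win.screen.availHeight,
  };
}

// Comma-separated list of finding kinds, or "ok" when there are none.
function summarize(findings) {
  return findings.map((f) => f.kind).join(",") || "ok";
}

// Constructed geometries for a 1920x1080 display with a 40px taskbar.
const SAMPLE_GEOMETRIES = {
  normal:    { screenX: 100, screenY: 60,   outerWidth: 1280, outerHeight: 800,  availWidth: 1920, availHeight: 1040 },
  negative:  { screenX: 100, screenY: -100, outerWidth: 1280, outerHeight: 800,  availWidth: 1920, availHeight: 1040 },
  oversized: { screenX: 0,   screenY: 0,    outerWidth: 2200, outerHeight: 1300, availWidth: 1920, availHeight: 1040 },
};

if (typeof window !== "undefined") {
  console.log(summarize(chromeOffscreenRisk(readLiveGeometry(window))));
} else {
  for (const [name, geom] of Object.entries(SAMPLE_GEOMETRIES)) {
    console.log(name + ": " + summarize(chromeOffscreenRisk(geom)));
  }
}
```

A test page for either attack can run chromeOffscreenRisk(readLiveGeometry(window)) after the page has tried to move or resize itself; a browser that refuses the operation leaves the geometry within bounds and the check reports "ok", while one that allowed it reports which of the two conditions now holds and by how many pixels.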