Safari < 10.0.1 on macOS


Safari's Installed Plug-ins page has multiple stored XSS vulnerabilities (in the MIME Type, Description and Extensions fields).

This page is a local file:

When a user has installed a malicious plug-in and opens Safari -> Help menu -> Installed Plug-ins to view plug-in information, a UXSS attack can occur.


An attacker publishes a malicious plug-in. In Xcode, edit Info.plist and inject the malicious code into its fields.

The content of info.plist

Copy the plug-in into “~/Library/Internet Plug-Ins” and restart Safari; the plug-in is then loaded. Open Safari -> Help menu -> Installed Plug-ins to view the plug-in information and trigger the payload.
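The following is an added example, not code from the original post or from Apple: a small model of how the stored XSS arises when plug-in metadata is rendered into the Installed Plug-ins page, with the escaped rendering beside it. The plist keys (WebPluginName, WebPluginMIMETypes, WebPluginTypeDescription, WebPluginExtensions) are the standard WebKit plug-in Info.plist keys; the plug-in contents and the two render functions are constructed for illustration and are not Safari's own code.

```javascript
// Added example (not the original post's code): how unescaped plug-in
// metadata becomes markup in a local page, and the escaping that prevents it.

// Constructed Info.plist content, expressed as a JS object. The Description
// and Extensions fields carry script payloads, as the attacker would set them.
const EVIL_PLIST = {
  CFBundleName: 'EvilPlugin',
  WebPluginName: 'Evil Plugin',
  WebPluginMIMETypes: {
    'application/x-evil': {
      WebPluginTypeDescription: 'Evil<img src=x onerror="alert(document.location)">',
      WebPluginExtensions: ['evl', '<script>alert(1)</script>'],
    },
  },
};

// Escape the five characters that matter when inserting text into HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable model: metadata is concatenated straight into markup, so any
// HTML placed in the plist becomes part of the page (which is a local file,
// so the injected script runs in a file:// origin).
function renderPluginTableUnsafe(plist) {
  let rows = '';
  for (const [mime, info] of Object.entries(plist.WebPluginMIMETypes)) {
    rows += `<tr><td>${mime}</td><td>${info.WebPluginTypeDescription}</td>` +
            `<td>${info.WebPluginExtensions.join(', ')}</td></tr>`;
  }
  return `<h2>${plist.WebPluginName}</h2><table>${rows}</table>`;
}

// Hardened model: every plist-derived string is escaped before insertion.
function renderPluginTableSafe(plist) {
  let rows = '';
  for (const [mime, info] of Object.entries(plist.WebPluginMIMETypes)) {
    rows += `<tr><td>${escapeHtml(mime)}</td>` +
            `<td>${escapeHtml(info.WebPluginTypeDescription)}</td>` +
            `<td>${escapeHtml(info.WebPluginExtensions.join(', '))}</td></tr>`;
  }
  return `<h2>${escapeHtml(plist.WebPluginName)}</h2><table>${rows}</table>`;
}

// Check whether rendered markup still contains a tag that could execute script.
function containsLiveTag(html) {
  return /<(script|img)\b/i.test(html);
}
```

The fix is the usual one for stored XSS: treat every field read from a plug-in bundle as untrusted text and escape it (or set it via textContent) before it reaches the page, regardless of how trusted the bundle location looks.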

PoC that steals the user's passwd file:




Disclosure Timeline


2016/7/27 Provided vulnerability details to Apple via

2016/10/24 Apple fixed it in Safari 10.0.1

2016/11/18 Apple reply: No CVE was issued because this issue required the precondition that the user install a malicious plug-in.

I reported the vulnerability to Apple on February 1, 2016. The vulnerabilities discussed in this article have been fixed. I think this is a very interesting logical bug, which makes the Smart Search bar dangerous!




User Agent:

Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E5191d Safari/601.1



In Safari on iOS, the address bar and the Smart Search bar are combined into a single field. In Safari's settings the user can choose the default search engine: Yahoo, Google, Bing, Baidu, DuckDuckGo and so on. When the user searches for a URL through the default search engine, that URL is what the omnibox displays. Because of this, if the search engine has an XSS vulnerability, an attacker can put an arbitrary URL in the address bar and control the page's content, which is a spoofing attack.



Testing environment:

1. Set the default search engine to Baidu

2. iPhone/iPad

(1) Safari search on iPhone



(2) Safari search on iPad




(3) Address bar spoofing attacks with search engines

If the search engine has an XSS vulnerability, an attacker can put an arbitrary URL in the address bar and control the page's content, which is a spoofing attack. Here I found a Baidu search engine XSS to prove the spoofing attack.



Online DEMO:



Finding an XSS in search engines such as Google, Yahoo or Bing is very hard, so Apple's fix was to add a search marker to the Smart Search bar.
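To make the omnibox behaviour and Apple's fix concrete, here is an added example that is not code from the original post or from Apple. It models the Smart Search bar's display logic: the Baidu and Google search URL templates are the real ones, but the display functions are a simplified model of Safari, and the "Search:" prefix stands in for the visual search mark Apple added. The post does not disclose the Baidu injection point, so no XSS payload appears here; the point shown is that, before the fix, a search whose query is a URL is displayed identically to a real navigation to that URL.

```javascript
// Added example (not Apple's code): a model of the iOS Safari Smart Search
// bar, before and after the search marker was added.

// Default search engines a user can pick in Safari's settings (real templates).
const SEARCH_ENGINES = [
  { name: 'Baidu',  host: 'www.baidu.com',  path: '/s',      param: 'wd' },
  { name: 'Google', host: 'www.google.com', path: '/search', param: 'q' },
];

// What Safari navigates to when the user types `query` into the bar.
function buildSearchUrl(engine, query) {
  const u = new URL(`https://${engine.host}${engine.path}`);
  u.searchParams.set(engine.param, query);
  return u.toString();
}

// If the committed URL is a results page of the chosen engine, return the
// query it carries; otherwise null. An attacker's lure that points at the
// engine's XSS lands here just like a user's own search does.
function extractSearchQuery(committedUrl, engine) {
  let u;
  try { u = new URL(committedUrl); } catch (e) { return null; }
  if (u.protocol !== 'https:' || u.hostname !== engine.host || u.pathname !== engine.path) {
    return null;
  }
  return u.searchParams.get(engine.param);
}

// Pre-fix model: on a results page the bar shows the bare query text, so a
// query that looks like a URL is displayed exactly like that URL.
function omniboxTextVulnerable(committedUrl, engine) {
  const q = extractSearchQuery(committedUrl, engine);
  return q !== null ? q : committedUrl;
}

// Post-fix model: a search is always marked as a search, so the two cases
// can no longer be confused.
function omniboxTextFixed(committedUrl, engine) {
  const q = extractSearchQuery(committedUrl, engine);
  return q !== null ? `Search: ${q}` : committedUrl;
}
```

With Baidu selected, `omniboxTextVulnerable(buildSearchUrl(baidu, 'https://www.apple.com'), baidu)` and `omniboxTextVulnerable('https://www.apple.com', baidu)` return the same string, which is the whole attack surface: a search engine XSS controls the page content, and the bar shows whatever URL the attacker put in the query. The fixed variant returns different strings for the two.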




This vulnerability was discovered by xisigr of Tencent’s Xuanwu Lab


0x00 Vulnerability Overview

Address bar URL spoofing in Chrome for iOS (CVE-2016-1707). I reported the vulnerability to Google in June 2016. A URL spoofing vulnerability lets an attacker forge the address of a legitimate website and use it to launch phishing attacks.

Affected versions: Chrome < v52.0.2743.82, iOS < v10

0x01 Vulnerability Details



How does the vulnerability happen? First, click the 'click me' link: the browser opens a new window named aaaa, and that page loads '' (any address will do). After 500 milliseconds, Pwned() runs and opens '' in the aaaa window; this URL can even be empty. Up to this point everything works as expected; the code that follows is the core that triggers the vulnerability.

Loading '' begins in the aaaa window. Chrome allows the load of '' and adds it as a pending entry. Because '' is an invalid address, I think Chrome should navigate to about:blank instead, but Chrome commits the pending entry ('') and promotes it to the last committed URL, which is what the address bar displays. At that point the loading process is complete. A perfect URL spoofing vulnerability was born.

Online demo:

0x02 Fixed

[IOS] Do not commit invalid URLs during web load.
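The sequence above and the fix, as an added example that is not Chromium's code: a minimal model of a tab's navigation entries (pending entry, last committed URL, page content) with the pre-fix behaviour beside the fixed one. The attacker page and the invalid URL are constructed placeholders; the post does not show the actual strings it used.

```javascript
// Added example (not Chromium code): the navigation-entry logic the post
// describes, with "commit invalid URLs" switchable to show before/after.

// Minimal model of a tab: what the address bar shows (last committed URL)
// and what the viewport shows (content of the last successful load).
class TabModel {
  constructor(commitInvalidUrls) {
    this.commitInvalidUrls = commitInvalidUrls; // true = pre-fix behaviour
    this.pendingEntry = null;
    this.lastCommittedUrl = 'about:blank';
    this.content = '';
  }

  // A load whose URL cannot be parsed never fetches anything.
  static isValidUrl(s) {
    try { new URL(s); return true; } catch (e) { return false; }
  }

  // window.open(url, 'aaaa') against an existing window named aaaa:
  // the URL becomes the pending entry, then the load is attempted.
  open(url, fetchContent) {
    this.pendingEntry = url;
    if (TabModel.isValidUrl(url)) {
      this.content = fetchContent(url);
      this.lastCommittedUrl = url;   // normal commit after a successful load
    } else if (this.commitInvalidUrls) {
      this.lastCommittedUrl = url;   // bug: promoted although nothing loaded
    }
    // Fixed behaviour ("Do not commit invalid URLs during web load"):
    // the invalid pending entry is simply dropped.
    this.pendingEntry = null;
    return this;
  }

  addressBar() { return this.lastCommittedUrl; }
}

// The two-step sequence from the post, run against a given model.
function runSpoofSequence(tab) {
  // Constructed "fetch": the attacker's first page carries the phishing content.
  const fetchContent = (url) => `<html>page served from ${url}</html>`;
  // Step 1: the 'click me' link opens window aaaa on an attacker-chosen page.
  tab.open('https://attacker.example/fake-login', fetchContent);
  // Step 2 (after the 500 ms timer): open an invalid URL in the same window.
  // The string is a placeholder; a non-numeric port makes it unparsable.
  tab.open('https://www.google.com:bad-port/accounts', fetchContent);
  return { bar: tab.addressBar(), content: tab.content };
}
```

With `new TabModel(true)` the address bar ends up showing the attacker's chosen string while the viewport still holds the content from the first load; with `new TabModel(false)` the bar stays on the URL that was actually loaded, so bar and content agree again.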

0x03 Disclosure Timeline

2016/6/22  Reported to Google

2016/6/22  Google assigned Security_Severity-High

2016/7/14  Google rewarded $3000

2016/7/20  Google advisory disclosed CVE-2016-1707

2016/10/2  Google made the issue fully public

0x04 References




CSS Handling Status Bar Spoofing: I found this interesting vulnerability 5 years ago, and it still exists today. When a key UI module of the browser can be controlled by the user, I think it is dangerous, such as the origin shown in a dialog box, etc. Of course, the status bar of the browser is different from a traditional browser URL spoof; it is more like a logical error in design, which lets an attacker use CSS to draw an exactly identical status bar. Although it is not as serious as you might think, I still stick to my point of view: when an attacker can control a UI module of the browser, a phishing attack may happen at any time.

Now you can try CSS Handling Status Bar Spoofing 

Microsoft Internet Explorer CSS Handling Status Bar Spoofing Vulnerability
Google Chrome CSS Handling Status Bar Spoofing Vulnerability
Mozilla Firefox CSS Handling Status Bar Spoofing Vulnerability

Vulnerability Details:


WebKit in Apple iOS before 9.3 and Safari before 9.1 allows remote attackers to bypass the Same Origin Policy and obtain physical-location data via a crafted geolocation request.




Base64 decode:






This vulnerability was discovered by xisigr of Tencent’s Xuanwu Lab
Chinese Paper: