Browser-in-browser attack


For security professionals, the URL is usually the most reliable indicator of which site a page belongs to. Attacks such as IDN homographs and DNS hijacking can reduce that reliability, but they cannot make URLs completely untrustworthy.

Login pop-ups

Quite often, when logging in to a website via Google, Microsoft, Apple, etc., a pop-up window appears with a request for authentication. The image below shows the window that appears when you try to log in to Canva using a Google account.


Window Duplication

Reproducing the window design with basic HTML/CSS is quite simple. If the window design is combined with an iframe that loads a phishing page from a malicious server, the result is almost indistinguishable from a real pop-up. The image below shows a fake window next to the real one; as you can see, the differences between them are insignificant.


Using JavaScript, it is easy to make the window appear when a link or button is clicked, when the page loads, and so on. The window can also be given a visually attractive look with animations from libraries such as jQuery.

Demo version


Custom URL on hover

With JavaScript enabled, checking a link's authenticity by hovering over it and reading the URL is not very effective. The HTML for such a link usually looks like this:


If the link is given an onclick handler that returns false, hovering over it still shows the URL from the href attribute in the browser's status bar, but clicking it ignores the href entirely and runs the handler instead. This is what lets the pop-up window be given a more realistic look.


Available templates

Templates have been created for the following operating systems and browsers:

  • Windows – Chrome (light and dark modes)
  • Mac OSX – Chrome (light and dark modes)

Ready-made templates are available on GitHub.


This technique makes a fake site considerably more convincing during phishing. Once on the fraudulent site, the user does not notice the deception, because the site's legitimacy appears to be confirmed by an entirely plausible URL. An unsuspecting victim enters credentials into the pop-up window, and they are immediately sent to the attackers.
