Microsoft Edge/Internet Explorer Certificate Error Url Spoofing

Tested on Windows 10 x64
Edge Version: 20.10240.16384.0
Internet Explorer Version: 11.0.10240.16431


Microsoft Edge is a web browser developed by Microsoft and included in the company's Windows 10 operating systems, replacing Internet Explorer as the default web browser on all device classes.


Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year. Later versions were available as free downloads, or in service packs, and included in the Original Equipment Manufacturer (OEM) service releases of Windows 95 and later versions of Windows.

Vulnerability description:

What presents these screenshots? The certificate error on domain No! (tip: certificate error over http ?)

Error concerning the certificate but occurs in another domain (not, but where??

The browser interprets headers first, then current url and more... Spoofing works when in response Edge/IE receive "Location:" parameter, (HTTP 302).

How it can be used in nature? Simply by using Open Redirect vulnerability or HTTP Response Splitting to trick victim to accept unsecure certificate by the trust to domain visible in URI.


PoC source code:



Disclosure Timeline:

2015-10-27 - Vulnerability reported to vendor

2016-02-19 - CVE-2016-0077

2016-02-19 - Release fix in Microsoft Security Bulletin MS16-009/MS16-011

Reported by:

Kacper RybczyƄski (@kacperybczynski)