The browser hacker's handbook

Hackers exploit browser vulnerabilities to attack deep within networks The Browser Hacker's Handbook gives a practical understanding of hacking the everyday web browser and using it as a beachhead to launch further attacks deep into corporate networks. Written by a team of highly experienced computer security experts, the handbook provides hands-on tutorials exploring a range of current attack methods. The web browser has become the most popular and widely used computer "program" in the world. As the gateway to the Internet, it is part of the storefront to any business that operates online, but it is also one of the most vulnerable entry points of any system. With attacks on the rise, companies are increasingly employing browser-hardening techniques to protect the unique vulnerabilities inherent in all currently used browsers. The Browser Hacker's Handbook thoroughly covers complex security issues and explores relevant topics such as: Bypassing the Same Origin Policy ARP spoofing, social engineering, and phishing to access browsers DNS tunneling, attacking web applications, and proxying-all from the browser Exploiting the browser and its ecosystem (plugins and extensions) Cross-origin attacks, including Inter-protocol Communication and Exploitation The Browser Hacker's Handbook is written with a professional security engagement in mind. Leveraging browsers as pivot points into a target's network should form an integral component into any social engineering or red-team security assessment. This handbook provides a complete methodology to understand and structure your next browser penetration test.

Introduction xv Chapter 1 Web Browser Security 1 A Principal Principle 2 Exploring the Browser 3 Symbiosis with the Web Application 4 Same Origin Policy 4 HTTP Headers 5 Markup Languages 5 Cascading Style Sheets 6 Scripting 6 Document Object Model 7 Rendering Engines 7 Geolocation 9 Web Storage 9 Cross-origin Resource Sharing 9 HTML5 10 Vulnerabilities 11 Evolutionary Pressures 12 HTTP Headers 13 Reflected XSS Filtering 15 Sandboxing 15 Anti-phishing and Anti-malware 16 Mixed Content 17 Core Security Problems 17 Attack Surface 17 Surrendering Control 20 TCP Protocol Control 20 Encrypted Communication 20 Same Origin Policy 21 Fallacies 21 Browser Hacking Methodology 22 Summary 28 Questions 28 Notes 29 Chapter 2 Initiating Control 31 Understanding Control Initiation 32 Control Initiation Techniques 32 Using Cross-site Scripting Attacks 32 Using Compromised Web Applications 46 Using Advertising Networks 46 Using Social Engineering Attacks 47 Using Man-in-the-Middle Attacks 59 Summary 72 Questions 73 Notes 73 Chapter 3 Retaining Control 77 Understanding Control Retention 78 Exploring Communication Techniques 79 Using XMLHttpRequest Polling 80 Using Cross-origin Resource Sharing 83 Using WebSocket Communication 84 Using Messaging Communication 86 Using DNS Tunnel Communication 89 Exploring Persistence Techniques 96 Using IFrames 96 Using Browser Events 98 Using Pop-Under Windows 101 Using Man-in-the-Browser Attacks 104 Evading Detection 110 Evasion using Encoding 111 Evasion using Obfuscation 116 Summary 125 Questions 126 Notes 127 Chapter 4 Bypassing the Same Origin Policy 129 Understanding the Same Origin Policy 130 Understanding the SOP with the DOM 130 Understanding the SOP with CORS 131 Understanding the SOP with Plugins 132 Understanding the SOP with UI Redressing 133 Understanding the SOP with Browser History 133 Exploring SOP Bypasses 134 Bypassing SOP in Java 134 Bypassing SOP in Adobe Reader 140 Bypassing SOP in Adobe Flash 141 Bypassing SOP in Silverlight 142 Bypassing SOP in Internet Explorer 142 Bypassing SOP in Safari 143 Bypassing SOP in Firefox 144 Bypassing SOP in Opera 145 Bypassing SOP in Cloud Storage 149 Bypassing SOP in CORS 150 Exploiting SOP Bypasses 151 Proxying Requests 151 Exploiting UI Redressing Attacks 153 Exploiting Browser History 170 Summary 178 Questions 179 Notes 179 Chapter 5 Attacking Users 183 Defacing Content 183 Capturing User Input 187 Using Focus Events 188 Using Keyboard Events 190 Using Mouse and Pointer Events 192 Using Form Events 195 Using IFrame Key Logging 196 Social Engineering 197 Using TabNabbing 198 Using the Fullscreen 199 Abusing UI Expectations 204 Using Signed Java Applets 223 Privacy Attacks 228 Non-cookie Session Tracking 230 Bypassing Anonymization 231 Attacking Password Managers 234 Controlling the Webcam and Microphone 236 Summary 242 Questions 243 Notes 243 Chapter 6 Attacking Browsers 247 Fingerprinting Browsers 248 Fingerprinting using HTTP Headers 249 Fingerprinting using DOM Properties 253 Fingerprinting using Software Bugs 258 Fingerprinting using Quirks 259 Bypassing Cookie Protections 260 Understanding the Structure 261 Understanding Attributes 263 Bypassing Path Attribute Restrictions 265 Overflowing the Cookie Jar 268 Using Cookies for Tracking 270 Sidejacking Attacks 271 Bypassing HTTPS 272 Downgrading HTTPS to HTTP 272 Attacking Certificates 276 Attacking the SSL/TLS Layer 277 Abusing Schemes 278 Abusing iOS 279 Abusing the Samsung Galaxy 281 Attacking JavaScript 283 Attacking Encryption in JavaScript 283 JavaScript and Heap Exploitation 286 Getting Shells using Metasploit 293 Getting Started with Metasploit 294 Choosing the Exploit 295 Executing a Single Exploit 296 Using Browser Autopwn 300 Using BeEF with Metasploit 302 Summary 305 Questions 305 Notes 306 Chapter 7 Attacking Extensions 311 Understanding Extension Anatomy 312 How Extensions Differ from Plugins 312 How Extensions Differ from Add-ons 313 Exploring Privileges 313 Understanding Firefox Extensions 314 Understanding Chrome Extensions 321 Discussing Internet Explorer Extensions 330 Fingerprinting Extensions 331 Fingerprinting using HTTP Headers 331 Fingerprinting using the DOM 332 Fingerprinting using the Manifest 335 Attacking Extensions 336 Impersonating Extensions 336 Cross-context Scripting 339 Achieving OS Command Execution 355 Achieving OS Command Injection 359 Summary 364 Questions 365 Notes 365 Chapter 8 Attacking Plugins 371 Understanding Plugin Anatomy 372 How Plugins Differ from Extensions 372 How Plugins Differ from Standard Programs 374 Calling Plugins 374 How Plugins are Blocked 376 Fingerprinting Plugins 377 Detecting Plugins 377 Automatic Plugin Detection 379 Detecting Plugins in BeEF 380 Attacking Plugins 382 Bypassing Click to Play 382 Attacking Java 388 Attacking Flash 400 Attacking ActiveX Controls 403 Attacking PDF Readers 408 Attacking Media Plugins 410 Summary 415 Questions 416 Notes 416 Chapter 9 Attacking Web Applications 421 Sending Cross-origin Requests 422 Enumerating Cross-origin Quirks 422 Preflight Requests 425 Implications 425 Cross-origin Web Application Detection 426 Discovering Intranet Device IP Addresses 426 Enumerating Internal Domain Names 427 Cross-origin Web Application Fingerprinting 429 Requesting Known Resources 430 Cross-origin Authentication Detection 436 Exploiting Cross-site Request Forgery 440 Understanding Cross-site Request Forgery 440 Attacking Password Reset with XSRF 443 Using CSRF Tokens for Protection 444 Cross-origin Resource Detection 445 Cross-origin Web Application Vulnerability Detection 450 SQL Injection Vulnerabilities 450 Detecting Cross-site Scripting Vulnerabilities 465 Proxying through the Browser 469 Browsing through a Browser 472 Burp through a Browser 477 Sqlmap through a Browser 480 Browser through Flash 482 Launching Denial-of-Service Attacks 487 Web Application Pinch Points 487 DDoS Using Multiple Hooked Browsers 489 Launching Web Application Exploits 493 Cross-origin DNS Hijack 493 Cross-origin JBoss JMX Remote Command Execution 495 Cross-origin GlassFish Remote Command Execution 497 Cross-origin m0n0wall Remote Command Execution 501 Cross-origin Embedded Device Command Execution 502 Summary 508 Questions 508 Notes 509 Chapter 10 Attacking Networks 513 Identifying Targets 514 Identifying the Hooked Browser's Internal IP 514 Identifying the Hooked Browser's Subnet 520 Ping Sweeping 523 Ping Sweeping using XMLHttpRequest 523 Ping Sweeping using Java 528 Port Scanning 531 Bypassing Port Banning 532 Port Scanning using the IMG Tag 537 Distributed Port Scanning 539 Fingerprinting Non-HTTP Services 542 Attacking Non-HTTP Services 545 NAT Pinning 545 Achieving Inter-protocol Communication 549 Achieving Inter-protocol Exploitation 564 Getting Shells using BeEF Bind 579 The BeEF Bind Shellcode 579 Using BeEF Bind in your Exploits 585 Using BeEF Bind as a Web Shell 596 Summary 599 Questions 600 Notes 601 Chapter 11 Epilogue: Final Thoughts 605 Index 609