Monday, September 2, 2013

Wo(Man) in The Browser - MiTB

While conducting a penetration test of a web application for a financial services client recently, I came across a vulnerability that I wanted to briefly discuss. The vulnerability was related to the now-infamous "banking Trojans" and their ability to modify HTML pages on the fly. This is a relatively sophisticated tactic used by banking Trojans such as Zeus and SpyEye to manipulate a user's web browser interactions with their banking web application. It is used specifically as a phishing tactic to get users to enter additional sensitive data (for example, while they are logging into their online banking application).

There are various client-side attack vectors that can be used to initially infect the user's system or mobile device with the banking Trojan, ranging from a lure delivered by spear-phishing or a watering hole to drive-by delivery mechanisms. After the user's system is infected, the Trojan monitors the HTTP stream via Wininet.dll (or another library) and modifies the content on the fly. For Trojans like Zeus (in the tested instance), the content-modification capability is driven by a configuration file called "Webinjects.txt". When the victim fills in the additional information, it is sent to the Trojan's command-and-control host.

Mitigating this vulnerability can be a challenge. Several remediation strategies have been put forward, ranging from client hardening techniques, secure card readers (e.g. Smartwipe) and out-of-band verification to detection via web tripwire hooks used by various WAFs, which can detect and identify these "in-flight" page manipulations in real time.
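The web tripwire idea mentioned above, as an added example that is not part of the original post: the server embeds a manifest of the login form's fields, and the browser compares it against the live DOM so that an extra field grafted in by a webinject is flagged and reported. The manifest, the injected sample and the `/tripwire-report` endpoint are constructed assumptions.

```javascript
// Minimal client-side "web tripwire" for a login form: the server embeds a
// manifest of the fields it rendered; the browser re-reads the live form.
// Manifest the server would embed alongside the login page (constructed sample).
const EXPECTED_LOGIN_FORM = {
  action: "/login",
  fields: [
    { name: "username", type: "text" },
    { name: "password", type: "password" },
    { name: "csrf_token", type: "hidden" },
  ],
};

// Pure comparison of the observed form against the manifest. Returns the
// discrepancies so the caller can decide what to report.
function checkFormIntegrity(observed, expected) {
  const key = (f) => `${f.name}:${f.type}`;
  const expectedKeys = new Set(expected.fields.map(key));
  const observedKeys = new Set(observed.fields.map(key));
  const added = observed.fields.filter((f) => !expectedKeys.has(key(f)));
  const removed = expected.fields.filter((f) => !observedKeys.has(key(f)));
  const actionChanged = observed.action !== expected.action;
  const tampered = added.length > 0 || removed.length > 0 || actionChanged;
  return { tampered, added, removed, actionChanged };
}

// Browser side: snapshot the live form in the same shape as the manifest.
// Only callable where a DOM exists.
function observeForm(formId) {
  const form = document.getElementById(formId);
  const fields = Array.from(form.querySelectorAll("input, select, textarea"))
    .map((el) => ({ name: el.name, type: el.type }));
  return { action: form.getAttribute("action"), fields };
}

// Send a tamper report to an assumed server endpoint; returns whether a
// report was warranted so the result can be checked without a browser.
function reportTampering(result, endpoint = "/tripwire-report") {
  if (!result.tampered) return false;
  if (typeof navigator !== "undefined" && navigator.sendBeacon) {
    navigator.sendBeacon(endpoint, JSON.stringify(result));
  }
  return true;
}

// Constructed sample of a webinject'd form: an extra PIN prompt was added.
const INJECTED_SAMPLE = {
  action: "/login",
  fields: [...EXPECTED_LOGIN_FORM.fields, { name: "atm_pin", type: "password" }],
};
```

A Trojan that rewrites the page in flight can also strip or alter this script, so it is a detection aid rather than a guarantee; the WAF-side checks the post mentions are its complement.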

- MH "Madame Hack"

Wednesday, May 8, 2013

Asymmetric Warfare - Who's Got BeEF?


Normally, when responding to web-borne application attacks against their websites, most organizations take the approach of responding to the malicious attack traffic itself, such as responding to cross-site scripting (XSS) or CSRF with a combination of output encoding/escaping and some form of input validation for untrusted user input. They may also add protection measures such as a Content Security Policy (CSP) or Active Content Signatures (ACS) to further protect users of their applications from malicious scripts, iframes (clickjacking), etc. These are of course very good steps to take and can indeed be very effective if implemented properly. But in this post, I'd like to briefly discuss a slightly different approach to dealing with the malicious attackers that are attacking your websites, and how this approach can significantly assist in identifying attackers and in incident response actions. Leveraging a tool set called BeEF (Browser Exploitation Framework) in conjunction with a Web Application Firewall (WAF) such as ModSecurity, you can use BeEF to hook the malicious client browsers (not automated tools) that are attacking your websites, and provide much better information for incident response investigations. It allows you to take the fight back to the attackers of your websites.

What exactly is BeEF? As mentioned above, BeEF stands for Browser Exploitation Framework, and it is a penetration testing tool set (http://beefproject.com/) designed to test the exploitability of your web browser environment, and trust me when I say it does a great job of that!


I won't discuss BeEF's full attack capabilities here (you can check it out for yourself), but it is a very powerful tool to say the least. Instead of taking advantage of XSS vulnerabilities in your application as a pen-testing attack vector, you can leverage a WAF like ModSecurity not only to identify malicious clients of your application, but also to modify the HTTP response header sent back to malicious client requests and directly hook them using the BeEF JavaScript hook code. This will allow you to keep close tabs on the attackers of your website and monitor their every move. This is a much more effective tactic than trying to respond to incidents when all you have is an IP address (which I'm sure is not the real IP address, given that the attacker is tunneling their traffic through proxies or other intermediary systems). BeEF contains some powerful data harvesting capabilities and can harvest critical details from the attacker's web browser, such as the "true geographic location" of the attacker; some of the location enumeration modules (under the host folder) can be used to get the physical location, including GPS coordinates and street address details. You can even open up a dialog prompt to communicate with the hooked browser and ask why your site is being pwned. Pretty cool.

MH - "Madame Hack"