Man-In-The-Browser DOM Inspector


Man-In-The-Browser (MITB) is a form of Internet threat related to Man-in-the-Middle (MITM). It is a trojan that infects a web browser and has the ability to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion, invisible to both the user and the host application. A MITB attack will succeed irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. Naturally, detecting and defeating MITB can be a cumbersome task.

We at RedTeam have been working on some research code (using Javascript) to detect and handle MITB. MITB attacks seen in Silentbanker and ZeuS botnet trojans often inject rogue HTML tags in pages to fool users into entering information that otherwise would not be asked. An example of this would be the injection of a rogue input tag that asks the user for his/her Social Security Number on a web page that they trust, such as an online banking site.

How does it work?
1). User visits page protected by the Inspector
2). The DOM is walked (JS) and hashed (MD5)
3). User DOM is compared with server side MD5 hash
4). If hashes match, display page
5). If hashes do not match, there has been tampering, display error

Here is a short video demonstration



>> Download Proof-of-Concept code here <<

The code is very much in the research phase. We encourage you to expand greatly on the principles here to help secure your website. Remember, Javascript is required! Therefore, the principles here are probably not suitable for publicly available sites.

To-Do
Again, this is just a simple proof-of-concept. There is much to be done before these principles are put into production. Here is a list of some recommendations that still need to be addressed:

* Javascript obfuscation
* Dynamically hash the DOM on the server side
* Gracefully fallback where users do not have JS enabled







File attachment 1: Download here






DISCLAIMER
The content, tools, methodologies and proof of concept code contained in these articles are in no way intended to be used for malicious intent. This information is to be used for educational purposes only. RedTeam Security does not condone the malicious use nor does it warranty the use of any of the content contained herein.


Contact Us

Phone number:
1-612-234-7848

E-mail:

info@redteamsecure.com