A browser-in-the-browser attack is an exploit that involves an attacker using a malicious browser to gain access to a target system. This type of attack is typically used to bypass security measures, such as authentication and authorization, by using a malicious browser to gain access to protected resources.
The attacker will typically create a malicious browser window or use an existing browser window, to access the target system. The malicious browser will then send malicious commands to the target system, such as scripts or code. The malicious code can then be used to gain access to protected resources on the target system.
In this guide, I will be demonstrating how an attacker can easily deploy a browser-in-the-browser attack.
- A PC running Kali Linux( You can run kali in the VirtualBox using this guide).
- Target device.
The Browser-in-the-Browser framework
BITB framework is a framework comprised of login pages of popular websites cloned and used to trick a user into providing credentials. When using Browser in the Browser framework, you can modify the landing page by adding custom CSS and HTML on the main.html file.
To use the framework, we first need to download it from the official GitHub repository using the command below.
git clone https://github.com/surya-dev-singh/BITB-framwork.git
Once the download is complete, we can navigate into the directory to create a virtual Python environment for the project.
cd BITB-framework virtualenv env source env/bin/activate
And we finally install the required packages for the Browser in the Browser framework to run.
pip install -r requirements.txt
Before running the framework, you have to make sure you have PHP installed. Finally, we run the framework.
As shown in the image above, we have to choose the website that we want credentials for. For this guide, we will use Netflix which is number 5. The next step is to select the phishing method. In a more advanced browser-in-the-browser attack, we can use a tool such as ngrok to make the phishing website available over the internet. In our case, we choose to use localhost as shown in the image below.
We can be able to access the phishing page via the address http://0.0.0.0:8080 as shown in the above image. On the browser, we navigate to the address. We have a login page as shown in the below image.
If a user tries to log in, another tab will pop up requiring the user to provide login credentials for Netflix as shown in the image below.
After the user has provided his/her Netflix login credentials, he/she will be redirected to another webpage but this time the webpage is a legitimate one. Redirecting the user to a legitimate website is used to make the attack less suspicious to suspecting victims. On the attacker’s side, he has already received the login credential as shown in the image below.
All the credentials can also be found in the sites/userpass/usernames.txt file.
In a more advanced case of the browser-in-the-browser attack, a bad actor may redesign the landing page to reflect the current login page of a website he/she wants to get credentials for.
Protection against browser-in-the-browser attack
To counter browser-in-the-browser attacks, we can use an extension that automatically detects this kind of attack. Enhanced iFrame Protection (EIP) which is a lightweight extension to automatically detect and provide verbose warnings for embedded iframe elements in order to protect against browser-in-the-browser attacks. This extension is available for Chrome, Microsoft Edge, and Firefox web browsers. In the image below, we tried to open a phishing link on a browser having the extension installed.
As shown in the image above, we tried to open a phishing link for the browser-in-the-browser attack using a browser with a phishing protection extension installed. Immediately after the link is loaded, we have a popup warning notifying the victim that the page looks suspicious.
In order to protect against browser-in-the-browser attacks, it is important to ensure that all browsers are kept up to date with the latest security patches and that all web applications are regularly tested for vulnerabilities. It is also important to ensure that all web applications are configured securely, with the appropriate access control measures in place.
It is also important to ensure that all web browsers are configured to use secure protocols, such as HTTPS, in order to minimize the risk of man-in-the-middle attacks. It is also important to be aware of the type of content that is being accessed from the target system, as some types of content may be more vulnerable.