Abstract— Web Browser is a tool, which connects us to the Internet. In this time of age, the Internet has become a dependent factor for most of us. Therefore, it is very important for us to understand what a web browser is, the architecture, and threats that come when using it. This paper illustrates the theoretical side of what is a web browser, what are its components, how a browser can be a risk, and how to protect the user. Furthermore, the paper illustrates a lab that demonstrates how to exploit a web browser attack using BeEF.

Figures - uploaded by Samuel Agaga

Author content

All figure content in this area was uploaded by Samuel Agaga

Content may be subject to copyright.

Join for free

Abstract Web Browser is a tool, which connects us to the

Internet. In this time of age, Internet has become a dependent

factor for most of us. Therefore, it is very important for us to

understand what is web browser, the architecture, and threats

that come when using it. This paper illustrates the theoretical side

of what is web browser, what are its components, how a browser

can be a risk, and how to protect the user. Furthermore, the

paper illustrates a lab that demonstrates how to exploit a web

browser attack using BeEF.

I. INTRODUCTION

EB browser can be define in many ways. One common

definition of web browser is that it is a software

application that allows users to view and interact with the

content available in many forms on a web page, such as text,

image, music, video, games, etc. It is the most popular method

for users to access the Internet. There are many examples of

web browsers. The five most popular web browsers are

Mozilla Firefox, Google Chrome, Internet Explorer, Safari,

and Opera. Furthermore, add- ons are available as applications

to extend the functionality of such browsers. Few examples of

add-ons include Flash Player, Java, Adobe Reader, QuickTime

Player, etc. Depending on how the developers designed the

web page, specific add- ons are need to view specific content.

[1]

II. WEB BROWSER IN- DEPTH

The main function of a web browser is to present the web

resources a user requests. The browser requests the resources

from the server and displays it within the browser window.

The requested resource is usually an HTML document, but

could be an image, PDF, or any other form of content. The

user uses URL (Uniform Resource Identifier) to specify the

location of the resource. Additionally, HTML and CSS

specification defines the way a browser will interpret and

display the HTML files. Such specification are maintained by

the W3C (World Wide Web Consortium) organization. W3C

is a standard organization for the web. In the past, many

browsers followed a part of the specifications and developed

their own extensions specific to the browser. This caused

compatibility issues for web authors. Now most of the existing

browsers follow the common specifications. [2]

III. S IMILARITY AMONG WEB BROWSERS

Today, a user can choose from many types of browsers.

Each has few elements that are distinct from one another.

There is, however, one commonality among browser that is

their User Interface (UI) Elements. UI elements include

address bar for inserting a URL, back/forward buttons,

bookmarking options, refresh and stop buttons for refreshing

or stopping the web page, and home button that takes the user

to the home page. The HTML5 specification used today does

not define UI elements, but include common elements, such as

address bar, status bar, and tool bar. [2]

IV. WEB BROWSER COMPONENTS

There are seven main components of web browser. The

components include user interface, browser engine, rendering

engine, networking, UI backend, JavaScript interpreter, and

data storage. [2]

1. User Interface: includes every part of the browser

display, such as the address bar, back/forward button,

bookmarking menu, etc., except the window where

the user see the requested page.

2. Browser Engine: organizes actions between the UI and

the rendering engine.

3. Rendering Engine: accountable for displaying

requested content. When a user request HTML

content, the rendering engine analyses HTML and

CSS files, and displays the analyzed content on the

screen.

4. Networking: includes network calls such as HTTP

requests.

5. UI Backend: it is used for drawing basic widgets like

combo boxes and windows. The backend exposes a

generic interface that is not platform specific.

Underneath it all uses operating system user interface

approaches.

6. JavaScript Interpreter: it is used to analyze and execute

JavaScript code.

7. Data Storage: It is a persistence layer. The browser

needs this component to save data locally, such as

cookies. Additionally, browser supports storage

mechanisms such as localStorage, IndexedDB,

WebSQL, and FileSystem.

The following image illustrates how each of the component

interact within the system.

Web Browser Attack Using BeEF Framework

Harshil Sawant, Samuel Agaga

Figure 1: Web Browser Components [2]

V. WEB BROWSER RISK

According to the past studies, about 45% of people roaming

the Internet are not utilizing the most secure version of their

web browser. Similar to many software, without the proper

security patches, web browsers are vulnerable to attack or

exploit. Furthermore, even a fully patched web browser can be

vulnerable to attack if the browser add-ons are not fully

patched. Remember, when the user patches the browser, the

add-ons are not automatically patched. [1]

Usually, browser-based attacks originated from malicious

websites. However, poor security programming of web

applications or vulnerabilities in the software supporting

websites, let attackers to compromise trusted web sites to

deliver malicious payloads to unsuspecting visitors. Hackers

would add scripts that do not change a vulnerable website's

appearance. These scripts can silently redirect the user to

another website without him/her knowing about it. This

redirect to another web site may cause malicious programs to

be downloaded to your computer. Such programs are generally

designed to allow remote control of the user's computer by the

attacker and to capture personal information, such as credit

card information, banking information, etc. [1]

VI. PROTECT USER FROM BROWSER RISK

The following are few of many practices a user must enforce

to avoid unwanted browser risk. [1]

Keep your browser(s) updated and patched.

Keep your operating system updated and patched.

Use anti -virus and antispyware software, and keep

them updated.

Keep your applications, such as multi-media programs

used for viewing videos, updated and patched,

particularly if they work with your browser.

Make sure your computer's firewall is on.

Block pop -up windows, some of which may be

malicious and hide attacks. This may block malicious

software from being downloaded to your computer.

Tighten the security settings on your browsers. Check

the settings in the security, privacy, and content

sections in your browser. The minimum level should

be medium.

Consider disabling JavaScript, Java, and ActiveX

controls.

It is important to note that number of these tips may limit

the users from access few of the browser's content. For

example, JavaScript is used to control web pages on the client

side of the browser, server-side programs, and even mobile

applications. If you need to use JavaScript, set your browser to

prompt you before running scripts. Lower your security

settings temporarily to have proper access, and then reset

them. [1]

VII. WHAT IS BEEF?

BeEF is short for The Browser Exploitation Framework. It

is a penetration testing tool that focuses on exploit of web

browser vulnerabilities. BeEF is a browser-based exploit

package that "hooks" one or more browsers as beachheads, so

the attacker can launch directed command modules and further

attacks against the system from within the browser context. A

user can be hooked by opening a customized URL and

continue to see typical web traffic, while an attacker has access

to the user's session. BeEF evades network security appliances

and host-based anti-virus applications by targeting the

vulnerabilities found in common browsers. [4] BeEF also

allows the professional penetration tester to assess the actual

security posture of a target environment by using client-side

attack vectors. Unlike other security frameworks, BeEF looks

past the hardened network perimeter and client system, and

examines exploitability within the context of the one open

door: the web browser. [3]

VIII. LAB

The following experiment illustrates steps we followed to

show how to execute a successful web browser attack using

BeEF and how important it is to have an updated antivirus

running for your computer to detect web browser attack using

BeEF framework.

ATTACK

Set up victim VM and attacker VM. Make sure the network

adapter for both VMs is set to Bridged Adapter.

Figure 2: VMs [9]

The highlighted VM are used for the experiment. The exploit

was carried out on the Kali Linux while the CentOS 7 was the

victimized OS.

Figure 3 : Victim's Machine CentOS 7 [8]

Figure 4: Attacker's Machine Latest Kali Linux [7]

Above is the login page of Kali Linux. Note that we had

created the login details during installation of the operating

system.

Figure 5: Beef Directory

Use Terminal in Kali Linux to run the beef framework, the

attacker will have to login into the Kali Linux and then

navigate to the "beef-xss" directory and run the "beef" script

as shown above.

Figure 6: Running Beef

As can be seen from the above screenshot, beef has been

successfully launched. Use the highlighted URL to open BeEF

login page in the attacker browser.

Figure 7: BeEF Login Page

Once BeEF has been launched, the next thing will be to login

into the UI as seen above. The username and password is

"beef".

Figure 8: BeEF Home Page

The above image is the BeEF home page with two highlighted

links. Any one of the link can be used to hook the victim's

browser. Make sure to replace the IP address of the link from

127.0.0.1 to your attacker's IP address (in this case

192.168.2.171). You can find you attacker's IP address from

the terminal using "ifconfig" command. Just for curiosity, the

following image is one of link called "advanced version" of

the html page when opened in the victim's VM.

Figure 9 : Malicious Link Page

At this point, from the attacker side, you can mask the

malicious link using tools such as bitly.com, before baiting

your victim to click on your malicious link using social

engineering.

Figure 10: Bitly.com

Suppose you are successful on bating your victim to click on

you link using email or other social engineering method. The

victim's system will be "hooked" as illustrated by the

following image. For this experiment, open the advanced

version link in the victim's VM to show that social engineering

is successful.

Figure 11: Browser Hooked

As can be seen in the above screenshot, the browser running

on the victim's machine with IP address 192.168.2.174 has

been hooked. The above image is shown in the attacker's VM.

Figure 12 : Social Engineering Attack

In this attack, we exploited the victim machine by means of

social engineering as can been seen above. Under commands

tab, go to social engineering to test the same attack we tested.

Figure 13 : Selecting Attack

We are running the "Pretty Theft exploit". In Fig. 13 above, on

the right is where we enter the information of the attacker's

machine running the beef service. Make sure to replace the

default IP address in the custom logo with the attacker's VM

IP address (in this case 192.168.2.171) before executing .

Figure 14: Launching the Attack

To run the attack, we simply just click on execute as show in

Fig. 14 above.

Figure 15: Fake Facebook Logi n

Once we have clicked execute, the Face Facebook

authentication screen will be displaced on the victim's

machine as seen in Fig. 15 above.

Figure 16: Login Details Captured

Looking at the heighted portion on the right of the screenshot

in Fig. 16 indicates our captured login details of the victim's

username and password for Facebook.

Note. It would feel more authentic for the victim if the attacker

execute his attack at the right time, for example, when the

victim is on Facebook login page.

Defense

Figure 17: Defense by Symantec Antivirus

One of the ways to defend this attached is by having an up to

date antivirus program running on your computer. In the

screenshot above, when we tried this exploit against a machine

running Symantec antivirus, we actually got a warning stating

that there was BeEF framework attack as can be seen in the

screenshot in Fig. 17. So test the same process, but turn on

your Symantec antivirus.

Figure 18 : Disabling Symantec Antivirus

However, attack was successful after we disabled the antirust

program as shown above.

Figure 19: Successful Login after Disabling Antivirus

After the antivirus program was disabled, the victim's machine

got "hooked" see Fig. 18 above.

IX. FUTURE WORK

In an article, it is proposed that after several successful

attempts to steal credit card information or banking

passwords, many companies are trying to step towards

cloud-based browsers, a Java-free browser. A cloud-based

browser store no data from each session and prevent any

malware from networking w ith the user's computer. One

such product is Authentic8's Silo. A separate browser that

executes only after entering a password. It then executes on

the cloud and calls up a list of links the user has previously

entered, and can store passwords for those sites. All code

executes on their remote servers, providing security against

malware and privacy against tracking. [5]

X. CONCLUSION

In conclusion, we now know how threating it is for everyone

to surf the web without using proper security practices. From

the experiment, we have learned that web browser attack is a

broad topic. Malicious users can execute all sort of attacks

from XSS to Buffer Overflow if the user is not updating his

system regularly. BeEF is a simple penetration-testing tool that

can be used by anyone to test some attacks or hack someone's

system, so it is necessary for everyone to keep up with the

updates and patches.

REFERENCES

[1] "Web Browser Attack," Pvamus, Mar-2009. [Online]. Available:

https://www.pvamu.edu/Include/ITS/Vol3Issue2.pdf. [Accessed: 15 -Jul-

2017].

[2] T. Garsiel and P. Irish, "How Browsers Work: Behind the scenes of

modern web browsers," html5rocks , 05-Aug- 2011. [Online]. Available:

https://www.html5rocks.com/en/tutorials/internals/howbrowserswork/.

[Accessed: 15-Jul-2017].

[3] "BeEF - The Browser Exploitation Framework Project," BeEF - The

Browser Exploitation Framework Project. [Online]. Available:

http://beefproject.com/. [Accessed: 15-Jul-2017].

[4] J. Muniz and A. Lakhani, "Web Penetration Testing with Kali

Linux," Google Books. [Online]. Available:

https://books.google.ca/books?id=4fD7AAAAQBAJ&pg=PT5&lpg=PT

5&dq=countermeasure%2Bagainst%2Bbeef%2Bkali%2Blinux&source

=bl&ots=qxPZaai-

Ff&sig=lyfWjc9AMfDcvjfLos9VpjVhRsA&hl=en&sa=X&ved=0ahUK

EwihqdH98LzVAhWHz4MKHRwoDAAQ6AEIPzAE#v=snippet&q=be

ef&f=false. [Accessed: 15-Jul-2017].

[5] A. Tanner, "Why Cloud Browsers Are The Wave Of The

Future," Forbes , 10- Mar-2014. [Online]. Available:

https://www.forbes.com/sites/adamtanner/2014/03/10/why -cloud-

browsers-are-the-wave-of-the-future/#150af5b9305a. [Accessed: 15-Jul-

2017].

[6] "Hack Like a Pro: How to Hack Web Browsers with

BeEF," WonderHowTo, 02- Feb-2015. [Online]. Available: https://null-

byte.wonderhowto.com/how-to/hack-like-pro-hack-web-browsers-with-

beef-0159961/. [Accessed: 15-Jul- 2017].

[7] "Our Most Advanced Penetration Testing Distribution, Ever.," Kali

Linux. [Online]. Available: https://www.kali.org/. [Accessed: 15-Jul-

2017].

[8] "The CentOS Project," CentOS Project . [Online]. Available:

https://www.centos.org/. [Accessed: 15-Jul-2017].

[9] "Oracle VM VirtualBox - Downloads | Oracle Technology Network |

Oracle," Oracle VM VirtualBox - Downloads | Oracle Technology

Network | Oracle. [Online]. Available:

http://www.oracle.com/technetwork/server-

storage/virtualbox/downloads/index.html. [Accessed: 15-Jul- 2017].

... -BitM client-side: in this case the attacker may insert malicious JavaScript code or web-based malware [32] in the web page served to the victim (the end user). By such an approach, for example, an attack might be arranged along the lines of the Man-in-the-Browser (MitB) attack described in the "Related Work" section: the victim might be lead to download all kinds of malware to be installed in the web browser or, more simply, to deceptively use a Browser Exploitation Framework (BeeF) [33,34]. In practice all kinds of client-side attacks might be implemented. ...

Man-in-the-Middle (MitM), one of the best known attacks in the world of computer security, is among the greatest concerns for professionals in the field. Main goal of MitM is to compromise confidentiality, integrity and availability of data flowing between source and destination. However, most of its many variants involve difficulties that make it not always possible. The present paper aims at modelling and describing a new method of attack, named Browser-in-the-Middle (BitM) which, despite the similarities with MitM in the way it controls the data flow between a client and the service it accesses, bypasses some of MitM's typical shortcomings. It could be started by phishing techniques and in some cases coupled to the well-known Man-in-the-Browser (MitB) attack. It will be seen how BitM expands the range of the possible attacker's actions, at the same time making them easier to implement. Among its features, the absence of the need to install malware of any kind on the victim's machine and the total control it allows the attacker are to be emphasized.

Web Browser Attack Available: https://www

"Web Browser Attack," Pvamus, Mar-2009. [Online]. Available: https://www.pvamu.edu/Include/ITS/Vol3Issue2.pdf. [Accessed: 15-Jul2017].

How Browsers Work: Behind the scenes of modern web browsers

  • T Garsiel
  • P Irish

T. Garsiel and P. Irish, "How Browsers Work: Behind the scenes of modern web browsers," html5rocks, 05-Aug-2011. [Online]. Available: https://www.html5rocks.com/en/tutorials/internals/howbrowserswork/. [Accessed: 15-Jul-2017].

books?id=4fD7AAAAQBAJ&pg=PT5&lpg=PT 5&dq=countermeasure%2Bagainst%2Bbeef%2Bkali%2Blinux&source =bl&ots=qxPZaai-Ff&sig=lyfWjc9AMfDcvjfLos9VpjVhRsA&hl=en&sa=X&ved=0ahUK EwihqdH98LzVAhWHz4MKHRwoDAAQ6AEIPzAE#v=snippet&q=be ef&f=false

  • J Muniz
  • A Lakhani

J. Muniz and A. Lakhani, "Web Penetration Testing with Kali Linux," Google Books. [Online]. Available: https://books.google.ca/books?id=4fD7AAAAQBAJ&pg=PT5&lpg=PT 5&dq=countermeasure%2Bagainst%2Bbeef%2Bkali%2Blinux&source =bl&ots=qxPZaai-Ff&sig=lyfWjc9AMfDcvjfLos9VpjVhRsA&hl=en&sa=X&ved=0ahUK EwihqdH98LzVAhWHz4MKHRwoDAAQ6AEIPzAE#v=snippet&q=be ef&f=false. [Accessed: 15-Jul-2017].

Why Cloud Browsers Are The Wave Of The Future

  • A Tanner

A. Tanner, "Why Cloud Browsers Are The Wave Of The Future," Forbes, 10-Mar-2014. [Online]. Available: https://www.forbes.com/sites/adamtanner/2014/03/10/why-cloudbrowsers-are-the-wave-of-the-future/#150af5b9305a. [Accessed: 15-Jul-2017].

CentOS Project Available: https://www.centos.org/. [Accessed: 15

  • Centos The
  • Project

The CentOS Project," CentOS Project. [Online]. Available: https://www.centos.org/. [Accessed: 15-Jul-2017].

Oracle Technology Network | Oracle Oracle VM VirtualBox-Downloads | Oracle Technology Network | Oracle

  • Vm Oracle
  • Virtualbox-Downloads

Oracle VM VirtualBox-Downloads | Oracle Technology Network | Oracle," Oracle VM VirtualBox-Downloads | Oracle Technology Network | Oracle. [Online]. Available: http://www.oracle.com/technetwork/serverstorage/virtualbox/downloads/index.html. [Accessed: 15-Jul-2017].