MITB - Man in the Browser

Steiner, Alexander Josef and von Känel, Sacha (2021) MITB - Man in the Browser. Other thesis, OST Ostschweizer Fachhochschule.

Full text not available from this repository.

Abstract

Introduction
As security measures in web technologies improve, hackers responded with a highly specialized "Man in the Browser" attack. An attacker may intercept and modify e-business transactions or use the victim's application on behalf of the victim's by infecting the victim browser with such malware. TLS/SSL does not protect, as the malware intercepts prior to network encryption.

The "Man in the Browser" attack is hardly detectable by web application firewalls. There is no distinguishing characteristic between the intruder and the victim, as the IP address or browser UserAgent, since the malware runs on the victim's computer.

A fully working prototype of an E-Banking "Man in the Browser" attack was developed to raise awareness and elaborate future defence strategies.

Approach
In the first stage of the project, the team analyzed different techniques to hook and remotely control the victim browser. As the malware must not require local admin privileges, the team decided to implement a Google Chrome Extension. The installation of the malware is not part of the project. Second, several open-source C2 Frameworks (Command & Control Frameworks) were analyzed, and Mythics has been chosen for this work. The combination of the Google Chrome Extension, remotely controlled by Mythics C2 framework was then tested against two E-banking systems. Furthermore, the report outlines essential defence strategies and mitigation techniques against this kind of attack.

Result
As a result of this project, a Google Chrome Extension, named Areion, was developed. Areion is a remote-controlled application supporting the C2 framework Mythic. It is fully extendable and allows users to add modules for specific websites dynamically. Two e-banking modules were developed, and Areion was extensively tested against these websites as part of the project. From the knowledge gained, the team created security measures to protect one's websites against this form of attack. The results will be showcased at the two banks, and our knowledge hopefully will improve the overall security of their e-banking system.

Item Type: Thesis (Other)
Subjects: Topics > Software > Testing and Simulation > Unit-Testing
Area of Application > Banking & Finance
Area of Application > Web based
Area of Application > Security
Technologies > Programming Languages > Python
Technologies > Programming Languages > Java Script
Technologies > Databases > PostgreSQL
Technologies > Web > HTML5
Technologies > Web > CSS2/CSS3
Divisions: Bachelor of Science FHO in Informatik > Bachelor Thesis
Depositing User: HSR Deposit User
Contributors:
Contribution
Name
Email
Thesis advisor
Bütler, Ivan
UNSPECIFIED
Date Deposited: 19 Mar 2021 09:44
Last Modified: 19 Mar 2021 09:44
URI: https://eprints.ost.ch/id/eprint/903

Actions (login required)

View Item
View Item