Browser security tutorial
Depending on the browser used, there are common settings for different actions and settings specific to each browser.
Chrome, like other browsers, has settings for the home page, font size, page zoom and the search engine used.
Within the advanced settings we can set the browser's security level (protection against dangerous sites), manage the settings for secure HTTPS connections and SSL certificates,
and set the deletion of the data collected by the browser (browsing history, cookies, cache, and more).
It's good to set the security settings to the highest level.
In its settings menu, the Firefox browser contains local settings and controls access to associated hardware devices (webcam, microphone).
It also has other settings for the security of our web browsing.
The Edge browser (from Windows 10) has also increased its security settings.
You can block pop-ups and add-ons, save passwords, and set access to geolocation.
You can also manage cookies and other browsing session data.
In conclusion, regardless of the browser used, for our security we have to consider a few elements:
- keep the browser up-to-date.
- enable its automatic updates.
- block pop-ups, plug-ins and insecure sites.
- use appropriate cookie settings.
- use a serious, up-to-date antivirus.
However, no matter how we protect our browser settings, it is not enough. The most important thing is not to click on any button or link, either in the email, the web page or the social networks, unless we are sure what will happen.
Cross-site scripting (XSS) vulnerabilities refer precisely to the execution of a malicious script in the client's browser, through which the attacker gains access to the client's browser: passwords, browsing history, cookies, or commands to the webcam, the microphone, the displayed page and the alert messages shown to the attacked client.
We will illustrate one type of attack that uses the XSS browser vulnerability, with the BeEF application on Linux.
Pay attention! Do not use this app against real victims. The BeEF tool was designed to test the vulnerabilities of our own local network in order to protect us from external attacks.
BeEF is a testing tool for web browser security.
Kali Linux has it preinstalled.
On another Linux distribution, we install BeEF with the command:
#apt-get install beef-xss
We start the application with the BeEF icon, which will open the Terminal:
Note that in order to access the victim's browser, that browser will have to run the script:
The victim can be any user who accesses the attacker's website, which contains in its <head> section the instruction:
Once the victim clicks the sent link, the hook.js script runs in their browser and the attacker's browser takes control of the victim's browser (the victim's browser is "hooked").
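The hook works only because the victim's page is allowed to load a script from the attacker's host. A site owner can find such an injected <script src> and block it with a Content-Security-Policy script-src allowlist. The following is an added example, not part of the original tutorial or of BeEF: it collects script sources from a page and reports the ones a given script-src policy would refuse to load. The sample HTML, the page origin www.example.com and the address 192.0.2.10 are constructed placeholders.

```python
"""Flag <script src> tags whose origin is not permitted by a CSP script-src
allowlist, e.g. a hook.js injected from a foreign host."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Gather the src attribute of every <script> tag in the document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_allowed(src, page_origin, allowed_sources):
    """True if `src` would be permitted by the script-src sources given.
    Models 'self' and plain scheme://host sources; wildcards, nonces and
    hashes are not handled (assumption of this example)."""
    parsed = urlparse(src, scheme=urlparse(page_origin).scheme)
    if not parsed.netloc:  # a relative URL resolves to the page's own origin
        origin = page_origin
    else:  # absolute or scheme-relative (//host/path) URL
        origin = f"{parsed.scheme}://{parsed.netloc}"
    for source in allowed_sources:
        if source == "'self'" and origin == page_origin:
            return True
        if source.startswith("http") and origin == source.rstrip("/"):
            return True
    return False


def find_blocked_scripts(html, page_origin, script_src):
    """Return the script URLs that the script-src policy would block."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = script_src.split()
    return [s for s in collector.srcs if not script_allowed(s, page_origin, allowed)]


# Constructed sample page: one legitimate script and one injected hook script
# loaded from a placeholder foreign address (192.0.2.0/24 is reserved for docs).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="http://192.0.2.10/hook.js"></script>
</head><body>demo</body></html>"""

if __name__ == "__main__":
    print(find_blocked_scripts(SAMPLE_HTML, "http://www.example.com", "'self'"))
```

With script-src 'self' only the site's own /static/app.js survives; the injected hook.js is reported as blocked.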
To make a demonstration in the local network (without attacking any victim), the BeEF application has a demo page, which we visit at:
and which looks like this:
Click on one of the two buttons on the left and the hook.js script will be executed.
Now the attacker types in the browser:
which opens the login window:
We type "beef" as both the user name and the password and log in to the application.
Click on Online Browsers and we have access to the victim's browser.
In addition to information about the browser, network, operating system and peripherals, there is the Commands menu, from which we can send commands to the victim's browser.
You can request that the webcam and microphone be turned on in the victim's PC.
You can start an audio file or a video on the victim's PC.
Social networking data can be obtained if it is saved in the browser on the victim's PC.
An Administrator account can be created on the victim's router.
Even worse, the attacker has access to cookies and a variety of other browser-enabled information that allows the victim's sites and accounts to be accessed on behalf of the attacker.
It is true that after the attacker sends the command the victim has to give an acceptance (that is, a click), but this is not an obstacle, because the text shown to the victim is customizable and may appear as an application update, a warning message or an advertisement.
Visit my website: https://www.jwebsaints.com