Taking over control of a user's browser

People often ask me whether simply opening a malicious website can affect their computer, whether simply clicking on a link can infiltrate and take over their computer. My answer is "yes". And in this article I will explain how this is possible and describe ways to effectively defend yourself. I'll try to give you a simple overview of the process of an attack on a user's web browser, without too much technical detail. For demonstration purposes, I have created a virtual lab where the target browsers will be Microsoft Edge, Mozilla Firefox and Google Chrome running on Microsoft Windows 10. It is important to emphasize that on the target computer running MS Windows 10, all browsers had the latest updates installed and the system contained antivirus protection enabled using Windows Defender. No other antivirus guard was installed on the system.

How does such an attack work?

I used the BeEF framework - Browser Exploitation Framework to simulate the attack on the web browser. BeEF provides a library of functions that allow commands to be sent remotely to a victim's web browser using the JavaScript programming language. The server on which BeEF is installed pretends to be an ordinary web server that provides libraries of JavaScript functions. Developers often use third-party JavaScript libraries to save themselves the trouble of programming. Using a third-party library can provide them with various features that will enhance the appeal of their site, such as various animation features. However, they rarely examine the content of the entire library they choose to use. This is why this attack is so dangerous. This is where the magic of the entire BeEF framework comes in. All you have to do is create any web page and add one line of code to it with the sole purpose of providing a connection back to the C2 server. A C2 server, or command & control, is a computer that can send commands to computers connected to it. The following diagram shows the flow of this attack.

web browser flow attack diagram

Now let's assume that we have created a C2 server and we have successfully run the BeEF software on it. We have also managed to create a website and import the library that handles the connection to the C2 server. Everything is ready and now we just need to get the victim to open the website. For this purpose we can use, for example, social engineering techniques. Phishing emails, phishing scams and others can certainly be used. Various social engineering techniques have been discussed in this article.

For demonstration purposes, I have created a very simple web page that informs the user that there is nothing for him to find on this site. However, if the user were to look at the source code, they would see that a JavaScript library called jQuery.js is imported into the page. The official jQuery library offers developers the ability to easily manipulate elements of a web page to make its content attractive to users. A fake library with this name can thus hold less suspicion.

After the victim opens the fraudulent site and the connection to the C2 server is successfully established, the connected victims can be seen in the sidebar of the BeEF web interface. Thus, in the Online Browsers category, the connected victims, their browser and IP address can be seen. I will keep all IP addresses and domain names obscured in this article.

At this point, the attacker only needs to select a specific victim and execute a command from the framework library. The BeEF framework contains scripts that can be used to trigger various pop-ups on the victim's computer, take a webcam snapshot, or take a screenshot of the system. The following figure shows how easy it is to select a specific command and execute it.

For a concrete demonstration of the use of the BeEF framework, I chose the case of triggering a message in the user's browser. I chose the appropriate command from the command library, filled in the text to be displayed to the user and executed it.

The moment I launched the attack with the Execute button, the following window appeared on the target computer in Microsoft Edge.

PopUp window in Microsoft Edge

eng: You've just been hacked

The success of this sample attack proves that the attacker is able to remotely execute JavaScript code on the victim's computer.  I repeated the same procedure for Mozilla Firefox and Google Chrome and achieved the same result.

PopUp window in Microsoft Edge

Pop Up window in Google Chrome

It is likely that the attacks described above would not work if the user had a good antivirus program installed on their computer or if the company had a properly configured web application firewall. The BeEF framework is a well-known tool in the cybersecurity industry, which is mainly used to demonstrate attacks on web browsers. But precisely because it is an open source tool, it can be customized and used for much more sophisticated attacks. With this article, I wanted to demonstrate that even simply opening a web page can have a significant negative impact.

Users can avoid these attacks by following simple principles of safe web surfing. This means being cautious and avoiding mindlessly opening emails or visiting unfamiliar sites. It is very important to regularly install web browser security updates. The only complete defence against this type of attack is to disable JavaScript support in the browser, but this can result in most websites being unusable. There are also several browser add-ons that can easily identify this attack. For example, No-Script Suite Lite can be used for Google Chrome and Mozilla Firefox. In a corporate environment, deploying a web application firewall is also recommended.