Browser Hijacking presented at DeepSec 2007

by Daniel Fabian

Summary: Current XSS attacks make use of the document object model to steal session credentials from unsuspecting users, allowing the attacker to impersonate his victim. Well-known attacks also include relogin trojans or keyloggers. These attacks work well in some environments, but are not really suited for complex applications such as online banking systems, where individual TAN codes are needed to complete a transaction. This talk introduces Trabbler, the first highly versatile “cross site scripting Trojan”. Once injected via XSS, Trabbler takes control over the victim's current session, allowing the attacker to watch and manipulate its actions on the vulnerable website. During the hijacking attack, instances of Trabbler communicate with a central control server, which gives it botnet-like capabilities. Trabbler's design is modular, meaning custom script-modules can be downloaded to the infected browser. This makes it useful for very specific attacks, e.g. manipulating a transaction during execution. Other modules include a keylogger and a browser camera, which allows the attacker to watch his victim's actions in real time. In the talk, we will discuss Trabbler's architecture and code and give practical examples of its application.