Headless Browser Hide and Seek presented at AppSecUSA 2014

by Sergey Shekyan, Bei Zhang

Summary: Headless browsers have quietly become indispensable tools for security teams, researchers, and attackers focusing on web applications. Tools like PhantomJS enable anyone to interact with highly dynamic websites to find vulnerabilities, performance bottlenecks, and even automate attacks.
This presentation will dive into the offensive use of these tools, and how to counteract them in practice. This will include techniques used by attackers to find vulnerabilities in websites, and how security teams can use these same techniques in their own daily security practice.
With this base established, we will delve into an extended analysis of techniques that malicious browsers use to impersonate real end-users, and the countermeasures security teams can use to expose them. We will provide examples of how to collect threat forensics and attacker attribution data when malicious browsers are detected on your site. Lastly, we will review vulnerabilities in headless browsers themselves and provide recommendations to ensure that your tools aren't turned against you.
Introduction to Headless Browsers
- What it is and how it works
- Legitimate uses and how you can benefit
- Malicious Use of PhantomJS
- Impersonate a legitimate browser
- Fuzzing a web application
- Find performance bottlenecks
Exploiting the Exploiter
- How attackers attempt to hide
- How to expose them on your site
- Additional evasion techniques and countermeasures
- Example of attacking with PhantomJS with subsequent detection
- Arbitrary code execution on up-to-date remote PhantomJS
- Various ways of abusing remote PhantomJS
Counter-attacking and Attribution
- How to turn a headless browser against the attacker
- Vulnerabilities in PhantomJS
- Best practices for using headless browsers safely
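The "impersonate a legitimate browser" and "how to expose them on your site" points above boil down to one defender's idea: a spoofed User-Agent string is cheap, but the JavaScript environment PhantomJS actually provides is hard to fake. The snippet below is an added illustration, not code from the talk; `detectHeadless` is a hypothetical helper that takes a window-like object so it can be exercised offline with constructed stand-ins, and the browser-like objects in the test are constructed, not captured.

```javascript
// Added example: client-side heuristics that expose a PhantomJS session
// even when it spoofs its User-Agent. Pass the real `window` in a browser,
// or a constructed window-like object for offline testing.
const PHANTOM_GLOBALS = ['_phantom', 'callPhantom']; // bridge objects PhantomJS injects

function detectHeadless(win) {
  const signals = [];
  const nav = win.navigator || {};
  const ua = String(nav.userAgent || '');

  // 1. An unmodified PhantomJS advertises itself in the User-Agent.
  if (/PhantomJS/i.test(ua)) signals.push('ua:phantomjs');

  // 2. PhantomJS injects its bridge objects into every page, whatever the
  //    UA claims. Their presence is a strong signal on its own.
  for (const name of PHANTOM_GLOBALS) {
    if (name in win) signals.push('global:' + name);
  }

  // 3. PhantomJS 1.x (old QtWebKit) lacks Function.prototype.bind, which
  //    every modern browser it might claim to be does implement.
  const F = win.Function;
  if (!F || typeof F.prototype.bind !== 'function') {
    signals.push('missing:Function.prototype.bind');
  }

  // 4. Cross-check the claimed engine against the real environment: a UA
  //    that says "Chrome" should come with the window.chrome object.
  if (/Chrome\//.test(ua) && !('chrome' in win)) {
    signals.push('ua-mismatch:chrome-without-window.chrome');
  }

  // Any hit is enough to flag the session for logging or a challenge;
  // the list of signals is what you keep for forensics and attribution.
  return { headless: signals.length > 0, signals };
}
```

On a live page the result would be reported back to the server alongside the request metadata, so the spoofed UA and the contradicting signals are recorded together.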