HTTP Penetration Suite
Attacks from browsers are increasing in sophistication, and researchers are focusing more resources on this area. Recently, a JavaScript port scanner was published that was based on a SPI Dynamics paper. The scanner is entirely encapsulated within the web browser.
It doesn’t take an Einstein to start linking web application attack vectors. In the “Inter-browser Communication” (IBC) blog I illustrated one basic method to maintain indirect real-time control over a browser (including data transfer). Using IBC it is possible to load tools (in real time) such as a port scanner to the controlled browser and retrieve the results. Following this logic, an entire HTTP Suite can be developed to attack internal networks using the browser as an unsuspecting proxy. Not to mention the extra dimensions that XSS viruses add.
