BITB (Browser in the Browser) Attack

Surya Dev Singh
Published in InfoSec Write-ups
Apr 14, 2022

Make phishing nearly undetectable using the BITB attack!!

✅ What is the BITB attack?

The BITB (browser in the browser) attack is an advanced, more sophisticated phishing attack that can trick users into believing a fake website is real.

It works by making users believe a fake SSO window is real.

Not clear? OK, have you ever logged in to Canva? You get a window similar to this:

The new SSO window allows you to authenticate with Google.

▶️ What is SSO login?

SSO (single sign-on) is an authentication mechanism that lets you sign in once and then access all the resources without entering your username and password again and again. For example, once you log in with your Google account you can access YouTube, Drive, Gmail and other Google products; this is called SSO login.

In the image above, you can see that we got a new pop-up window that belongs to Google. If we look at the URL, it is SSL protected and uses HTTPS; there is also no IDN homograph attack, it's a proper Google domain.

Now the trick: that pop-up is a completely independent window, but a developer can create the same window using the <iframe> tag in HTML and make it more believable as an independent SSO window by using the right CSS and JS. In actuality, it would be just a window inside a window, not an independent window!!

Take a look at this image by mr.d0x.

Both look the same: the same domain, the same SSL padlock icon, a complete clone.

✅ How to perform a BITB attack?

To get a simple feel for how a BITB attack works, I have created a BITB framework: https://github.com/surya-dev-singh/BITB-framwork

  • Clone the git repo on your system.
  • It has several templates that work for popular websites.
  • You can modify the base/host website by entering custom HTML and CSS in the main.html file, because the base website is not mobile optimized yet.
  • A fake SSO window will allow you to capture the logins:

✅ How to detect BITB attacks?

Since this attack is based on HTML code, it is hard to detect, and it is difficult to create an indicator of compromise (IOC) for it. One possible way to detect it is to check whether the popped-up SSO window can escape the browser: a BITB attack uses the <iframe> tag, which is like a window inside the window, so it can't really escape the browser.
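The drawn window described above has two tell-tale parts: an address bar that is only page text, and an <iframe> beneath it. The following is an added example (not code from this article or from the BITB framework) of a JavaScript heuristic that flags that combination, going one step beyond the manual check; the node shape (tagName, text, children), the function names and the shop.example sample page are assumptions constructed for illustration.

```javascript
// Added example: heuristic scan for a drawn "browser window" inside a page.
// Assumption: nodes expose tagName, children and, for text leaves, text; a
// browser extension would build such a tree from document.body.
const URL_TEXT = /^https?:\/\/([a-z0-9.-]+)(?::\d+)?(?:\/\S*)?$/i;

// Collect facts about a subtree: URL-looking text, iframes, password inputs.
function summarize(node, acc = { hosts: [], iframes: 0, passwordInputs: 0 }) {
  const tag = (node.tagName || "").toLowerCase();
  if (tag === "iframe") acc.iframes += 1;
  if (tag === "input" && node.type === "password") acc.passwordInputs += 1;
  const m = typeof node.text === "string" && node.text.trim().match(URL_TEXT);
  if (m) acc.hosts.push(m[1].toLowerCase());
  for (const child of node.children || []) summarize(child, acc);
  return acc;
}

// Report the smallest containers that display a host other than the page's
// real one next to an iframe or a password field.
function findFakeWindows(root, pageHost, findings = []) {
  const before = findings.length;
  for (const child of root.children || []) findFakeWindows(child, pageHost, findings);
  if (findings.length > before) return findings; // a descendant already matched
  const s = summarize(root);
  const foreign = s.hosts.filter((h) => h !== pageHost.toLowerCase());
  if (foreign.length > 0 && (s.iframes > 0 || s.passwordInputs > 0)) {
    findings.push({ id: root.id || null, displayedHosts: foreign, iframes: s.iframes });
  }
  return findings;
}

// Constructed sample: a page served from shop.example that draws a "pop-up".
const samplePage = {
  tagName: "body", children: [
    { tagName: "h1", text: "Sign in to continue" },
    { tagName: "div", id: "popup", children: [
      { tagName: "div", id: "titlebar", children: [
        { tagName: "span", text: "https://accounts.google.com/signin" }] },
      { tagName: "iframe", src: "/login-form.html" }] },
  ],
};
// Constructed benign page: mentions a URL but embeds no frame or password field.
const benignPage = { tagName: "body", children: [
  { tagName: "p", text: "https://accounts.google.com/signin" }] };

console.log(findFakeWindows(samplePage, "shop.example"));
console.log(findFakeWindows(benignPage, "shop.example"));
```

This is a heuristic: a page that legitimately prints a URL beside an embedded frame will also match, so treat a hit as a prompt to verify the window, not as proof.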

— — — — — — — — — — — — — — — — — — — — — — — — — — — —

THANK YOU FOR READING MY ARTICLE !! 👊👊
