Crafting the Next-Generation Man-in-the-Browser Trojan

OWASP Foundation via YouTube

Overview

Explore the evolution and future of Man-in-the-Browser (MITB) trojans in this 54-minute conference talk from AppSecUSA 2017. Dive into the history of MITB attacks, current client-side defense mechanisms, and the development of next-generation trojans. Learn about advanced capabilities such as HTTP header manipulation, metamorphic JavaScript, and HPKP suicide attacks. Discover strategies to combat sophisticated MITB threats and gain insights into the future of application security. Examine real-world demonstrations and discuss potential countermeasures against evolving cyber threats.

Syllabus

Introduction
What are Man-in-the-Browser attacks
History of JEN
Timba
Trojan Capabilities
Top 10 Trojan Variants
Financial Losses
Content Security Policy
HTTP Public Key Pinning
SSL Transport Security
Headers
Trojan
Starting point
Extensions are dangerous
Requirements
C2 Requirements
Web Requests API
Can you modify the response body
Debugging the browser
Changing the DOM
Architecture
Demos
Testing
Grabber
Dumb Taming
Strategy
Polymorphism
Our thoughts
Other solutions
Realtime monitoring
Final demo
Wrapping up
Conclusion
How easy is it
Traditional approach
Who can be tricked
Extension icons
Missing
Mozilla
CSP in Meta Tags

Taught by

OWASP Foundation
