Hijacking browser TLS traffic through Client Domain Hooking

Written on May 8, 2019

I am releasing a paper that describes a new variation of a man-in-the-middle (MITM) technique which, under certain circumstances, allows to permanently hijack browsers encrypted HTTP communication channel flow and compromise its confidentiality and integrity.

The technique has been named as “Client Domain Hooking”, since it relies on a particular way of achieving client-side communication endpoint persistency by forcing an application to communicate only through a chosen attacker-controlled domain through a single intercepted HTTP request and without breaking applications functionality. This technique was originally implemented in the ‘Modlishka’ reverse proxy.

This paper also contains conclusions from a review of the current security posture of browser-based (desktop and mobile) applications and Top 1000 Alexa web applications from the HTTP Strict Transport Security (HSTS) security mechanism perspective.

As it appeared, 80% of the reviewed web applications did not use the HSTS mechanism.

You can find the paper here:

‘Hijacking browser TLS traffic through Client Domain Hooking - Piotr Duszynski.pdf’

SHA256:c2d9bf2062b310b92cab5971d5c4454e8bc3e288720cf3241da17f885c7ec9ce

Along with the paper, I will shortly release an updated version of the ‘Modlishka’ tool, with capabilities to diagnose browser-based client applications from the described attack perspective. Developers should find this tool helpful in pin pointing and fixing relevant security issues in their applications. Stay tuned.