Browser-Based Covert Data Exfiltration
In the Proceedings of the 9th Annual Security Conference
Las Vegas, Nevada
April 7-8, 2010
Current best practices heavily control user permissions on network systems. This effectively mitigates many insider threats regarding the collection and exfiltration of data. Many methods of covert communication involve crafting custom packets, typically requiring both the necessary software and elevated privileges on the system. By exploiting the functionality of a browser, covert channels for data exfiltration may be created without additional software or user privileges. This paper explores novel methods of using a browser’s JavaScript engine to exfiltrate documents over the Domain Name System (DNS) protocol without sending less covert Hypertext Transfer Protocol (HTTP) requests.
One technique explored in this paper is the exploitation of DNS prefetching to create covert exfiltration channels. In this technique, anchor elements are dynamically generated and added to the document body. This anchor element is created with custom subdomains in the "href" attribute, providing a covert storage channel for data exfiltration. When it is added to the document body, a DNS request will be immediately sent, prefetching the domain in case the link is clicked on later.
This paper also explores several techniques that work when DNS prefetching is disabled. Using combinations of "NXDomain" replies and "black-holing" requests allows bi-directional storage and timing channels to be created without ever sending an HTTP request. However, these techniques require a novel method of preventing the JavaScript from halting after the DNS request. This can be done using the "setTimeout" function to create a psuedo-recursive function that calls itself before halting on a DNS query.
[pdf]
