Defeating FIDO2/CTAP2/WebAuthn using browser in the middle and reflected cross site scripting

Christian Catalano;Andrea Chezzi;Franco Tommasi
2025-01-01

Abstract

In today's digital landscape, web browsers are the gateway to a vast range of information and services. Recent work has shown, however, that the very features that make browsing convenient and seamless can be turned against users through a potent threat vector known as the "Browser-in-the-Middle" (BitM) attack. Most Multi-Factor Authentication (MFA) measures have been shown to be ineffective at preventing BitM attacks. The FIDO2 project, whose CTAP2 protocol works together with the Web Authentication API (WebAuthn), has until now proven to be a virtually unattackable MFA method for current state-of-the-art BitM implementations. This work widens the range of scenarios in which BitM can be applied by taking its technical architecture a step further: we show how BitM, used together with the exploitation of a Reflected XSS vulnerability, can be made more effective, yielding the novel BitM+ attack, which proves capable of defeating every available MFA method, including FIDO2/WebAuthn solutions that rely on hardware dongles, the only authentication method that had gone undefeated by virtually every phishing approach to date.
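The property the abstract leans on when it calls FIDO2/WebAuthn "virtually unattackable" by plain BitM is that the authenticator signs over a clientDataJSON in which the browser records the origin it was actually talking to, and the relying party must compare that origin with its own before accepting the assertion. The check below is an added illustration of that relying-party step, written for this page; it is not code from the paper or from any real relying party. The relying-party origin, the issued challenge and the proxy hostname are constructed values.

```python
import base64
import hmac
import json

# Constructed sample values (not from the paper): the relying party's own origin
# and the 32-byte challenge it issued for this authentication ceremony.
EXPECTED_ORIGIN = "https://rp.example"
ISSUED_CHALLENGE = bytes(range(32))


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as WebAuthn encodes the challenge in clientData."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes, type_: str = "webauthn.get") -> bytes:
    """Build the clientDataJSON a browser produces for navigator.credentials.get().

    The browser, not the page script, fills in `origin`, which is why a signature
    over this structure binds the assertion to the site the user was really on.
    """
    client_data = {
        "type": type_,
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }
    return json.dumps(client_data, separators=(",", ":")).encode("utf-8")


def verify_client_data(client_data_json: bytes, expected_origin: str,
                       issued_challenge: bytes, expected_type: str = "webauthn.get"):
    """Relying-party checks on clientDataJSON (type, challenge, origin).

    Returns (ok, reason). The signature check over authenticatorData and the
    hash of clientDataJSON is deliberately left out: it is the origin comparison
    that stops a proxied (BitM) ceremony, and that is what this example shows.
    """
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "clientDataJSON is not valid UTF-8 JSON"

    if client_data.get("type") != expected_type:
        return False, f"unexpected type {client_data.get('type')!r}"

    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "challenge is not base64url"
    # Constant-time compare: the challenge is the anti-replay nonce of the ceremony.
    if not hmac.compare_digest(challenge, issued_challenge):
        return False, "challenge does not match the one issued for this ceremony"

    origin = client_data.get("origin")
    if origin != expected_origin:
        return False, f"origin {origin!r} does not match relying party {expected_origin!r}"

    return True, "ok"


def legitimate_scenario():
    """User authenticates directly on the relying party's origin."""
    client_data = make_client_data(EXPECTED_ORIGIN, ISSUED_CHALLENGE)
    return verify_client_data(client_data, EXPECTED_ORIGIN, ISSUED_CHALLENGE)


def bitm_proxy_scenario():
    """Plain BitM: the victim's browser talks to an attacker-controlled origin
    (constructed hostname), so the browser records that origin in clientData and
    the relying party rejects the assertion even though the hardware key signed it.
    """
    client_data = make_client_data("https://rp.example.proxy.test", ISSUED_CHALLENGE)
    return verify_client_data(client_data, EXPECTED_ORIGIN, ISSUED_CHALLENGE)


def replayed_challenge_scenario():
    """Right origin, stale challenge: caught by the challenge comparison instead."""
    client_data = make_client_data(EXPECTED_ORIGIN, bytes(32))
    return verify_client_data(client_data, EXPECTED_ORIGIN, ISSUED_CHALLENGE)


if __name__ == "__main__":
    for name, fn in (("legitimate", legitimate_scenario),
                     ("bitm-proxy", bitm_proxy_scenario),
                     ("replayed-challenge", replayed_challenge_scenario)):
        ok, reason = fn()
        print(f"{name:20s} accepted={ok} ({reason})")
```

The origin comparison is what a proxy-based BitM cannot get past: the browser fills in the origin it is connected to, and the authenticator's signature covers it. The check also shows the limit of that protection, which is the point of the abstract: it only tells origins apart, so a ceremony started by script that already runs inside the relying party's own origin carries the expected origin and is indistinguishable to this step of the verification.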
Files in this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11587/570246

Warning: the data shown have not been validated by the university.

Citations
  • PMC: ND
  • Scopus: 2
  • ISI (Web of Science): 0