Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mindedsecurity/behave
Behave! A monitoring browser extension for pages acting as "bad boi"
https://github.com/mindedsecurity/behave
Last synced: about 1 month ago
JSON representation
Behave! A monitoring browser extension for pages acting as "bad boi"
- Host: GitHub
- URL: https://github.com/mindedsecurity/behave
- Owner: mindedsecurity
- License: gpl-3.0
- Created: 2020-06-09T14:31:46.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-07-10T15:32:20.000Z (over 4 years ago)
- Last Synced: 2024-08-01T13:26:35.332Z (4 months ago)
- Language: JavaScript
- Homepage:
- Size: 165 KB
- Stars: 329
- Watchers: 16
- Forks: 22
- Open Issues: 7
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-security-awesome - behave
- awesome-hacking-lists - mindedsecurity/behave - Behave! A monitoring browser extension for pages acting as "bad boi" (JavaScript)
README
# Behave!
A *(Still in Development)* monitoring browser extension for pages acting as bad boys.
**NB**: This is the code repository of the project, if you're looking for the packed extensions:
Firefox: https://addons.mozilla.org/en-US/firefox/addon/behave/
Chrome: https://chrome.google.com/webstore/detail/mppjbkhgconmemoeagfbgilblohhcica/
## Introduction.
*Behave!* monitors and warn if a web page performs any of following actions:
- Browser based Port Scan
- Access to Private IPs
- DNS Rebinding attacks to Private IPs
Here's *Behave!* pointing the finger to at.tack.er page in the logs:
## Port Scan Monitoring
*Behave!* will alert the user if the number of port or protocol used during a browser session exceeds a specific limit.
The limit is 20 by default, but it can be changed by the user via preferences.
Since Behave does not perform any DNS request,
## Direct access to Private IPs Monitoring
*Behave!* will alert if a web page tries to directly access to an IP belonging to any the following blocks:
- Loopback addresses IPv4 **127.0.0.1/8**
- Loopback addresses IPv6 **::1/128**
- Private Networks IPv4 **10.0.0.0/8** - **172.16.0.0/12** - **192.168.0.0/16**
- Unique Local Addresses IPv6 **fc00::/7**
### DNS Resolution to Private IPs
If a malicious script instructs the Browser to connect to a FQDN whose authoritative DNS resolves to a private IP
*Behave!* checks if the resolved IP is private.
Anyway, the IP information of a resolved hostname is available only if the port is open.
Since *Behave!*, in order to prevent TOCTOU issues, does not perform any external DNS request, if the port is closed there will be no IP resolution available and therefore, no alert.
### DNS Rebinding Bypasses
*Behave!* does not perform any direct DNS request, and the IP is taken from the intercepted response.
That means that it's not exposed to any TOCTOU attack like DNS Rebinding.
## DNS Rebinding Monitoring
*Behave!* keeps track if a hostname is resolved with multiple IPs, and will alert if there's some mixing between public IPs
and private ones.
# Install
*Behave!* is available as packed extension on:
Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/behave/
Chrome Extension: https://chrome.google.com/webstore/detail/mppjbkhgconmemoeagfbgilblohhcica/
However, if like you want to play a bit with the code you can:
* Clone it OR download the zip and unzip
* Open Google Chrome/Chromium go to chrome://extension
* Activate Developer Mode
* Push "Load Unpacked" and choose the Behave directory.
* Enjoy *Behave!*
# Wanna Test Behave! ?
See what happens when you go to one of the following:
Singularity of Origin DNS Rebinding Attack:
http://rebind.it:8080/manager.html
JavaScript Port Scan:
http://jsscan.sourceforge.net/jsscan2.html
**Nota Bene:**
At the moment it won't alert if DNS Rebinding attack is performed on non private IPs such as:
https://www.alf.nu/BrowserCacheAndDnsRebinding
# Wanna Help?
You are welcome to help!
Feel free to create an Issue or fork the project and make a PR.