Browser In The Browser (BITB) Attack - Turkcell FastLogin/HızlıGiriş

omerwwazap/BITB

BITB template for Turkcell's FastLogin/HızlıGiriş SSO service. It is used in internal phishing exercises; as such, it is deliberately NOT an exact copy of the real SSO. Demo link: Here

Information

  • Detects the browser's color preference (dark or light).
  • Selection fix to prevent unnecessary text selection in certain regions.
  • CSS to use the system default fonts instead of browser fallback fonts.
  • Has a slight delay before the pop-up window appears.
  • *On phones and small displays, it opens the BITB as a new page/tab.
  • *Dragging the window doesn't work on phones; the functionality was not added.

Demo

[image: Demo-BITB]

Original vs BITB

[image: RealvsFake]

Detecting BITB

Legend: PC ✅ | Phone ❌ means the detection technique works on PCs but not on phones.

  • Dragging the Window PC ✅ | Phone ❌
    • Drag the window to the edge of the browser. If the window cannot leave the browser's viewport, it is not a real window.
    • [image: Demo-Drag]
  • Minimize / Close the Window PC ✅ | Phone ❌
    • The minimize and close buttons will not work as intended: the CSS/JS does not mimic those actions, and there is no real open window to close or minimize.
  • Maximize the Window PC ✅ | Phone ❌
    • The maximize button will not work as intended, as the CSS/JS does not mimic that action.
    • [image: Demo-Maximize]
  • Resizing the Window PC ✅ | Phone ❌
    • This effect could be mimicked with CSS/JS, but this repo doesn't implement it.
  • Checking the Link PC ❌ | Phone ✅
    • On small-screen devices this repo opens the BITB page as a new tab, so custom BITB URLs won't work and the real address is easily spotted in the address bar. This technique doesn't work on PCs.
    • [image: Phone-Example]
  • Browser extension PC ✅ | Phone ❌
    • @odacavo released a great browser extension that can detect embedded iframes and warn users about them.
    • Repo Available Here.
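A defender-side heuristic in the spirit of the iframe-detecting extension above, added here as an example (hypothetical code, not the extension's or this repo's): it flags an iframe that sits inside page-drawn window chrome and raises the level when the painted address bar names a host different from the one the iframe really loads from. All host names and paths in the test data are constructed.

```javascript
// Added example (hypothetical heuristic, not the @odacavo extension's code).
// A real SSO pop-up is a separate browser window: it never appears as an
// <iframe> in the page DOM, and its address bar is drawn by the browser, not
// by page CSS. A BITB "window" is an iframe wrapped in page-drawn chrome whose
// painted address bar commonly names a trusted host, while the iframe itself
// loads from the phishing site (frequently via a relative path on that origin).

// Resolve a URL-like string to a lowercase hostname, or null if it isn't one.
function hostOf(text, base) {
  try { return new URL(text.trim(), base).hostname.toLowerCase(); }
  catch { return null; }
}

// frame is a plain description of one iframe: its src attribute, the
// URL-looking text painted in the surrounding chrome (empty if none), and
// the origin of the page that embeds it.
function assessFrame(frame) {
  const shownHost = hostOf(frame.addressBarText, undefined);
  if (shownHost === null) {
    return { level: 'none', reasons: ['no address-bar-like text around iframe'] };
  }
  // A relative src resolves against the embedding page, i.e. the phishing origin.
  const realHost = hostOf(frame.src, frame.pageOrigin);
  const reasons = ['iframe is wrapped in page-drawn window chrome with an address bar'];
  if (realHost !== shownHost) {
    reasons.push(`painted address bar shows ${shownHost} but iframe loads from ${realHost ?? 'an unparseable src'}`);
    return { level: 'high', reasons };
  }
  return { level: 'medium', reasons };
}

// Browser adapter: runs only where a DOM exists (DevTools console or a content
// script). It treats the nearest enclosing <div> as the fake window chrome and
// takes the first http(s) URL in its visible text as the painted address bar.
function scanDocument(doc) {
  return Array.from(doc.querySelectorAll('iframe')).map((iframe) => {
    const frameChrome = iframe.closest('div') || iframe.parentElement;
    const urlText = (frameChrome ? frameChrome.innerText : '').match(/https?:\/\/\S+/);
    return assessFrame({
      src: iframe.getAttribute('src') || '',
      addressBarText: urlText ? urlText[0] : '',
      pageOrigin: doc.location.origin,
    });
  });
}

if (typeof document !== 'undefined') console.log(scanDocument(document));
```

The text-matching step is deliberately loose: a template that paints the address bar into an `<input>` value rather than text would need the adapter to read that value as well.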

Using

  • Simply add a backend service to the BITB to receive the inputs.

Credits

Disclaimer

Usage of these templates for attacking targets without prior consent is illegal. It's the end user's responsibility to obey all applicable laws. The developer is not responsible for any misuse of these templates.