Browser Pivoting

Man-in-the-browser (MITB) attack to hijack a compromised user's authenticated web sessions. Examples and how it carry out, mitigation and detection.

Browser Pivoting

A Browser Pivot is a man-in-the-browser attack to hijack a compromised user's authenticated web sessions, where an attacker relays malicious web commands directly through a victim’s browser.  It’s an extremely effective attack, very few mitigations are available, and those that are available are rarely implemented, leaving users and systems at risk.

Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.

A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet.

Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication (2FA).

Browser Pivoting Process

A typical attack works like this:

  1. Compromise the victim by any typical means. A typical ATP approach is to send a  PDF with some kind of malware as the payload.
  2. Inject proxy code in the victim’s browser, e.g. using tool that support browser pivoting.
  3. Configure the attacker’s browser to send requests through the victim’s browser.
  4. Wait for the victim to log into a valuable asset, like their bank account.
  5. Perform any action on behalf of the authenticated victim, like initiate a transfer of funds.


Browser Pivoting Examples

Name Description
Cobalt Strike Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.
Dridex Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.
TrickBot TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.
Ursnif Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).

Browser Pivoting Mitigation and Detection


Mitigation Description
User Account Management Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.
User Training Close all browser sessions regularly and when they are no longer needed.


This is a difficult technique to detect because adversary traffic would be masked by normal user traffic. No new processes are created and no additional software touches disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for process injection against browser applications