Browser Pivoting

A Browser Pivot is a man-in-the-browser attack to hijack a compromised user's authenticated web sessions. Cobalt Strike implements browser pivoting with a proxy server that injects into 32-bit and 64-bit Internet Explorer. When you browse through this proxy server you inherit cookies, authenticated HTTP sessions, and client SSL certificates. Browser Pivoting is a powerful way to demonstrate risk with a targeted attack.

To set up Browser Pivoting, go to [beacon] -> Explore -> Browser Pivot. Choose the Internet Explorer instance that you want to inject into. You may also decide which port to bind the browser pivoting proxy server to.

The process you inject into matters a great deal. Inject into Internet Explorer to inherit the user's authenticated web sessions. Modern versions of Internet Explorer spawn a process for each tab. If your target uses a modern version of Internet Explorer, you must inject into a child tab to inherit session state.

Generally, child tabs share all session state. There is one exception to this. Internet Explorer 11 seems to have broken how it shares client SSL state. It's not predictable. If you inject into the tab process associated with a client SSL session, it will work though.

Identify an Internet Explorer child tab process by looking at the PPID value in the Browser Pivoting setup dialog. The process is not a child tab when the PPID references explorer.exe. The process is a child tab when the PPID references iexplore.exe. Cobalt Strike will show a checkmark next to the processes it thinks you should inject into.

Once Browser Pivoting is set up, configure your web browser to use the Browser Pivot Proxy server. The Browser Pivot Proxy server is an HTTP proxy server.


You may browse the web as your target user once browser pivoting is started. Beware that the browser pivoting proxy server will present its SSL certificate for SSL-enabled websites you visit. This is necessary for the technology to work.

The browser pivoting proxy server will ask you to add a host to your browser's trust store when it detects an SSL error. Add these hosts to the trust store and press refresh to make SSL-protected sites load properly.

If your browser pins the certificate of a target site, you may find it's impossible to get your browser to accept the browser pivoting proxy server's SSL certificate. This is a pain. One option is to use a different browser. The open source Chromium browser has a command-line option to ignore all certificate errors. This is ideal for browser pivoting use:

chromium --ignore-certificate-errors --proxy-server=[host]:[port]

The above command is available from View -> Proxy Pivots. Highlight the Browser Pivot HTTP Proxy entry and press Tunnel.

To stop the Browser Pivot proxy server, type browserpivot stop in its Beacon console.

You will need to reinject the browser pivot proxy server if the user closes the tab you're working from. The Browser Pivot tab will warn you when it can't connect to the browser pivot proxy server in the browser.

Notice: OpenJDK 11 has a TLS implementation bug that causes ERR_SSL_PROTOCOL_ERROR (Chrome/Chromium) and SSL_ERROR_RX_RECORD_TOO_LONG (Firefox) when interacting with https:// sites. If you encounter these errors, downgrade your team server to Oracle Java 1.8 or OpenJDK 10.

How it Works

Internet Explorer delegates all of its communication to a library called WinINet. This library, which any program may use, manages cookies, SSL sessions, and server authentication for its consumers. Cobalt Strike's Browser Pivoting takes advantage of the fact that WinINet transparently manages authentication and reauthentication on a per-process basis. By injecting Cobalt Strike's Browser Pivoting technology into a user's Internet Explorer instance, you get this transparent reauthentication for free.
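
The PPID rule and the in-browser proxy server described above also give defenders a host-side check. The following is an added example, not part of the original page or of Cobalt Strike: it classifies iexplore.exe processes as frame or tab by their parent and flags any that own a listening TCP socket. The process and socket records are constructed samples, and it is an assumption that the in-browser proxy shows up as a listening socket owned by the Internet Explorer process.

```python
# Added example: every record below is constructed, not real host telemetry.
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")
Listener = namedtuple("Listener", "pid addr port")

PROCS = [
    Proc(1200, 1, "explorer.exe"),
    Proc(3100, 1200, "iexplore.exe"),  # frame: PPID references explorer.exe
    Proc(3188, 3100, "iexplore.exe"),  # tab: PPID references iexplore.exe
    Proc(3244, 3100, "iexplore.exe"),  # tab
    Proc(900, 4, "svchost.exe"),
]
LISTENERS = [
    Listener(900, "0.0.0.0", 135),
    Listener(3244, "127.0.0.1", 49201),  # constructed port value
]

def classify_ie(procs):
    """Map each iexplore.exe PID to 'tab', 'frame' or 'unknown' by its PPID."""
    by_pid = {p.pid: p for p in procs}
    roles = {}
    for p in procs:
        if p.name.lower() != "iexplore.exe":
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            roles[p.pid] = "unknown"  # parent exited or not in the snapshot
        elif parent.name.lower() == "iexplore.exe":
            roles[p.pid] = "tab"
        else:
            roles[p.pid] = "frame"
    return roles

def find_listening_ie(procs, listeners):
    """Return one alert per listening socket owned by an iexplore.exe process."""
    roles = classify_ie(procs)
    alerts = []
    for sock in listeners:
        role = roles.get(sock.pid)
        if role is None:
            continue  # socket owner is not Internet Explorer
        # Assumption: a tab holds the session state, so rank it highest.
        severity = "high" if role == "tab" else "medium"
        alerts.append({"pid": sock.pid, "role": role,
                       "port": sock.port, "severity": severity})
    return sorted(alerts, key=lambda a: (a["pid"], a["port"]))

if __name__ == "__main__":
    for alert in find_listening_ie(PROCS, LISTENERS):
        print(alert)
```

On a live host the same two inputs would come from a process listing with parent PIDs and a per-process listening-socket listing taken at the same moment, since PIDs can be reused between snapshots.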