Sampsa Rauti, Ville Leppänen, in Emerging Trends in ICT Security, 2014

Necko

Firefox browser extensions can easily use Necko’s components through XPCOM interfaces. This allows the extensions to observe and modify all HTTP requests the browser makes and the responses it receives. In practice, this happens by implementing a listener interface called nsIObserver. A malicious extension implementing this interface then receives a notification each time a request or response takes place. Each notification has a topic that tells whether it deals with a request or a response.

Assume an evil browser extension wants to tamper with outgoing traffic. In the case of incoming traffic, malware listens to a notification with the http-on-modify-request topic. Associated with each arriving notification is an HTTP channel that implements the nsIHttpChannel interface. The nsIHttpChannel interface includes an upload channel, nsIUploadChannel. The malware can use the upload stream of this channel to obtain the data it wants to modify. The modified data is put back in the HTTP channel and the request can resume normally. Similarly, all incoming HTTP responses in the browser can be captured by listening to notifications with the http-on-examine-response topic. The payload included in a response can then be read and modified using the nsITraceableChannel interface, for example.

Naturally, Necko’s previously mentioned interfaces can also be hooked by an external program, but building a browser extension is probably much easier, at least in Firefox’s case. Internet Explorer uses wininet.dll for networking functionality. Zeus, which is a real-world example of a Trojan containing man-in-the-browser functionality, hooks WinInet in order to spy on and tamper with network traffic.
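
As an added example (not from the chapter and not any project's own code), the following JavaScript shows how a defender might triage legacy extension source for the capabilities described here: it reports which of the two observer topics a file registers for and whether the file also references the interfaces that give access to message bodies. The sample sources are constructed, and the finding labels and function names are hypothetical names chosen for this illustration.

```javascript
// Added example: static triage of legacy (XPCOM) extension source.
// Topic and interface names come from the text; addObserver, setUploadStream
// and setNewListener are the corresponding real XPCOM method names.
const REQUEST_TOPIC = "http-on-modify-request";
const RESPONSE_TOPIC = "http-on-examine-response";

// Collect the topic string literals passed to addObserver(observer, topic, ...).
function observedTopics(source) {
  const topics = new Set();
  const re = /addObserver\s*\(\s*[^,]+,\s*["']([^"']+)["']/g;
  let m;
  while ((m = re.exec(source)) !== null) topics.add(m[1]);
  return topics;
}

// Combine topic registration with body-access interfaces.
// The finding labels are hypothetical, chosen for this example.
function triage(source) {
  const topics = observedTopics(source);
  const touchesUpload = /nsIUploadChannel|setUploadStream/.test(source);
  const touchesTraceable = /nsITraceableChannel|setNewListener/.test(source);
  const findings = [];
  if (topics.has(REQUEST_TOPIC)) {
    findings.push(touchesUpload ? "request-body-rewrite" : "request-observe");
  }
  if (topics.has(RESPONSE_TOPIC)) {
    findings.push(touchesTraceable ? "response-body-rewrite" : "response-observe");
  }
  return findings;
}

// Constructed samples (not taken from any real extension).
const SAMPLES = {
  "header-logger.js": `
    Services.obs.addObserver(this, "http-on-examine-response", false);
    // reads channel.getResponseHeader("Content-Type") only`,
  "suspicious.js": `
    obs.addObserver(listener, 'http-on-modify-request', false);
    obs.addObserver(listener, 'http-on-examine-response', false);
    var up = subject.QueryInterface(Ci.nsIUploadChannel);
    var tc = subject.QueryInterface(Ci.nsITraceableChannel);`,
  "ui-only.js": `document.getElementById("btn").addEventListener("click", f);`,
};

// Run the triage over every sample and return a name -> findings map.
function triageAll(samples) {
  const report = {};
  for (const [name, src] of Object.entries(samples)) report[name] = triage(src);
  return report;
}

console.log(triageAll(SAMPLES));
```

String matching of this kind is a triage aid only: a topic name assembled at run time will not match, so an empty result does not show that a file is harmless.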