Open source privacy tool now available for Chrome and Firefox

Behave! browser extension alerts users to website port scanning, DNS rebinding

A new open source browser extension aims to improve users’ security and privacy by detecting port scanning, access to private IPs, and DNS rebinding in Chrome and Firefox.

The idea behind Behave!, says developer Stefano Di Paola, chief technology officer and co-founder of Italian security firm Minded Security, is to fill the security gaps left by existing mainstream anti-malware packages.

“There’s a lot of alternative attacks on the client side with minimal fingerprint, that attract less attention and that might go unnoticed on several environments,” he tells The Daily Swig.

“For example, local port scan, cross protocol attacks, and DNS rebinding are very old attacks that are still possible and difficult to completely fix by browser vendors, because they abuse core features of the web ecosystem.”

He adds: “In particular, having an extension that monitors browser behavior has some advantage, such as sharing the same environment and information such as already resolved IPs, or sharing the same parser implementation, which will minimize exposition to specific issues such as TOCTOU (Time Of Check to Time Of Use)".

A scanner darkly

Port scanning is not only a potential security risk, but also has implications for user privacy. The practice hit the headlines recently, when a number of companies – including, most notably, eBay – were discovered to be carrying out port scans on their customers.

The aim is to weed out scams by checking whether compromised computers are being used to make fraudulent purchases on their sites – but many users are concerned about the implications for privacy and security.


RECOMMENDED Latest web hacking tools – Q2 2020


Behave! automatically checks whether port scanning is taking place, alerting users if the number of ports or protocols used during a browser session exceeds a specific limit – 20 by default, but settable by the user.

The browser extension also alerts users when a web page accesses an IP belonging to loopback addresses IPv4 127.0.0.1/8 and IPv6 ::1/128, along with private networks IPv4 10.0.0.0/8 – 172.16.0.0/12 – 192.168.0.0/16, and unique local addresses IPv6 fc00::/7.

The tool also keeps track of whether a hostname is resolved with multiple IPs, and will alert the user if there’s any mixing between public and private IPs.


Privacy-focused browser extension Brave! detect website port scanningBehave! is currently available for Chrome and Firefox

Keep it simple

Di Paola sees use cases for Behave! in the home-working sphere, where mixed home-VPN-work networks could expose resources.

“IoTs are usually exposed with less security in the intranet,” he says, and “UPnP-aware devices such as smart TVs are sometimes poor in security.”

He says that in the future he hopes to add new features to Behave!.


Read more of the latest browser security news


“Behave! tries to keep it simple with a single goal in mind: monitor the behavior of scripts running in a page. And at the moment it’s even simpler, it monitors just the communication attempts to private IPs,” he says.

“But there’s some other interesting attacks that it might cover as well, and simple features such as white listing web pages or hostnames that are expected to perform local connections, or track back the code performing the suspicious actions,” he says.

And, he adds, if there turns out to be a demand, Behave! could also be developed for other browsers: “If their API supports what’s needed, I would be glad to make it work for Edge and Safari, too.”


DEEP DIVES What is Fetch Metadata? How to protect your web resources from information-stealing attacks