I built a Firefox extension to detect Adversary-in-the-Middle attacks in real time.

The core idea: instead of chasing blacklists (a losing game when domains cost $3),

look at what the proxy cannot easily hide.

Detection runs across four layers:

- DNS: entropy, punycode/homograph, typosquatting, subdomain anomalies

- HTTP headers: missing CSP/HSTS, proxy header signatures

- TLS: certificate age anomalies

- DOM: MutationObserver scanning for domain mismatch between the current URL

and page content — this is the killer signal against Evilginx-style kits

The engine is pure Rust compiled to WASM. JS is a deliberately thin interface

layer only — a conscious security decision.

Tested against a live Evilginx deployment: 1.00 CRITICAL. Zero false positives

on 10+ legitimate sites including Google, Apple, PayPal, and several EU banks.

There is a grey area — CDN-heavy sites (Amazon, PayPal) trigger ProxyHeaderDetected

via CloudFront. Still working on a neater model for that.

Full writeup: https://bytearchitect.io/network-security/Bypassing-MFA-with-Reverse-Proxies-Building-a-Rust-based-Firefox-Extension-to-Kill-AitM-Phishing/

Submitted to Mozilla Add-ons — pending review. Happy to discuss the detection

model or the Rust/WASM architecture.

Hey! I’m one of the authors of this blog post. We (the GitHub Security Lab) developed an open-source AI-framework that supports security researchers in discovering vulnerabilities. In this blog post we show how it works and talk about the vulnerabilities we were able to find using it.