Browser Security – Issues and Best Practices
Outline
Intro to Browser Security
Need for Browser Security
Browser Security Fundamentals
Browser Security Issues
OWASP Top 10 – A7:2017– Cross-Site Scripting XSS
OWASP Top 10 – A3:2017– Sensitive Data Exposure
Attacks against Browser Security Mechanisms
Browser Security Best Practices
Intro to Browser Security
Intro to Browser Security
How does a web application work?
Figure: client/server model of a web application; the client side involves browsers
Intro to Browser Security (contd.)
Browser
A browser is “an application that finds and displays web pages”.
It coordinates communication between your computer and the web server where a particular website “lives” by:
Accepting a website address as a URL
Submitting a request to the server to retrieve the content for the page
Processing the code (HTML, CSS, JavaScript, etc.) from the server
Loading active content (Flash, ActiveX, etc.) needed by the page
Displaying the complete, formatted web page
Repeating the process for every single user interaction with the page
Source: Understanding Your Computer: Web Browsers – U.S. CERT –
Intro to Browser Security (contd.)
Examples:
Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.
Browser Market Share as of February 2022:
Source: Global Web Stats – W3Counter–
Intro to Browser Security (contd.)
Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” ()
Browser security involves the following:
Protection against common client-side attacks
Protection against phishing
Management of browser extensions
Use of adequate cryptography protocols
Source: X41 Browser Security White Paper –
Intro to Browser Security (contd.)
Browser security also involves the following:
Protection against active content
Active content refers to scripts that execute programs within the browser
e.g.: scripts used to create splash pages or options like drop-down menus
JavaScript is widely used to create active content
ActiveX controls reside on your computer and can be used as spyware
Protecting cookies
Cookies store information such as IP address, domain names, browser info, browsing habits, etc.
Both session cookies and persistent cookies must be protected from security attacks by adjusting the browser’s settings to block or limit access to cookie information
Source: U.S. CERT – Browsing Safely: Understanding Active Content and Cookies –
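As an added example (not from the slides or the cited U.S. CERT page), the following JavaScript builds a session cookie with the attributes that protect it in the browser and audits an existing Set-Cookie header for the ones that are missing. The attribute names are the real Set-Cookie ones; the cookie name, value and one-day lifetime threshold are constructed.

```javascript
// Build a Set-Cookie header for a session cookie with defensive attributes:
//   Secure   - only sent over HTTPS (cannot be sniffed on plain HTTP)
//   HttpOnly - not readable from JavaScript (limits theft through XSS)
//   SameSite - not sent on cross-site requests (limits CSRF)
function buildSessionCookie(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("unsafe cookie name");
  if (/[\s;,"\\]/.test(value)) throw new Error("unsafe cookie value");
  return [
    `${name}=${value}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "Secure",
    "HttpOnly",
    "SameSite=Strict",
  ].join("; ");
}

// Audit one Set-Cookie header string; returns the list of missing protections.
function auditSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const attrs = new Map();
  for (const p of parts.slice(1)) {           // parts[0] is name=value
    const [k, v = ""] = p.split("=");
    attrs.set(k.toLowerCase(), v.trim().toLowerCase());
  }
  const problems = [];
  if (!attrs.has("secure")) problems.push("missing Secure");
  if (!attrs.has("httponly")) problems.push("missing HttpOnly");
  const sameSite = attrs.get("samesite");
  if (sameSite === undefined) problems.push("missing SameSite");
  else if (sameSite === "none") problems.push("SameSite=None sends cookie cross-site");
  // A persistent session cookie outlives the browser session; flag lifetimes
  // over one day (constructed threshold, not a standard value).
  const maxAge = Number(attrs.get("max-age"));
  if (Number.isFinite(maxAge) && maxAge > 86400) problems.push("Max-Age longer than one day");
  return problems;
}

// Constructed sample: a session cookie as a weakly configured server would emit it.
const WEAK_HEADER = "sessionid=abc123; Path=/; Max-Age=2592000";
console.log(auditSetCookie(WEAK_HEADER));
console.log(auditSetCookie(buildSessionCookie("sessionid", "abc123", 3600)));
```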
Intro to Browser Security (contd.)
Browser-specific security features:
Intro to Browser Security (contd.)
Your Browser’s Security Features – GCFLearnFree.org
Source: GCFLearnFree.org – Internet Safety: Your Browser’s Security Features –
Need for Browser Security
Need for Browser Security
As per :
Browsers such as Firefox, Chrome, Edge, and Safari are installed on almost all computers
Default browsers that come with operating systems are not set up with secure default configurations
Insecure browsers can lead to spyware being installed on your computers, allowing intruders to take control
There is an increasing threat from attacks that take advantage of vulnerable web browsers
Hackers are using compromised or malicious websites to exploit vulnerabilities in browsers
Need for Browser Security (contd.)
As per , the problem is made worse by a number of factors including the following:
Need for Browser Security (contd.)
As per the Vulnerability Statistics Report:
19% of all vulnerabilities were associated with Layer 7 web applications
However, the risk density is much higher for web application vulnerabilities compared to network vulnerabilities
Need for Browser Security (contd.)
As per the Vulnerability Statistics Report, the most common browser-related vulnerabilities are:
Cross-Site Scripting – 14.69%
Other Injection – 8.18%
DOM-based Vulnerability – 1.82%
Cross-Site Request Forgery – 1.75%
Need for Browser Security (contd.)
Hackers are increasingly using browsers to cause data breaches ()
Browser Security Fundamentals
Browser Security Fundamentals
How Web Browsers Function – Open Canvas
Source: OpenCanvas – How Web Browsers Function –
Browser Security Fundamentals (contd.)
As per , web browsers use the following architectural components:
User interface
Rendering engine
Browser engine
Networking
JavaScript interpreter
Data storage – cookies, local storage, etc.
Browser Security Fundamentals (contd.)
Google Chrome Architecture
Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) –
Browser Security Fundamentals (contd.)
Google Chrome Architecture:
Browser Process
Includes the User Interface (UI), networking, and storage
GPU Process
Handles rich web page content built using features like WebGL
Is a separate process to ensure stability and security
Utility Process
Runs untrusted code on behalf of browser in a sandbox
e.g.: installing an extension, processing JSON
Is a short-lived process
Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) –
Browser Security Fundamentals (contd.)
Google Chrome Architecture (continued):
Process
Ensures extensions have limited access to browser, page, & system
Stops poorly written extension code from adversely affecting pages
Handles plugin code not controlled by Google (Flash, PDF, etc.)
Uses new plugin API that is sandboxed
Renderer – rendering engine
JavaScript Interpreter – JavaScript engine
Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) –
Browser Security Fundamentals (contd.)
Google Chrome Security:
Sandboxing
Limits the impact of many browser vulnerabilities by isolating different components of an application from the rest of the system
Components run with their access privileges to system resources and/or other components limited to the bare essentials needed to perform their function
Thus, the privileges an attacker can gain by exploiting a security issue in one of these components are fairly limited
Process and Origin Isolation
Chrome uses Site Isolation to isolate websites with different origins
Source: X41 – Browser Security White Paper –
Browser Security Fundamentals (contd.)
Google Chrome Security:
Hardening and Exploit Mitigation
Supports /GS, ASLR, DEP, no direct win32k syscalls, SEHOP, etc.
Web Security
Same Origin Policy Enforcement
Restricts interaction between websites of different origins
Port Banning Enforcement
Denies connections to non-standard TCP ports
Content Security Policy Enforcement
Limits what sources of scripts are acceptable
HTML5 Features Support
Supports Service Workers, WebRTC, History API, WebGL, Web Notifications, etc.
Source: X41 – Browser Security White Paper –
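To make the Content Security Policy point concrete, here is an added example (not from the slides or the X41 paper) that parses a CSP header and flags the settings that would still let injected scripts run. The directive names and keywords are the real CSP ones; the two sample policies are constructed.

```javascript
// Parse "directive value value; directive value" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Returns a list of findings; an empty list means script sources are reasonably strict.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src; with neither, any script source is allowed.
  const scriptSrc = policy.get("script-src") ?? policy.get("default-src");
  if (!scriptSrc) {
    findings.push("no script-src or default-src: any script source allowed");
    return findings;
  }
  // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("'unsafe-inline' lets injected inline scripts run");
  if (scriptSrc.includes("'unsafe-eval'"))
    findings.push("'unsafe-eval' lets injected strings be executed via eval()");
  if (scriptSrc.includes("*"))
    findings.push("wildcard script source allows scripts from any host");
  for (const s of scriptSrc) {
    if (/^(https?:|data:)$/.test(s))
      findings.push(`scheme source ${s} allows scripts from any ${s} URL`);
  }
  return findings;
}

// Constructed sample policies: one that still permits inline script injection, one that does not.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";
console.log(auditCsp(WEAK_CSP));   // one finding about 'unsafe-inline'
console.log(auditCsp(STRICT_CSP)); // []
```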
Browser Security Issues
Browser Security Issues
Specific browser security issues include the following:
Client-side JavaScript code for checking user input is not enough
Information sent from the browser can be modified before it reaches the server
Plenty of HTTP/HTTPS proxy tools are available to hackers for this very purpose
Protocols such as SSL that browsers rely on have their own issues
Likewise, attackers can use browser mechanisms such as cache, cookies, session IDs, etc. to steal sensitive information
Java applets are susceptible to Man-in-the-Middle (MITM) attacks
Java servlets may be vulnerable to SQL injection
Source: OWASP – Application Security FAQ –
Browser Security Issues (contd.)
Specific browser security issues include the following:
Browsers pose a unique risk to the enterprise infrastructure because of their frequent exposure to untrusted dynamic content
Configuring browser security settings is challenging due to uncertainty of both attack mitigation effectiveness and impact on end users
Administrator-driven manual patching often incurs significant lag time before patches are deployed
Administrators are often hesitant to enable automatic updating out of fear that patches will break existing functionality
88% of publicly disclosed vulnerabilities are exploited within a day of release
Browser plugins accounted for 34.5% of browser-related vulnerabilities
Source: NSA.gov – Steps to Secure Web Browsing –
Browser Security Issues (contd.)
OWASP Top 10 – A7:2017 – Cross-Site Scripting XSS
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –
Browser Security Issues (contd.)
Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –
Browser Security Issues (contd.)
Cross-Site Scripting – XSS – Professor Messer
Source: Cross-Site Scripting – XSS – CompTIA Security+ Sy0-501 – 1.2 –
Browser Security Issues (contd.)
OWASP Top 10 – A3:2017–Sensitive Data Exposure
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –
Browser Security Issues (contd.)
Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –
Browser Security Attacks
Browser Security Attacks
Most common browser security attacks:
Source: OWASP – Attacks –
| Attack Type | Description |
| --- | --- |
| Cache Poisoning | A maliciously constructed response is cached by the browser |
| Clickjacking | The attacker hijacks clicks meant for their own page and routes them to another page |
| Cross-Site Request Forgery (CSRF) | An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated |
| Cross-Site Scripting (XSS) | A type of injection in which malicious scripts are injected into otherwise benign and trusted websites |
Browser Security Attacks (contd.)
Most common browser security attacks (continued):
| Attack Type | Description |
| --- | --- |
| Man-in-the-Browser | A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction |
| Session Hijacking | An attack that compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server |
| Spyware | A program that captures statistical information from a user’s computer and sends it over the internet without user acceptance. This information is usually obtained from cookies and the web browser’s history. |
Source: OWASP – Attacks –
Browser Security Best Practices
Browser Security Best Practices
Best practices for web browser security include:
Setting up browsers to Auto Update
Disabling malicious browser plugins such as Adware
Connecting to websites only using HTTPS
Clearing the browser history including cookies
Disabling the browser’s auto-complete of forms (including stored passwords) functionality
Blocking browser pop-ups using extensions such as AdBlock
Using VPN or proxy servers
Source: InfoSec Institute – Best Practices for Web Browser Security –
Browser Security Best Practices (contd.)
Best practices for web browser security include:
Enabling automatic updates
Mitigates 91% of publicly known vulnerabilities
Enabling reputation services such as or
Prevents 87.7% of socially engineered malware and phishing attempts
Disabling unsafe plugins and extensions
Using advanced mitigation techniques and tools
Browser isolation, cloud browsers, OS-level mitigations, etc.
Source: NSA.gov – Steps to Secure Web Browsing –
Browser Security Best Practices (contd.)
Use the following best practices to protect against XSS:
Source: OWASP Top 10 2017 A7-Cross Site Scripting XSS –
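As an added example covering both the XSS slides and the XSS best-practices slide (not code from the slides or from OWASP), the following JavaScript shows a search page that reflects user input unencoded beside the hardened version that applies output encoding at every insertion point. The page template, the function names and the sample input are constructed.

```javascript
// Encode the characters that matter in HTML text and in double-quoted attribute values
// (& < > " ' and /), so untrusted data is rendered as text rather than parsed as markup.
function encodeHtml(str) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(str).replace(/[&<>"'\/]/g, (c) => table[c]);
}

// Vulnerable (reflected XSS pattern): the search term goes straight into the page,
// both into element text and into an attribute value.
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p><input name="q" value="${term}">`;
}

// Hardened: the same template, but every insertion point is encoded first.
// In the DOM the equivalent is assigning element.textContent rather than innerHTML.
function renderSearchSafe(term) {
  const safe = encodeHtml(term);
  return `<p>Results for: ${safe}</p><input name="q" value="${safe}">`;
}

// Constructed sample input: the classic test string for script injection.
const SAMPLE_INPUT = "<script>alert(1)</script>";
console.log(renderSearchUnsafe(SAMPLE_INPUT)); // a real <script> element reaches the page
console.log(renderSearchSafe(SAMPLE_INPUT));   // &lt;script&gt;... is shown as text

// A double quote in unencoded input ends the value="" attribute early; the encoded
// form (&quot;) keeps it inside the attribute.
console.log(renderSearchUnsafe('say "hi"'));
console.log(renderSearchSafe('say "hi"'));
```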
Recap
Browser security issues continue to be among the OWASP Top 10 list of web application security risks
This is due to weaknesses in browser mechanisms such as browser processes, renderers, plugins, extensions, etc.
Hackers are able to exploit the weaknesses using attacks such as cache poisoning, clickjacking, CSRF, XSS, MITM, session hijacking, spyware, etc.
Best practices to protect browsers include using auto update, HTTPS, pop-up blockers, VPNs or proxy servers, reputation services, sandboxing, isolation, hardening, same origin policy, port banning, content security policy, cloud browsers, etc.
Thank you!!!