BrowserSecurity1-IssuesandBestPractices.pptx

    Browser Security – Issues and Best Practices

    ITC 766-899

    WEB APPLICATION SECURITY

    Spring 2022


    Outline

    Intro to Browser Security

    Need for Browser Security

    Browser Security Fundamentals

    Browser Security Issues

    OWASP Top 10 – A7:2017– Cross-Site Scripting XSS

    OWASP Top 10 – A3:2017– Sensitive Data Exposure

    Attacks against Browser Security Mechanisms

    Browser Security Best Practices


    Intro to Browser Security


    Intro to Browser Security

    How does a web application work?

    Client

    Server

    Involves browsers


    Browser

    A browser is “an application that finds and displays web pages”.

    It coordinates communication between your computer and the web server where a particular website “lives” by:

    Accepting a website address as a URL

    Submitting a request to the server to retrieve the content for the page

    Processing the code (HTML, CSS, JavaScript, etc.) from the server

    Loading active content (Flash, ActiveX, etc.) needed by the page

    Displaying the complete, formatted web page

    Repeating the process for every single user interaction with the page

    Source: Understanding Your Computer: Web Browsers – U.S. CERT –

    Intro to Browser Security (contd.)


    Examples:

    Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.

    Browser Market Share as of February 2022:

    Intro to Browser Security (contd.)

    Source: Global Web Stats – W3Counter–


    Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” ()

    Browser security involves the following:

    Protection against common client-side attacks

    Protection against phishing

    Management of browser extensions

    Use of adequate cryptography protocols

    Intro to Browser Security (contd.)

    Source: X41 Browser Security White Paper –


    Browser security also involves the following:

    Protection against active content

    Active content refers to scripts that execute programs within the browser

    e.g.: scripts used to create splash pages or options like drop-down menus

    JavaScript is widely used to create active content

    ActiveX controls reside on your computer and can be used as spyware

    Protecting cookies

    Cookies store information such as IP address, domain names, browser info, browsing habits, etc.

    Both session cookies and persistent cookies must be protected from security attacks by adjusting the browser’s settings to block or limit access to cookie information

    Intro to Browser Security (contd.)

    Source: U.S. CERT – Browsing Safely: Understanding Active Content and Cookies –
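    As an added illustration (not from the slides or the U.S. CERT source), the JavaScript below audits a Set-Cookie header for the attributes that protect session and persistent cookies in the browser: Secure, HttpOnly and SameSite. The header values are constructed samples.

```javascript
// Added example, not from the slides: parse one Set-Cookie header and report
// which browser-side protections it lacks. Secure: sent only over HTTPS;
// HttpOnly: hidden from document.cookie, so script injection cannot read it;
// SameSite: not attached to cross-site requests, which limits CSRF.
// A cookie with Expires or Max-Age is persistent (kept on disk); one with
// neither is a session cookie and is discarded when the browser closes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map(p => p.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1);   // flag attrs -> true
  }
  return cookie;
}

function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const a = c.attrs;
  const findings = [];
  const persistent = "expires" in a || "max-age" in a;
  if (!("secure" in a)) findings.push("missing Secure: cookie can be sent over plain HTTP");
  if (!("httponly" in a)) findings.push("missing HttpOnly: readable from document.cookie");
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : undefined;
  if (!sameSite) findings.push("missing SameSite: attached to cross-site requests");
  else if (sameSite === "none" && !("secure" in a)) findings.push("SameSite=None requires Secure");
  return {
    name: c.name,
    persistent,
    lifetime: persistent ? (a["max-age"] || a.expires) : "session",
    findings,
  };
}

// Constructed sample headers: a weak session cookie and a hardened one.
const WEAK_HEADER = "SESSIONID=abc123; Path=/";
const HARDENED_HEADER = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict";
```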


    Browser-specific security features:


    Intro to Browser Security (contd.)


    Your Browser’s Security Features – GCFLearnFree.org

    Intro to Browser Security (contd.)

    Source: GCFLearnFree.org – Internet Safety: Your Browser’s Security Features –


    Need for Browser Security


    As per :

    Browsers such as Firefox, Chrome, Edge, and Safari are installed on almost all computers

    Default browsers that come with the Operating Systems are not setup using secure default configurations

    Unsecure browsers can lead to spyware being installed on your computers allowing intruders to take control

    There is an increasing threat from attacks that take advantage of vulnerable web browsers

    Hackers are using compromised or malicious websites to exploit vulnerabilities in browsers

    Need for Browser Security


    As per , the problem is made worse by a number of factors including the following:

    Need for Browser Security (contd.)


    As per the Vulnerability Statistics Report:

    Need for Browser Security (contd.)

    19% of all vulnerabilities were associated with Layer 7 web applications

    However, the risk density is much higher for web application vulnerabilities compared to network vulnerabilities


    As per the Vulnerability Statistics Report, the most common browser-related vulnerabilities are:

    Cross-Site Scripting – 14.69%

    Other Injection – 8.18%

    DOM-based Vulnerability – 1.82%

    Cross-Site Request Forgery – 1.75%

    Need for Browser Security (contd.)


    Hackers are increasingly using browsers to cause data breaches ()

    Need for Browser Security (contd.)



    Browser Security Fundamentals


    How Web Browsers Function – Open Canvas

    Browser Security Fundamentals

    Source: OpenCanvas – How Web Browsers Function –


    As per , web browsers use the following architectural components:

    User interface

    Rendering engine

    Browser engine

    Networking

    JavaScript interpreter

    Data storage – cookies, local storage, etc.

    Browser Security Fundamentals (contd.)


    Google Chrome Architecture

    Browser Security Fundamentals (contd.)

    Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) –


    Google Chrome Architecture:

    Browser Process

    Includes the User Interface (UI), networking, and storage

    GPU Process

    Handles rich web page content built using features like WebGL

    Is a separate process to ensure stability and security

    Utility Process

    Runs untrusted code on behalf of browser in a sandbox

    e.g.: installing an extension, processing JSON

    Is a short-lived process

    Browser Security Fundamentals (contd.)

    Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) –


    Google Chrome Architecture (continued):

    Process

    Ensures extensions have limited access to browser, page, & system

    Stops poorly written extension code from adversely affecting pages

    Handles plugin code not controlled by Google (Flash, PDF, etc.)

    Uses new plugin API that is sandboxed

    Renderer – rendering engine

    JavaScript Interpreter – JavaScript engine

    Browser Security Fundamentals (contd.)

    Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) –


    Google Chrome Security:

    Sandboxing

    Limits the impact of many browser vulnerabilities by isolating different components of an application from the rest of the system

    Components run with their access privileges to system resources and/or other components limited to the bare essentials needed to perform their function

    Thus, the privileges an attacker can gain by exploiting a security issue in one of these components are fairly limited

    Process and Origin Isolation

    Chrome uses Site Isolation to isolate websites with different origins

    Browser Security Fundamentals (contd.)

    Source: X41 – Browser Security White Paper –


    Google Chrome Security:

    Hardening and Exploit Mitigation

    Supports /GS, ASLR, DEP, no direct win32k syscalls, SEHOP, etc.

    Web Security

    Same Origin Policy Enforcement

    Restricts interaction between websites of different origins

    Port Banning Enforcement

    Denies connections to non-standard TCP ports

    Content Security Policy Enforcement

    Limits what sources of scripts are acceptable

    HTML5 Features Support

    Supports Service Workers, WebRTC, History API, WebGL, Web Notifications, etc.

    Browser Security Fundamentals (contd.)

    Source: X41 – Browser Security White Paper –
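    An added example, not Chrome's code and not from the X41 paper: a simplified JavaScript model of two of the web-security checks listed above, the same-origin comparison and the Content Security Policy script-src decision. The policy string and URLs are constructed samples, and host-source matching covers only scheme, host (with a leading *. wildcard) and port.

```javascript
// Added example: simplified model of same-origin comparison and a CSP
// script-src decision. Not Chrome's code; nonces, hashes and path matching
// are deliberately left out.

// The origin under the same-origin policy is the (scheme, host, port) triple;
// URL.origin already drops default ports, so https://a.com:443 equals https://a.com.
function origin(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one CSP source expression match a script URL fetched by pageUrl?
function sourceMatches(src, scriptUrl, pageUrl) {
  const s = new URL(scriptUrl);
  if (src === "'self'") return sameOrigin(scriptUrl, pageUrl);
  if (src.startsWith("'")) return false;               // 'none', 'unsafe-inline', ...
  if (src === "*") return /^https?:$/.test(s.protocol);
  if (src.endsWith(":")) return s.protocol === src;     // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z]+):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && s.protocol !== scheme.toLowerCase() + ":") return false;
  const hostOk = wildcard ? s.hostname.endsWith("." + host.toLowerCase())
                          : s.hostname === host.toLowerCase();
  if (!hostOk) return false;
  const actual = s.port || defaultPort(s.protocol);
  return !port || port === "*" || port === actual;
}

// script-src (falling back to default-src) decides whether a script may run.
// inlineScript = true models an inline <script> block, allowed only by 'unsafe-inline'.
function cspAllowsScript(policy, pageUrl, scriptUrl, inlineScript = false) {
  const directives = new Map(
    policy.split(";").map(d => d.trim()).filter(Boolean).map(d => {
      const [name, ...sources] = d.split(/\s+/);
      return [name.toLowerCase(), sources];
    }));
  const sources = directives.get("script-src") || directives.get("default-src");
  if (!sources) return true;                            // no directive applies
  if (inlineScript) return sources.includes("'unsafe-inline'");
  return sources.some(src => sourceMatches(src, scriptUrl, pageUrl));
}
```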


    Browser Security Issues


    Specific browser security issues include the following:

    Client-side JavaScript code for checking user input is not enough

    Information sent from the browser can be modified before it reaches the server

    Plenty of HTTP/HTTPS proxy tools are available to hackers for this very purpose

    Protocols such as SSL that browsers rely on have their own issues

    Likewise, attackers can use browser mechanisms such as cache, cookies, session IDs, etc. to steal sensitive information

    Java applets are susceptible to Man-in-the-Middle (MITM) attacks

    Java servlets may be vulnerable to SQL injection

    Browser Security Issues

    Source: OWASP – Application Security FAQ –


    Specific browser security issues include the following:

    Browsers pose a unique risk to the enterprise infrastructure because of their frequent exposure to untrusted dynamic content

    Configuring browser security settings is challenging due to uncertainty of both attack mitigation effectiveness and impact on end users

    Administrator-driven manual patching often incurs significant lag time before patches are deployed

    Administrators are often hesitant to enable automatic updating out of fear that patches will break existing functionality

    88% of publicly disclosed vulnerabilities were exploited within a day of release

    Browser plugins accounted for 34.5% of browser-related vulnerabilities

    Browser Security Issues (contd.)

    Source: NSA.gov – Steps to Secure Web Browsing –


    OWASP Top 10 – A7:2017 – Cross-Site Scripting XSS

    Browser Security Issues (contd.)

    Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –


    Common browser security vulnerabilities:

    Browser Security Issues (contd.)

    Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –


    Cross-Site Scripting – XSS – Professor Messer

    Browser Security Issues (contd.)

    Source: Cross-Site Scripting – XSS – CompTIA Security+ Sy0-501 – 1.2 –


    OWASP Top 10 – A3:2017–Sensitive Data Exposure

    Browser Security Issues (contd.)

    Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –


    Common browser security vulnerabilities:

    Browser Security Issues (contd.)

    Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –


    Browser Security Attacks


    Most common browser security attacks:

    Browser Security Attacks

    Source: OWASP – Attacks –

    Attack Type | Description
    Cache Poisoning | A maliciously constructed response is cached by the browser
    Clickjacking | The attacker hijacks clicks meant for their own page and routes them to another page
    Cross-Site Request Forgery (CSRF) | An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated
    Cross-Site Scripting (XSS) | A type of injection in which malicious scripts are injected into otherwise benign and trusted websites


    Most common browser security attacks (continued):

    Browser Security Attacks (contd.)

    Attack Type | Description
    Man-in-the-Browser | A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction
    Session Hijacking | An attack that compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server
    Spyware | A program that captures statistical information from a user’s computer and sends it over the Internet without the user’s acceptance. This information is usually obtained from cookies and the web browser’s history.

    Source: OWASP – Attacks –


    Browser Security Best Practices


    Browser Security Best Practices

    Best practices for web browser security include:

    Setting up browsers to Auto Update

    Disabling malicious browser plugins such as Adware

    Connecting to websites only using HTTPS

    Clearing the browser history including cookies

    Disabling the browser’s auto-complete of forms (including stored passwords) functionality

    Blocking browser pop-ups using extensions such as AdBlock

    Using VPN or proxy servers

    Source: InfoSec Institute – Best Practices for Web Browser Security –


    Browser Security Best Practices (contd.)

    Best practices for web browser security include:

    Enabling automatic updates

    Mitigates 91% of publicly known vulnerabilities

    Enabling reputation services such as or

    Prevents 87.7% of socially engineered malware and phishing attempts

    Disabling unsafe plugins and extensions

    Using advanced mitigation techniques/tools

    Browser isolation, Cloud Browsers, O/S level mitigations, etc.

    Source: NSA.gov – Steps to Secure Web Browsing –


    Use the following best practices to protect against XSS:

    Browser Security Best Practices (contd.)

    Source: OWASP Top 10 2017 A7-Cross Site Scripting XSS –


    Browser security issues continue to be among the OWASP Top 10 list of web application security risks

    This is due to weaknesses in browser mechanisms such as browser processes, renderers, plugins, extensions, etc.

    Hackers are able to exploit the weaknesses using attacks such as cache poisoning, clickjacking, CSRF, XSS, MITM, session hijacking, spyware, etc.

    Best practices to protect browsers include using auto update, HTTPS, pop-up blockers, VPNs or proxy servers, reputation services, sandboxing, isolation, hardening, same origin policy, port banning, content security policy, cloud browsers, etc.

    Recap


    Thank you!!!

