Browser Security

  • The web browser is claimed as the most important piece of software so far this century. 
  • It is the "client" of the server-client model, the HTTP protocol, and the general security concepts of the web computing.
  • It is the software that we use to conduct our daily Internet lifefrom maintaining our social networks to online ticketing, online shopping and banking.
  • It is also the interface we use to browse sites after sites and gain access the most sensitive data and conduct the most sensitive operations.
  • It is browser's core function to execute the supplied commands from the server risk failing to render the page properly.
  • The web browser is almost everywhere in the network, from the user network zones, to your guest zones, to even the internal secure DMZ zones.
  • The interaction between the web browser and the web server is the rich attack surface. Firewalls have effectively reduced network traffic down to port 80 and 443, which means web browsers and web server.
  • Based on data collected in the second half of 2012 from a billion Windows computers in more than 100 countries, browser attacks became the greatest threat to enterprise networks, surpassing Conficker, a computer worm that infected more computers than any other since 2003's Welchia. (Microsoft Security Intelligence Report)

Components of Browser in Action

  • Same Origin Policy (SOP): restricts resources from one origin interacting with other origins.
  • Cross-origin Resource sharing (CORS): specification that provides a method (e.e., XMLHttpRequest) for an origin to ignore the SOP.
  • HTTP headers: requests and responses
  • Markup languages: HTML, XML, etc.
  • Presentation rules: CSS
  • Scripting languages: JavaScript
  • Document Object Model (DOM): a method for scripting languages to interact with the rendering engine by providing references to
    HTML elements in the form of objects.
  • Rendering engines: Trident in IE, Gecko in Firefox, Blink in Chrome
  • Geolocation APIs: provides mobile devices and desktops access to the geographical location of the web browser.
  • Web storage: open storage created by JavaScript, not HTTP headers.
  • WebSocket: communication channel between the web browser and the server
  • Web workers: background in HTML5
  • History stacks: manipulated (deleted, forwarded, backwarded) by HTML5
  • Web Real-Time Communication (WebRTC) API: browser intercommunications through HTML5 and JavaScript.

Browser's Core Security Problems

  • Increased attack surface:
    • Automatic and silent browser updates would create more attack surface without the defenders knowledge.
    • Browser extensions and plug-ins would inevitably add a place a hacker can target, thereby increasing the attack surface of the browser.
    • HTML5 increases in attack surface through providing more methods than the previous HTML4 generation.
      • HTML5 Security (OWASP)
      • HTML5 opens door to broader attacks (McFee)
  • Insecure external scripts: Modern web pages include numerous resources and scripts (e.g., JavaScript, marshup, images, etc.) from other origins.
  • Camouflaged cryptography: Cryptography (e.g., SSL and TLSI) used to exchange data can also be used to hide the attacker's payloads securely.
  • Same Origin Policy: Inconsistent SOP implementation creates security problems.