Google recently released a Browser Security Handbook, a key security reference for browser engineers, developers and security professionals.
Michal Zalewski, a developer at Google, states in the handbook's introduction:
"Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities."
The handbook covers the major browsers and versions, including: IE 6 and 7, Firefox 2 and 3, Safari, Opera, Chrome and Android. Google split the handbook into three parts:
Part 1: Basic concepts behind Web browsers
This first part discusses core concepts such as what a URL is, how to form proper HTML, what the document object model is, how cascading style sheets work, and browser-side JavaScript.
Part 2: Standard browser security features
This part concentrates on standard security features: how browsers handle cookies, and how they deal with Flash, Google Gears, cross-site scripting, mashups and content handling.
Part 3: Experimental and legacy security measures
This final part deals with authentication, password managers, frame restrictions and filtering, security zones and browser engineering issues.
It's no wonder hackers target browsers; they are one of the weakest links in how we humans interact online. What I found most useful about this handbook is the breakdown of how different each browser is and how security is implemented across each platform. This is a must-have for every security professional.