Google Releases Browser Security Handbook


Google recently released a Browser Security Handbook, a key security reference for browser engineers, developers and security professionals.


Michal Zalewski, a developer at Google, states in the handbook's introduction:

"Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities."

The handbook covers the major browsers and versions, including IE 6 and 7, Firefox 2 and 3, Safari, Opera, Chrome and Android. Google split the handbook into three parts:


Part 1: Basic concepts behind Web browsers


This first part discusses core concepts such as what a URL is, how to form proper HTML, what a document object model is, how to use cascading style sheets, and browser-side JavaScript.


Part 2: Standard browser security features


This part concentrates on security features such as how cookies interact with browsers, Flash, Google Gears, cross-site scripting, mashups and content handling.


Part 3: Experimental and legacy security measures


This final part deals with authentication, password managers, frame restrictions and filtering, security zones and browser engineering issues.


It's no wonder hackers target browsers; they are one of the weakest links we humans interact with online. What I found most useful about this handbook is the breakdown of how different each browser is and how security is implemented across each platform. This is a must-have for every security professional.