Web browsers are the primary target for many attackers because so much sensitive data passes through them. From casual shopping to enterprise management systems to military operations, browsers have become the primary vehicle people use to access network-connected systems. Unfortunately, browsers have a long and storied history of vulnerabilities that have provided attackers with a lucrative and near-endless supply of victims upon which to prey. Here are the most common web browser security vulnerabilities to watch out for:
- Code Execution Exploits in the Browser
- Code Execution Exploits in Plug-ins
- Advanced Persistent Threats
- Man-in-the-Middle Attacks
- DNS Poisoning
- SQL Injection
- Cross-Site Scripting
- Broken Authentication and Session Management
Code Execution Exploits in the Browser
How to avoid: Turn on automatic updates in your browser of choice. This type of vulnerability is usually quickly patched by the browser or OS vendor, so attackers have a very short window in which to use it against fully updated systems.
Code Execution Exploits in Plug-ins
Plug-ins are probably the most well-known vector for drive-by downloads (attacks that silently download and run native code on your system). From Flash to Java, even plug-ins from large, reputable vendors have repeatedly had vulnerabilities used in malware attacks. Like browser exploits, vendors usually patch vulnerabilities of this type in short order, but outdated copies of browser plug-ins far outnumber the updated ones.
How to avoid: Keep your plug-ins updated and uninstall plug-ins and extensions that you don’t use. Browsers are getting better at warning users about outdated plug-ins, so don’t ignore the warnings.
Advanced Persistent Threats
Advanced persistent threats (APTs) quietly install malicious code on an endpoint and then steal data (keystrokes, screenshots, browser activity) or even modify what the user sees in their browser, sometimes going undetected for years. These attacks use a myriad of methods to get users to install them, many not related to the browser—for example, via an infected thumb drive or a hostile email attachment. But since so many sensitive interactions occur via the browser, most of these types of attacks put a high priority on stealing data from the browser.
Ways to avoid: Install a good antivirus product, and don’t pick up random thumb drives, open suspicious email attachments, or visit spam-filled sites on your work computer. Also, avoid public Wi-Fi networks as much as possible, as attackers can sometimes access machines through these.
Man-in-the-Middle Attacks
An attacker who has access to any point in a network connection between a user and sensitive websites (a “man in the middle”) has the opportunity to observe and modify traffic as it passes between the browser and web servers. Websites that use TLS (sites whose addresses start with “https”) help defeat this, because an attacker of this type has a very hard time faking the cryptographic certificate used by the server to authenticate itself to the browser. However, attackers know that a lot of users have been conditioned to just click through warnings when they appear, and so they can use an invalid/forged certificate and in many cases, users will ignore the browser’s warnings.
Ways to avoid: Don’t ignore browser warnings. When in doubt, try a different machine or internet connection, or just wait to conduct your sensitive transaction later. Businesses should install an SSL certificate on their website to protect users.
DNS Poisoning
Attackers can poison the DNS system (think of this as the contact list your browser uses to look up a site’s IP address by its name) at several different points. Your machine caches DNS entries, and attackers can poison this cache. A special file on your machine can be modified to override DNS lookups for certain web addresses, and malicious actors can even compromise DNS servers themselves and force them to serve up bad IP addresses for reputable sites. Once the attack is in place, your browser will contact an attacker’s server instead of the legitimate server for any targeted website. Attacks like this typically target banks and other financial institutions, fooling users long enough for them to give up account credentials, which are then used to empty their accounts.
Ways to avoid: Always look for “https” at the beginning of the site’s address when visiting a sensitive website to do financial transactions, and (again) don’t ignore browser warnings. Attackers who have poisoned your DNS lookups still can’t forge the certificates used for TLS, so in many cases, they’ll use a non-TLS (“http://…”) address and hope users don’t notice.
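The “special file” the section above refers to is the hosts file, which maps names to addresses before DNS is consulted. As an added example (not part of the article), a small defender-side audit that parses hosts-file text and flags any watched domain that has been pinned to a non-loopback address; the hosts content, the watch list and the 198.51.100.x address are all constructed placeholders.

```python
import ipaddress

# Constructed sample of a hosts file: the first two lines are normal, the third is the
# kind of override that redirects a sensitive site to a server the attacker controls
# (198.51.100.0/24 is a documentation range, used here purely as a placeholder).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
::1            localhost ip6-localhost
198.51.100.23  online.bank.example www.online.bank.example   # constructed override
"""

# Hypothetical watch list: domains the organisation considers sensitive.
WATCHED_DOMAINS = ("online.bank.example", "payroll.example")

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip it rather than crash on a hostile file
        for host in fields[1:]:
            yield ip, host.lower()

def is_watched(host, watched):
    # Exact match or any subdomain of a watched name.
    return any(host == d or host.endswith("." + d) for d in watched)

def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains forced to a non-loopback address."""
    hits = []
    for ip, host in parse_hosts(text):
        # Pinning a name to loopback is a block, not a redirect, so only remote addresses count.
        if is_watched(host, watched) and not ip.is_loopback:
            hits.append((host, str(ip)))
    return hits

if __name__ == "__main__":
    for host, ip in find_overrides(SAMPLE_HOSTS):
        print(f"ALERT: {host} is forced to {ip} by the hosts file")
```

On a real endpoint the same function would be fed the contents of the system hosts file instead of the constructed sample.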
SQL Injection
SQL injection has been a known problem for over 10 years, and the Open Web Application Security Project (OWASP) keeps it near the top of its Top 10 threats list. Using SQL injection, attackers add SQL commands to a website’s input in order to access and edit data on the server. Attackers can use web forms, cookies, or HTTP POST bodies to inject their malicious SQL into the queries the site runs against its database. The goal of these types of attacks is typically to steal, delete, or manipulate the data that businesses store on their servers, including customer names, social security numbers, and payment information.
How to avoid: Businesses should protect their websites with careful coding techniques, including sanitizing and filtering user-supplied data and limiting what the database account used by the website is permitted to do. Additionally, web application firewalls can protect businesses from SQL injections introduced via third-party vendors.
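As an added example (not code from the article), the two pieces of advice above side by side: a lookup that splices user input into the SQL text next to a parameterised version, run against a constructed in-memory SQLite table, plus SQLite’s query_only pragma standing in for a least-privilege database account that is only allowed to read.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a site's customer data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, ssn) VALUES (?, ?)",
        [("alice@example.com", "123-45-6789"), ("bob@example.com", "987-65-4321")],
    )
    return conn

def lookup_vulnerable(conn, email):
    # Defect shown on purpose: the user's input becomes part of the SQL text, so a
    # value such as  ' OR '1'='1  rewrites the WHERE clause instead of being matched.
    sql = f"SELECT email, ssn FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    # Parameterised query: the driver binds the value separately from the SQL text,
    # so whatever the user typed is only ever compared as a string.
    sql = "SELECT email, ssn FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def enforce_read_only(conn):
    # Least privilege for a read-only code path. SQLite's query_only pragma refuses
    # every INSERT/UPDATE/DELETE/DROP on this connection; on a server database the
    # equivalent is a dedicated account granted SELECT only.
    conn.execute("PRAGMA query_only = 1")

def attempt_write(conn):
    # True if a write went through, False if the database refused it.
    try:
        conn.execute("UPDATE customers SET ssn = 'redacted'")
        return True
    except sqlite3.OperationalError:
        return False

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(conn, probe))  # every row leaks
    print("parameterised:", lookup_safe(conn, probe))        # []
    enforce_read_only(conn)
    print("write allowed after lockdown:", attempt_write(conn))  # False
```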
Cross-Site Scripting
Like SQL injections, cross-site scripting (XSS) attacks use injections to send malicious code to other users. The receiver’s browser thinks the code is legitimate since it comes from a trusted source and will execute the script, giving the attacker access to cookies and other sensitive information the browser has retained for use on that site. The bad actor can then use this information to impersonate the victim or steal their login credentials. The script can also sometimes rewrite the content of HTML pages, which may cause users to click on more malicious links. Sites that accept user-generated content are the most vulnerable to these types of attacks.
How to avoid: The prevention methods for XSS closely follow those to avoid SQL injections: filter and limit user submissions as much as possible to prevent malicious code. Additionally, you can encode the output of HTTP responses to keep the browser from interpreting it as active content and executing the code.
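As an added example (not from the article), output encoding applied to user-generated content: a comment renderer that pastes submissions straight into HTML next to one that HTML-escapes every value and allow-lists link schemes. The comments are constructed sample submissions.

```python
import html
from urllib.parse import urlsplit

# Constructed user submissions: one ordinary, one whose body carries markup that a
# browser would execute and whose link scheme runs code instead of navigating.
COMMENTS = [
    {"author": "dana", "body": "Great article!", "link": "https://example.org/dana"},
    {"author": "mallory", "body": "<img src=x onerror=alert(1)>", "link": "javascript:alert(1)"},
]

def render_unsafe(comment):
    # Defect shown on purpose: user text is inserted verbatim into the page, so the
    # browser treats the submitter's markup and event handlers as part of the site.
    return (f'<p><a href="{comment["link"]}">{comment["author"]}</a>: '
            f'{comment["body"]}</p>')

def safe_href(url):
    # Allow only absolute http(s) URLs in href attributes; anything else becomes an inert "#".
    parts = urlsplit(url.strip())
    if parts.scheme in ("http", "https") and parts.netloc:
        return url.strip()
    return "#"

def _esc(value):
    # quote=True also escapes " and ', which matters when a value lands inside an attribute.
    return html.escape(value, quote=True)

def render_safe(comment):
    # Output encoding: < > & " ' become entities, so the browser displays the text
    # rather than interpreting it; the href is additionally scheme-checked.
    return (f'<p><a href="{_esc(safe_href(comment["link"]))}">{_esc(comment["author"])}</a>: '
            f'{_esc(comment["body"])}</p>')

def contains_active_content(markup):
    # Crude check used only to show the difference between the two renderers.
    lowered = markup.lower()
    return "<img" in lowered or "<script" in lowered or 'href="javascript:' in lowered

if __name__ == "__main__":
    for c in COMMENTS:
        print("unsafe:", render_unsafe(c))
        print("safe:  ", render_safe(c))
```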
Broken Authentication and Session Management
When a user logs into a website, they get a unique session ID, which is then sent back and forth between the user’s device and the server with every request. If this session ID is not protected by encryption in transit, an attacker can intercept the ID and hijack the session for their own purposes. Users operating on public or unprotected Wi-Fi are especially vulnerable to this. Attackers can also brute-force session IDs, just as they would when guessing someone’s password. These brute force attempts become easier if the attacker has already intercepted several session IDs.
How to avoid: Businesses can install SSL certificates on their websites so that the traffic carrying their users’ session IDs and login credentials is encrypted. Additionally, users should only connect from protected, private connections, avoiding public Wi-Fi whenever possible.
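As an added example (not from the article), the server side of the advice above: generating a session ID that cannot practically be guessed, issuing it in a cookie that is only ever sent over TLS and is hidden from page scripts, and a small audit that flags a Set-Cookie header lacking those protections. Cookie name, thresholds and the weak sample header are constructed.

```python
import secrets

REQUIRED_ATTRS = ("Secure", "HttpOnly", "SameSite")
MIN_ID_CHARS = 22  # 22 url-safe base64 characters is roughly 128 bits of randomness

def new_session_id():
    # 32 bytes from the OS CSPRNG encoded as 43 url-safe characters (~256 bits):
    # intercepting any number of these gives no help in guessing the next one.
    return secrets.token_urlsafe(32)

def session_set_cookie(session_id, name="session"):
    # Secure: sent only over TLS, so an on-path attacker on open Wi-Fi never sees it.
    # HttpOnly: invisible to page scripts, limiting what an XSS bug can steal.
    # SameSite=Lax: not attached to most cross-site requests.
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

def audit_set_cookie(header):
    """Return a list of problems with a Set-Cookie value; an empty list means it passes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    _name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = [f"missing {a}" for a in REQUIRED_ATTRS if a.lower() not in attrs]
    if len(value) < MIN_ID_CHARS:
        problems.append(f"session id too short ({len(value)} chars)")
    if value.isdigit():
        problems.append("session id is numeric and may be sequential")
    return problems

if __name__ == "__main__":
    good = session_set_cookie(new_session_id())
    weak = "session=1234; Path=/"  # constructed example of an unprotected cookie
    print("good:", audit_set_cookie(good))  # []
    print("weak:", audit_set_cookie(weak))
```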
Protect Your Browser, Protect Your Business
Human error is one of the biggest factors in organizational data breaches, and with all the vulnerabilities that browsers have, it’s easy for employees to fall victim to attacks. To protect the business, organizations need to train their users on the vulnerabilities they face from their browser and make sure they only connect from private Wi-Fi connections. Additionally, businesses should deploy web application firewalls and limit and filter user-generated content whenever possible. With these precautions in place, businesses are less likely to fall victim to browser-initiated attacks.
Jenn Fulmer updated this article on Jan 12, 2022. Jenn is a content writer for TechnologyAdvice, IT Business Edge, and eSecurity Planet currently based in Lexington, KY. Using detailed, research-based content, she aims to help businesses find the technology they need to maximize their success and protect their data.