server and browser security

summarize/paraphrase the following attachment into 2 pages. 1 Topic per page. double space. 

IT SecurityCybersecurity

Server Security – Issues and Best Practices

1

Outline
Intro to Server Security
Need for Server Security
Server Security Fundamentals
Server Security Issues
OWASP Top 10 – A6:2017– Security Misconfiguration
OWASP Top 10 – A10:2017– Insufficient Logging and Monitoring
Attacks against Server Security Mechanisms
Server Security Best Practices
2

Intro to Server Security
3

Intro to Server Security
How does a web application work?
4

Client
Server
Involves servers

Intro to Server Security (contd.)
Server
A server serves as the host for web applications
It refers to the “server” portion of the client-server architecture
It receives the HyperText Transfer Protocol (HTTP) request message from the client machine’s browser
It authenticates the client based on the user-supplied credentials
It authorizes the client’s access to the requested web application after authentication
5

Intro to Server Security (contd.)
Server (continued)
It sends an HTTP response header back to the client machine with the response code 200 for successful requests or the response code 404 for page not found (maybe due to a broken link)
It uses ports to make services available to clients
Common port numbers: 80 for HTTP traffic, 443 for HTTPS traffic, 25 for SMTP traffic, 21 for FTP traffic, 23 for telnet traffic, etc.
Examples:
Apache HTTP Server, Apache Tomcat, Microsoft IIS, IBM WebSphere, Oracle WebLogic, Red Hat JBoss EAP, etc.
6

Intro to Server Security (contd.)
Server Market Share:
7
Source: Web and Application Servers Market Share Report – Datanyze –
https://www.datanyze.com/market-share/web-and-application-servers–425

Intro to Server Security (contd.)
What is a Server? – PowerCert Animated Videos
8
Source: PowerCert Animated Videos – What is a Server? –

Intro to Server Security (contd.)
Server security refers to “the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function” (NIST SP 800-123, pg.10)
Server security involves the following (NIST SP 800-44, pg.18):
Installing, configuring, and securing the server Operating System (OS)
Installing, configuring, and securing the server software
Employing appropriate network protection mechanisms
Firewalls, packet filtering routers, proxies, etc.
Ensuring that the hosted web applications are securely coded
Employing secure administration and maintenance processes
Patching and upgrading, testing, monitoring of logs, backing up data and OS
Protecting information and data in a careful/systemic manner
Conducting initial/periodic vulnerability scans of server/network infrastructure
9

Intro to Server Security (contd.)
Server security (by technology):
Apache HTTP Server security settings
NGINX security settings
Internet Information Services (IIS) security settings
LiteSpeed Web Server security settings
OpenResty security settings
Server security (by Operating System)
Ubuntu Linux Server guide
Windows Server security guide
macOS Server Guide
10

Need for Server Security
11

Need for Server Security
As per NIST SP 800-123:
Servers are frequently targeted by attackers because of the value of their data and services
Servers might contain personally identifiable information that could be used to perform identity theft
Most organizations install servers with standard directory names, directory locations, and filenames making it easy for attackers to target those servers
The failure of organizations to fully recognize the amount of expense and skills required to field a secure server often results in overworked employees and insecure systems
12

Need for Server Security (contd.)
As per NIST SP 800-123 (continued):
Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security
The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services
Because manufacturers are unaware of each organization’s security needs, server administrators need to configure new servers to reflect their organizations’ security requirements and reconfigure them as needed
13

Need for Server Security (contd.)
As per NIST SP 800-44:
Compromised web sites can serve as an entry point for intrusions into many organizations’ internal networks
Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data
Hackers could compromise web server security by:
defacing organizations’ web site or otherwise affecting integrity
executing unauthorized commands on the host OS
launching attacks on external sites from the web server
using the server to deliver attacks against vulnerable clients
using the server to distribute illegally copied software
14

Need for Server Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report, the most common infrastructure vulnerabilities include the following server-related issues:
44.70% – SSL / TLS Version & Configuration Issues
29.53% – SMB Security Issues
8.61% – OpenSSH Vulnerabilities & Configuration Issues
6.25% – Windows Remote Desktop Protocol Server MITM
4.15% – Unencrypted Telnet Services
1.69% – Unsupported & Unpatched Server Detection
15

Need for Server Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report:
33.33% of all high and critical risk vulnerabilities discovered in 2018 were in relation to unsupported Windows Server 2003 systems (no patching, support, end-of-life systems)
7.53% of all high and critical risk vulnerabilities discovered in 2018 related to exposure to NotPetya CVEs (CVE-2017-0144, CVE-2017-0145) – Windows Server Message Block (SMB) Remote Code Execution Vulnerability
Systems using Apache and PHP also contributed to the Top 10 due to weak component security and traditional patch management of exposed systems
16

Need for Server Security (contd.)
Hackers are increasingly using servers to cause data breaches (Privacy Rights Clearinghouse, 2020)
17

Server Security Fundamentals
18

Server Security Fundamentals
What is the Apache HTTP Server? – CBT Nuggets
19
Source: CBT Nuggets – What is the Apache HTTP Server? –

Server Security Fundamentals (contd.)
A basic Apache web server architecture includes the following components (Kew, 2007):
Modules
Multi-Processing Modules (MPM)
Apache Portable Runtime (APR) Libraries
20

Server Security Fundamentals (contd.)
Apache web server architecture:
Modules
Functionality that can be used to do things such as authentication, dynamic content generation, encryption, virus scanning, file compression, email services, file transfer services, etc.
Multi Processing Modules (MPM)
Special module which allows Apache to be configured as a pure process-based server, a pure threaded server, or both
Apache Portable Runtime (APR) Libraries
Provides for platform-specific tuning and optimization
21
Source: Apache – Apache HTTP Server Version 2.4 Documentation –
https://httpd.apache.org/docs/2.4/

Server Security Fundamentals (contd.)
Apache web server security:
Modular architecture
Allows modules to be enabled or disabled to add and remove web server functionality
Only MPM modules can interact directly with the Operating System
Authentication
Modules can authenticate against plain text files and database files including Oracle, MySQL, PostgreSQL, etc.
E.g. mod_auth_basic, mod_auth_digest, mod_auth_form, mod_authn_dbd, etc.
22
Source: Apache – Apache HTTP Server Version 2.4 Documentation –
https://httpd.apache.org/docs/2.4/

Server Security Fundamentals (contd.)
Apache web server security (continued):
Access Control
The mod_access_compat module can restrict access to resources based on IP address or hostname of the client
SSL / TLS
The mod_ssl module provides strong encryption to protect data transmitted between the web server and the client
Proxy
Apache supports both a traditional HTTP proxy and a reverse proxy
Reverse proxy can be used for load balancing
Virtual Hosting Support and XML Security
23
Source: TLDP.org – Apache Overview HOWTO –
https://www.tldp.org/HOWTO/pdf/Apache-Overview-HOWTO

Server Security Fundamentals (contd.)
Apache web server security (continued):
Configuration Settings
Modules come with several directives related to timeouts, resource consumption, request processing, concurrent connections, etc.
Common Gateway Interface (CGI) & Server Side Includes (SSI)
The suEXEC feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs
Logs
The mod_log_config, mod_log_forensic modules can be used to log everything that happens on the server
24
Source: Apache.org – Apache HTTP Server Documentation Version 2.4 –
https://archive.apache.org/dist/httpd/docs/httpd-docs-2.4.33.en

Server Security Issues
25

Server Security Issues
As per NIST SP 800-123 (pg. 7), server security issues include:
26
Source: NIST SP 800-123 – Guide to General Server Security –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123

Server Security Issues (contd.)
As per NIST SP 800-44 (pg. 17-18), other server security issues include the following:
Misconfiguration or other improper operation of the Web server, which may result, for example, in the disclosure or alteration of proprietary or sensitive information. This information can include items such as:
Assets of the organization
Configuration of the server or network that could be exploited for subsequent attacks
Credentials of the users or administrator(s) of the Web server
Inadequate or unavailable defense mechanisms for the Web server to prevent certain classes of attacks, such as DoS attacks, which disrupt the availability of the Web server and prevent authorized users from accessing the Web site when required
27
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2

Server Security Issues (contd.)
Other server security issues include the following (continued):
Vulnerabilities within the Web server that might allow, for example, attackers to compromise the security of the server and other hosts on the organization’s network by taking actions such as the following:

28
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2

Server Security Issues (contd.)
OWASP Top 10–A6:2017 – Security Misconfiguration
29
Source: OWASP Top 10 2017 A6 – Security Misconfiguration –
https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html

Server Security Issues (contd.)
Common server security vulnerabilities:
30
Source: OWASP Top 10 2017 A6 – Security Misconfiguration –
https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html

Server Security Issues (contd.)
OWASP Top 10–A10:2017 – Insufficient Logging & Monitoring
31
Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring –
https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring

Server Security Issues (contd.)
Common server security vulnerabilities:
32
Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring –
https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring

Server Security Attacks
33

Server Security Attacks
Most common server security attacks:

34
Attack Type Description
Denial of Service (DoS) Attacks may be directed to the server or its supporting network infrastructure, denying or hindering valid users from making use of its services.
Attacks may take advantage of the server’s account lockout policy.
Attacks may involve uploading many large files
Attacks take advantage of simultaneous network connections.
Malware Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the server

Source: NIST SP 800-123 – Guide to General Server Security –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123

Server Security Attacks (contd.)
Most common server security attacks (continued):

35
Attack Type Description
Man-in-the Middle (MITM) Password information can be intercepted using network sniffers and used by an attacker to masquerade as an authorized user
SYN Flood
If the maximum number of open connections (or connections that are half-open—that is, the first part of the TCP handshake was successful) is set to a low number, an attacker can easily consume the available connections with illegitimate requests (often called a SYN flood)

Source: NIST SP 800-123 – Guide to General Server Security –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123

Server Security Attacks (contd.)
Most common server security attacks (continued):

36
Attack Type Description
Brute Force Attackers try every possible password to attempt to gain access to a user’s account
Command Injection Compromise of sensitive information on backend databases that are used to support a web application
Directory Traversal Unauthorized access including gaining access to files or folders and being able to execute commands and/or install software on the web server
Replay Attack An impostor verifier replays the OTP authenticator output to the verifier and successfully authenticates to the web server (NIST SP 800-63b)

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2

Server Security Attacks (contd.)
Replay Attacks – Professor Messer
37
Source: Replay Attacks – CompTIA Security+ Sy0-401: 3.2 –

Server Security
Best Practices
38

Server Security Best Practices
Best practices for web server security include :
Planning and managing web servers (pg. 33)
Plan the configuration and deployment of the web server
Choose an appropriate Operating System (OS) for the web server
Choose an appropriate platform for the web server
General purpose OS, Trusted OS, web server appliance, virtualized platform, etc.
Securing the web server OS (pg. 41)
Patch and upgrade the OS
Remove or disable unnecessary services and applications
Configure OS user authentication
Configure resource controls appropriately
Install and configure additional security controls
Test the security of the OS
39
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2

Server Security Best Practices (contd.)
Best practices for web server security include :
Securing the web server (pg. 51)
Securely install the web server
Configure IS and web server access controls
Configure a secure web content directory
Securing web content (pg. 70)
Ensure that sensitive information is not available on the web server
Establish an organizational-wide documented formal policy and process for approving public web content
Maintain Web user privacy
Mitigate indirect attacks on content
Consider client-side active content security
Maintain server-side active content security
40
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2

Server Security Best Practices (contd.)
Best practices for web server security include :
Using authentication and encryption technologies (pg. 86)
Configure web authentication and encryption technologies
Configure SSL / TLS
Protect against brute force attacks
Implementing a secure network infrastructure (pg. 99)
Identify a network location
Assess firewall configuration
Evaluate intrusion detection and prevention systems
Assess network switches
Evaluate load balancers
Evaluate reverse proxies
41
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2

Server Security Best Practices (contd.)
Best practices for web server security include :
Administering the web server (pg. 113)
Perform logging
Perform web server backups
Recover from a compromise
Test security
Conduct remote administration and content updates
42
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2

Server Security Best Practices (contd.)
Use the following server security best practices to protect against security misconfiguration:
43
Source: OWASP Top 10 2017 A6 – Security Misconfiguration –
https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration

Server Security Best Practices (contd.)
Use the following server security best practices to protect against insufficient logging and monitoring:
44
Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring –
https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring

Recap
Server security issues continue to be among the OWASP Top 10 list of web application security risks
This is due to weaknesses in server technologies such as authentication, access controls, configuration, connections, encryption, active content, logs, etc.
Hackers are able to exploit the weaknesses using attacks such as DoS, malware, MITM, SYN flood, brute force, command injection, directory traversal, replay attacks, etc.
Best practices to protect servers include planning and managing web servers, securing the web server OS, securing the web server, securing web content, using authentication and encryption technologies, implementing a secure network infrastructure, administering the web server, etc.
45

Thank you!!!
46

Browser Security – Issues and Best Practices

1

Outline
Intro to Browser Security
Need for Browser Security
Browser Security Fundamentals
Browser Security Issues
OWASP Top 10 – A7:2017– Cross-Site Scripting XSS
OWASP Top 10 – A3:2017– Sensitive Data Exposure
Attacks against Browser Security Mechanisms
Browser Security Best Practices
2

Intro to Browser Security
3

Intro to Browser Security
How does a web application work?
4

Client
Server
Involves browsers

Intro to Browser Security (contd.)
Browser
A browser is “an application that finds and displays web pages”.
It coordinates communication between your computer and the web server where a particular website “lives” by:
Accepting a website address as a URL
Submitting a request to the server to retrieve the content for the page
Processing the code (HTML, CSS, JavaScript, etc.) from the server
Loading active content (Flash, ActiveX, etc.) needed by the page
Displaying the complete, formatted web page
Repeating the process for every single user interaction with the page
5
Source: Understanding Your Computer: Web Browsers – U.S. CERT –
https://www.cisa.gov/uscert/ncas/tips/st04-022

Intro to Browser Security (contd.)
Examples:
Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.
Browser Market Share as of February 2022:
6
Source: Global Web Stats – W3Counter–
https://www.w3counter.com/globalstats.php

Intro to Browser Security (contd.)
Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8)
Browser security involves the following:
Protection against common client-side attacks
Protection against phishing
Management of browser extensions
Use of adequate cryptography protocols
7
Source: X41 Browser Security White Paper –
https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper

Intro to Browser Security (contd.)
Browser security also involves the following:
Protection against active content
Active content refers to scripts that execute programs within the browser
e.g.: scripts used to create splash pages or options like drop-down menus
JavaScript is widely used to create active content
ActiveX controls reside on your computer and can be used as spyware
Protecting cookies
Cookies store information such as IP address, domain names, browser info, browsing habits, etc.
Both session cookies and persistent cookies must be protected from security attacks by adjusting the browser’s security settings to block or limit access to cookie information
8
Source: U.S. CERT – Browsing Safely: Understanding Active Content and Cookies –
https://www.cisa.gov/uscert/ncas/tips/ST04-012

Intro to Browser Security (contd.)
Browser-specific security features:
Google Chrome security features
Apple Safari security features
Internet Explorer security features
Microsoft Edge security features
Mozilla Firefox security features
Opera security features
9

Intro to Browser Security (contd.)
Your Browser’s Security Features – GCFLearnFree.org
Source: GCFLearnFree.org – Internet Safety: Your Browser’s Security Features –

10

Need for Browser Security
11

Need for Browser Security
As per U.S. CERT (2015):
Browsers such as Firefox, Chrome, Edge, and Safari are installed on almost all computers
Default browsers that come with the Operating Systems are not setup using secure default configurations
Unsecure browsers can lead to spyware being installed on your computers allowing intruders to take control
There is an increasing threat from attacks that take advantage of vulnerable web browsers
Hackers are using compromised or malicious websites to exploit vulnerabilities in browsers
12

Need for Browser Security (contd.)
As per U.S. CERT (2015), the problem is made worse by a number of factors including the following:

13

Need for Browser Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report:
19% of all vulnerabilities were associated with Layer 7 web applications
However, the risk density is much higher for web application vulnerabilities compared to network vulnerabilities
14

Need for Browser Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report, the most common browser-related vulnerabilities are:
Cross-Site Scripting – 14.69%
Other Injection – 8.18%
DOM-based Vulnerability – 1.82%
Cross-Site Request Forgery – 1.75%

15

Need for Browser Security (contd.)
Hackers are increasingly using browsers to cause data breaches (Privacy Rights Clearinghouse, 2020)

16

Need for Browser Security (contd.)
Hackers are increasingly using browsers to cause data breaches (Privacy Rights Clearinghouse, 2020)

17

Browser Security Fundamentals
18

Browser Security Fundamentals
How Web Browsers Function – Open Canvas
Source: OpenCanvas – How Web Browsers Function –

19

Browser Security Fundamentals (contd.)
As per Open Canvas (2016), web browsers use the following architectural components:
User interface
Rendering engine
Browser engine
Networking
JavaScript interpreter
Data storage – cookies, local storage, etc.
20

Browser Security Fundamentals (contd.)
Google Chrome Architecture
Source: Google Chrome Developers – Anatomy of the Browser 101
(Chrome University) –

21

Browser Security Fundamentals (contd.)
Google Chrome Architecture:
Browser Process
Includes the User Interface (UI), networking, and storage
GPU Process
Handles rich web page content built using features like WebGL
Is a separate process to ensure stability and security
Utility Process
Runs untrusted code on behalf of browser in a sandbox
e.g.: installing an extension, processing JSON
Is a short-lived process
Source: Google Chrome Developers – Anatomy of the Browser 101
(Chrome University) –

22

Browser Security Fundamentals (contd.)
Google Chrome Architecture (continued):
Extension Process
Ensures extensions have limited access to browser, page, & system
Stops poorly written extension code from adversely affecting pages
Pepper Plugins
Handles plugin code not controlled by Google (Flash, PDF, etc.)
Uses new plugin API that is sandboxed
Renderer – Blink rendering engine
JavaScript Interpreter – v8 JavaScript engine
Source: Google Chrome Developers – Anatomy of the Browser 101
(Chrome University) –

23

Browser Security Fundamentals (contd.)
Google Chrome Security:
Sandboxing
Limits the impact of many browser vulnerabilities by isolating different components of an application from the rest of the system
Components are run with their access privileges to system resources and/or other components limited to the bare essentials needed to perform its function
Thus, the privileges an attacker can gain by exploiting a security issue in these components is fairly limited
Process and Origin Isolation
Chrome uses Site Isolation to isolate websites with different origins
Source: X41 – Browser Security White Paper –
https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper
24

Browser Security Fundamentals (contd.)
Google Chrome Security:
Hardening and Exploit Mitigation
Supports /GS, ASLR, DEP, no direct win32k syscalls, SEHOP, etc.
Web Security
Same Origin Policy Enforcement
Restricts interaction between websites of different origins
Port Banning Enforcement
Denies connections to non-standard TCP ports
Content Security Policy Enforcement
Limits what sources of scripts are acceptable
HTML5 Features Support
Supports Service Workers, WebRTC, History API, WebGL, Web Notifications, etc.
Source: X41 – Browser Security White Paper –
https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper
25

Browser Security Issues
26

Browser Security Issues
Specific browser security issues include the following:
Client-side JavaScript code for checking user input is not enough
Information sent from the browser can be modified before it reaches the server
Plenty of HTTP/HTTPS proxy tools are available to hackers for this very purpose
Protocols such as SSL that browsers rely on have their own issues
Likewise, attackers can use browser mechanisms such as cache, cookies, session IDs, etc. to steal sensitive information
Java applets are susceptible to Man-in-the-Middle (MITM) attacks
Java servlets may be vulnerable to SQL injection
Source: OWASP – Application Security FAQ –
https://owasp.org/www-community/OWASP_Application_Security_FAQ
27

Browser Security Issues (contd.)
Specific browser security issues include the following:
Browsers pose a unique risk to the enterprise infrastructure because of their frequent exposure to untrusted dynamic content
Configuring browser security settings is challenging due to uncertainty of both attack mitigation effectiveness and impact on end users
Administrator-driven manual patching often incurs significant lag time before patches are deployed
Administrators are often hesitant to enable automatic updating out of fear that patches will break existing functionality
88% of publicly disclosed vulnerabilities exploited within a day of release
Browser plugins accounted for 34.5% of browser-related vulnerabilities
Source: NSA.gov – Steps to Secure Web Browsing –
https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing
28

Browser Security Issues (contd.)
OWASP Top 10 – A7:2017 – Cross-Site Scripting XSS
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)

29

Browser Security Issues (contd.)
Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
30

Browser Security Issues (contd.)
Cross-Site Scripting – XSS – Professor Messer
Source: Cross-Site Scripting – XSS – CompTIA Security+ Sy0-501 – 1.2 –

31

Browser Security Issues (contd.)
OWASP Top 10 – A3:2017–Sensitive Data Exposure
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –
https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

32

Browser Security Issues (contd.)
Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –
https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
33

Browser Security Attacks
34

Browser Security Attacks
Most common browser security attacks:

Source: OWASP – Attacks –
https://owasp.org/www-community/attacks/
Attack Type Description
Cache Poisoning
A maliciously constructed response is cached by the browser
Clickjacking The attacker hijacks clicks meant for their own page and routes them to another page
Cross-Site Request Forgery (CSRF) An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated
Cross-Site Scripting (XSS) A type of injection in which malicious scripts are injected into otherwise benign and trusted websites

35

Browser Security Attacks (contd.)
Most common browser security attacks (continued):

Attack Type Description
Man-in-the-Browser A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction
Session Hijacking An attack that compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server
Spyware A program that captures statistical information from a user’s computer and sends it over internet without user acceptance. This information is usually obtained from cookies and the web browser’s history.

Source: OWASP – Attacks –
https://owasp.org/www-community/attacks/
36

Browser Security
Best Practices
37

Browser Security Best Practices
Best practices for web browser security include :
Setting up browsers to Auto Update
Disabling malicious browser plugins such as Adware
Connecting to websites only using HTTPS
Clearing the browser history including cookies
Disabling the browser’s auto-complete of forms (including stored passwords) functionality
Blocking browser pop-ups using extensions such as AdBlock
Using VPN or proxy servers
Source: InfoSec Institute – Best Practices for Web Browser Security –
https://resources.infosecinstitute.com/best-practices-web-browser-security/
38

Browser Security Best Practices (contd.)
Best practices for web browser security include :
Enabling automatic updates
Mitigates 91% of publicly known vulnerabilities
Enabling reputation services such as Google Safe Browsing or Microsoft SmartScreen
Prevents 87.7% of socially engineered malware and phishing attempts
Disable unsafe plugins and extensions
Use advanced mitigation techniques/tools
Browser isolation, Cloud Browsers, O/S level mitigations, etc.
Source: NSA.gov – Steps to Secure Web Browsing –
https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing
39

Browser Security Best Practices (contd.)
Use the following best practices to protect against XSS:
Source: OWASP Top 10 2017 A7-Cross Site Scripting XSS –
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html
40

Recap
Browser security issues continue to be among the OWASP Top 10 list of web application security risks
This is due to weaknesses in browser mechanisms such as browser processes, renderers, plugins, extensions, etc.
Hackers are able to exploit the weaknesses using attacks such as cache poisoning, clickjacking, CSRF, XSS, MITM, session hijacking, spyware, etc.
Best practices to protect browsers include using auto update, HTTPS, pop-up blockers, VPNs or proxy servers, reputation services, sandboxing, isolation, hardening, same origin policy, port banning, content security policy, cloud browsers, etc.
41

Thank you!!!
42