Every enterprise employee has a web browser on their computer. Because it's a ubiquitous application, malicious hackers have crafted several types of browser attacks. Users and security teams should be aware of these approaches and know how to work together to prevent them.
The following five browser attacks -- cross-site scripting (XSS), malicious extensions, session hijacking, DNS poisoning and man-in-the-middle (MitM) attacks -- have been around for a while and are well known. Yet, they still work, so attackers continue to use them.
1. Cross-site scripting
- Stored XSS. The compromised application or website saves unsanitized user input and potentially executes script embedded in it without the user doing anything.
- Reflected XSS. Code gets injected into the browser when a user clicks on a link that contains the malicious payload. The code isn't stored on the website or application but is displayed through an HTTP response.
- Document Object Model (DOM)-based XSS. The page's own client-side script writes attacker-controlled data into the DOM through the DOM API, which gets the browser to execute the malicious injected code.
How to prevent cross-site scripting
Security teams and developers have the following options to combat XSS attacks:
- Use the Content-Security-Policy header. This header lets the website owner restrict which resources a given webpage is allowed to load in the end user's browser, and from where.
- Enable the HttpOnly flag. A cookie set with this flag cannot be read by client-side script, provided the browser in use supports HttpOnly.
- Validate user input. The application should not trust anything that comes from outside the system, such as an XSS script. Create an allowlist that defines acceptable input, and clean and filter user input to prevent injection attacks.
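The three XSS controls above, as an added example rather than code from the original article: a vulnerable rendering function next to its escaped counterpart, an allowlist check for a username field, and the response headers (a Content-Security-Policy and an HttpOnly session cookie) that limit what an injected script could still do. The username policy, header values and the test payload are constructed for this illustration and are not taken from the article.

```python
import html
import re

# Allowlist for a hypothetical username field: 3 to 32 characters of
# letters, digits, underscore or hyphen (policy chosen for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{3,32}")

# Constructed test payload: a harmless script tag that would only pop a dialog.
XSS_PAYLOAD = "<script>alert('xss')</script>"


def validate_username(value: str) -> bool:
    """Allowlist validation: accept only input that matches the expected shape."""
    return USERNAME_RE.fullmatch(value) is not None


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the HTML, so a
    stored or reflected payload becomes live markup in the victim's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-escape untrusted text so the browser treats it as data, not markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def security_headers(session_id: str) -> dict:
    """Response headers that shrink what an injected script could still do.

    - Content-Security-Policy only allows scripts from the site's own origin and
      blocks inline script, which is what most injected payloads are.
    - HttpOnly keeps the session cookie out of reach of document.cookie.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
        ),
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        "X-Content-Type-Options": "nosniff",
    }


def build_response(comment: str, session_id: str) -> tuple:
    """Assemble a (status, headers, body) triple the way a request handler would."""
    return 200, security_headers(session_id), render_comment_safe(comment)


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(XSS_PAYLOAD))
    print("safe:  ", render_comment_safe(XSS_PAYLOAD))
    print("username ok:", validate_username("alice_01"), validate_username(XSS_PAYLOAD))
    for name, value in build_response(XSS_PAYLOAD, "constructed-id")[1].items():
        print(f"{name}: {value}")
```

Escaping on output is the control that actually neutralises the payload; the allowlist rejects malformed input early, and the headers are defence in depth for the case where some other template forgets to escape.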
2. Malicious browser plugins and extensions
How to prevent malicious browser extensions
A mix of technological and social controls can keep malicious extensions off users' browsers:
- Don't allow employees to install browser extensions or plugins on business devices. The value an extension provides rarely exceeds the potential harm of an attack.
- Require employees to use only an enterprise browser. With that control, organizations can block extension installs.
- Use a tool to examine individual browser extensions. If the organization allows employees to install extensions, deploy a tool to inspect browser extensions or plugins to determine if they're safe.
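A minimal version of the inspection tool the last bullet calls for, added here as an example and not part of the original article: it reads a Chrome-style extension manifest and flags permissions that reach into cookies or network traffic, host patterns that cover every site, and content scripts injected everywhere. The two manifests are constructed for the illustration, and the risk list is this example's own judgement, not a vendor's.

```python
import json

# Permissions that give an extension reach into cookies, browsing history or network traffic.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "history", "clipboardRead",
    "debugger", "nativeMessaging", "proxy", "webNavigation",
}
# Host patterns that match every site. "<all_urls>" can also appear under
# "permissions" in Manifest V2, so both lists are checked against it.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not real extensions).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Intranet Helper",
    "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://intranet.example/*"],
})
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Free Coupon Finder",
    "version": "2.3",
    "permissions": ["storage", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})


def review_manifest(manifest_json: str) -> dict:
    """Return a risk verdict and the reasons for it, based only on the manifest."""
    manifest = json.loads(manifest_json)
    findings = []
    permissions = set(manifest.get("permissions", []))
    host_permissions = set(manifest.get("host_permissions", []))  # Manifest V3 key

    for perm in sorted(permissions & HIGH_RISK_PERMISSIONS):
        findings.append(f"high-risk permission: {perm}")
    for pattern in sorted((permissions | host_permissions) & BROAD_HOST_PATTERNS):
        findings.append(f"access to every site: {pattern}")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOST_PATTERNS:
                files = ", ".join(script.get("js", []))
                findings.append(f"content script on every site: {pattern} ({files})")

    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "risk": "high" if findings else "low",
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        report = review_manifest(sample)
        print(f"{report['name']} {report['version']}: {report['risk']}")
        for finding in report["findings"]:
            print("  -", finding)
```

A manifest review is a first filter, not a verdict: an extension with narrow permissions can still fetch and run remote code, so an allowlist of reviewed extension IDs enforced by browser policy remains the stronger control.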
3. Session hijacking
Whenever a user visits a website or web application, the server delivering the pages assigns the visit a unique session ID. During a predetermined session length -- whether it lasts five minutes or a day -- this ID is exchanged between the browser and the server to make sure the session remains valid and legitimate. If this ID is transmitted without encryption, the browsing session could be intercepted by a malicious third party, who can load the session ID into their own browser and masquerade as the legitimate user. From there, the attacker could steal personal information, infect the user's device with malware or conduct a DDoS attack from that session.
How to prevent session hijacking
Manage users and systems to prevent a session hijacking attack by doing the following:
- Use HTTPS to encrypt data shared between the browser and web server.
- Enforce strong password policies, and require multifactor authentication (MFA).
- Require a VPN to encrypt employees' sessions if they access the internet over public Wi-Fi or anytime outside the organization's network.
- Update and manage software and security patches regularly.
4. DNS poisoning
Malicious attackers spoof DNS records to redirect a user from a legitimate website to a fraudulent one. The attackers' website is designed to capture login credentials, steal personal data or deploy a malicious payload through the browser to the endpoint. These attacks succeed when the fake website convincingly looks like the legitimate one: users often enter their login credentials without noticing the switch.
How to prevent DNS poisoning
Simple precautions help prevent DNS poisoning, including the following:
- Educate users not to click suspicious URLs or download email attachments, and to always check that the link uses HTTPS.
- Mandate that employees use a VPN when connecting to and browsing the internet.
- Implement end-to-end data encryption.
- Remove the DNS cache following a suspected DNS poisoning attack.
5. Man-in-the-middle attack
In a MitM attack, cyber attackers insert themselves between a web application or website and a user's browser. They can then listen in on communications between the user and the website to collect information such as login credentials. MitM attacks involve IP, DNS and Address Resolution Protocol (ARP) spoofing to intercept communication between the two parties. The MitM attack doesn't prevent the communication from reaching its destination; the attacker sees what's shared and lets it continue onward.
How to prevent man-in-the-middle attacks
Encrypted, protected internet traffic helps stop MitM losses. Also, do the following:
- Require employees to use VPNs to browse the internet when on business devices.
- Do not allow employees to connect to public networks, such as those provided free in coffee shops.
- Use public key infrastructure to keep communications encrypted and secure.
- Educate users to only visit websites that use HTTPS and to ensure the URL is correct.
- Implement MFA.
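The HTTPS and public key infrastructure bullets in both the DNS poisoning and MitM sections rest on one check: the browser only accepts a server whose certificate, issued by a trusted CA, names the host the user asked for. A poisoned DNS record or an interposed proxy lands the browser on a server that cannot present such a certificate, so the connection fails rather than silently continuing. The example below, added here and not code from the article, shows that name check written out against certificate data in the shape Python's ssl.getpeercert() returns, plus the client-side TLS settings that keep the check switched on next to the weak settings that switch it off. The certificate dictionaries are constructed for the illustration.

```python
import ssl

# Constructed peer-certificate data, in the layout ssl.SSLSocket.getpeercert() returns.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
# A certificate with no subjectAltName: modern browsers ignore the CN, so it matches nothing.
CN_ONLY_CERT = {
    "subject": ((("commonName", "login.example.com"),),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, label by label, with a wildcard
    allowed only as the whole leftmost label and matching exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # refuse wildcards such as "*.com"
    for index, (p, h) in enumerate(zip(p_labels, h_labels)):
        if index == 0 and p == "*":
            continue
        if p != h:  # a partial wildcard like "w*" is treated as a literal and fails
            return False
    return True


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName in the certificate covers the requested host."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(name, hostname) for name in san_dns)


def make_client_context() -> ssl.SSLContext:
    """Corrected settings: chain verification and hostname checking both on, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The weak setting: verification disabled, so any certificate from any host is
    accepted and a MitM proxy or a poisoned-DNS destination goes unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.com", "example.com", "www.example.com.attacker.test"):
        print(f"{host:35} -> {hostname_matches(GOOD_CERT, host)}")
    print("CN-only cert accepted:", hostname_matches(CN_ONLY_CERT, "login.example.com"))
    print("strict context verifies:", make_client_context().verify_mode == ssl.CERT_REQUIRED)
```

In application code the point is simply never to construct the weak context: ssl.create_default_context() already verifies the chain and the hostname, and most MitM incidents in practice come from a developer turning that off to silence a certificate error.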