Web Browser Security: Different Attacks Detection and Prevention Techniques

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Year of Publication: 2017
Authors:
Patil Shital Satish, Chavan R. K.
DOI: 10.5120/ijca2017914938

Patil Shital Satish and Chavan R. K. Web Browser Security: Different Attacks Detection and Prevention Techniques. International Journal of Computer Applications 170(9):35-41, July 2017.

BibTeX:

@article{10.5120/ijca2017914938,
	author = {Patil Shital Satish and Chavan R. K.},
	title = {Web Browser Security: Different Attacks Detection and Prevention Techniques},
	journal = {International Journal of Computer Applications},
	issue_date = {July 2017},
	volume = {170},
	number = {9},
	month = {Jul},
	year = {2017},
	issn = {0975-8887},
	pages = {35-41},
	numpages = {7},
	url = {http://www.ijcaonline.org/archives/volume170/number9/28100-2017914938},
	doi = {10.5120/ijca2017914938},
	publisher = {Foundation of Computer Science (FCS), NY, USA},
	address = {New York, USA}
}

Abstract

In this paper, we present a systematic study of how to make a browser secure. Web browsers are vulnerable to a range of attacks that exploit weaknesses in the user interface of the web page, the browser cache, extensions and plug-ins. An attacker can run malicious JavaScript that uses these vulnerabilities to compromise the user's system. Buffer overflow, cross-site scripting, man-in-the-middle, extension vulnerabilities, extreme phishing, browser cache poisoning, session hijacking, drive-by download and click-jacking attacks are discussed. Browsers built with Electrolysis and sandboxed processes are discussed as a means of protecting the browser from these attacks.


Keywords

Web application security, Heap overflow, Electrolysis, Sandboxing