Abstract

In this paper, we present a systematic study of how to make a browser secure. Web browser is vulnerable to different attacks; these attacks are performed due to vulnerabilities in the UI of the web page, Browser cache memory, extensions, plug-in. The Attacker can run malicious JavaScript to exploit user system by using these vulnerabilities. Buffer overflow attack, Cross-site-scripting, Man-in-the-middle, Extension vulnerability, Extreme Phishing, Browser Cache poisoning, Session hijacking, Drive-by-download, Click-jacking attacks are discussed. Browser with electrolysis system and sandboxed processes are discussed to prevent the browser from attack.

References

• Adi, Saltzman, Roi and Sharabani,Active Man in the Middle Attacks: A Security Advisory, A whitepaper from IBM Rational Application Security Group, 2009
• Bhargavaand Chen, Daniel,Shastry,DeFreez,Jean-Pierre Haoand Seifert, A first look at Firefox OS security,Nashville, TN USA, 2011
• Xiaowei and Xue,Yuan,Li,A survey on web application security ,Nashville, TN USA, 2011
• Nicolas, Golubovic, Attacking Browser Extensions.
• Yue and Dong, Xinshu and Saxena,Jia,Prateek and Mao, Jian and Liang,Yaoqi and Chen,Zhenkai, Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning, computers security, 55, (2015)62–80
• V and PandianS,Nithya, Lakshmana and Malarvizhi, C,A Survey on Detection and Prevention of Cross-Site Scripting Attack,International Journal of Security and Its Applications,3,9,(2015),139–152
• Calton and Beattie,,Cowan, F and Pu, Steve and Walpole,Crispin and Wagle, Jonathan, Buffer Overflow : Attacks and defenses for the vulnerability of the decade,2,(2000)119–129
• Gurvinder,Kaur ,Study of Cross-Site Scripting Attacks and Their Countermeasures,International Journal of Computer Applications Technology and Research,10,3,(2014)604–609
• A Sankara,Narayanan, Clickjacking vulnerability and countermeasures, New York International Journal of Applied Information Systems, 2012
• David, Stefan, Deian and Yang, Petr and Russo, Edward Z and Marchenko, David and Karp, Alejandro and Herman,Brad and Mazieres, Protecting Users by Confining JavaScript with COWL, (2014)131–146
• Tarek S and Zaki,Ashraf and Sobh,Elgohary, Mohammed, Design of an enhancement for SSL/TLS protocols, 25, (2006)297–306
• Giovanni,Cova, Christopher and Vigna,Marco and Kruegel, Detection and analysis of drive-by-download attacks and malicious JavaScript code, (2010)281–290
• Jerry, Louis, Detection of session hijacking, 2011
• Manuel and Wurzinger, Egele, Peter and Kruegel, Engin, Christopher and Kirda, Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks, (2009)88–106
• P Vadivel and Alagarsamy,Murugan,K,BufferOverflow Attack– Vulnerability in Stack,International Journal of Computer Applications,5,13,(2011)1–2
• Rohilla, Rakesh,Monika and Kumar,XSS Attack: Detection and Prevention Techniques
• Adam and Felt, Barth,Adrienne Porter and SaxenaPrateek and Boodman, Aaron, Protecting Browsers from Extension Vulnerabilities, 2010
• Benjamin A and Brodley, Hilmi and Vijaykumar, Kuperman, TN and Jalote, Carla E and Ozdoganoglu, Ankit,Detection and prevention of stack buffer overflow attacks, Communications of the ACM11,48,(2005)50–56
• Hodges, Collin and Barth, Jeff and Jackson,Adam, Http strict transport security (hsts), 2012
• Gu, Boxuan and Zhang, Xiaole and Champion, Wenbin and Bai, Adam C and Qin, Dong,Feng and Xuan, Jsguard: shellcode detection in JavaScript, (2012)112–130
• Marchesini, Sean W and Zhao, John and Smith, Meiyuan, Keyjacking: the surprising insecurity of client-side SSL, Computers Security, 24, (2005)109–123
• Jia, Yue and Dong, Yaoqi and Chen,Xinshu and Saxena, Prateek and Mao, Jian and Liang, Zhenkai, Poster: Man-in-the-Browser-Cache: Persisting HTTPS Attacks via Browser Cache Poisoning
• Callegati, Walter and Ramilli, Franco and Cerroni, Marco, Man-inthe-Middle Attack to the HTTPS Protocol, IEEE Security Privacy, 7, (2009)78–81
• Eriksson, Mattias and Johansson, TT, An example of a man-in-themiddle attack against server authenticated ssl-sessions, 2003
• Fraser,Howard, Modern web attacks, Network Security, 2008, (2008)13– 15
• Matthias and Ben-David,Vallentin, Yahel, Persistent browser cache poisoning,2010
• Karapanos, Srdjan,Nikolaos and Capkun, On the Effective Prevention of TLS Man-In-The-Middle Attacks in Web Applications, 14, 2014
• Barth, Adrienne Porter,Adam and Felt,SaxenaPrateek and Boodman, Aaron, Protecting Browsers from Extension Vulnerabilities, 2010
• Jackson, Adam, Collin and Barth, Forcehttps: protecting high-security web sites from network attacks, (2008)525–534
• Vallentin, Yahel, Matthias and Ben-David, Quantifying persistent browser cache poisoning, 2014
• Jackson,Andrew and Boneh,Collin and Bortz,JohnC,D an and Mitchell, Protecting browser state from web privacy attacks, (2006)737–744
• Liang, Wei and Liu, Bin and You,Liangkun and Shi, Mario, Wenchang and Heiderich, Scriptless timing attacks on web browser privacy, (2014)112–123
• Jemel, Ahmed,Mayssa and Serhrouchni, Security assurance of local data stored by HTML5 web application, (2014)47–52
• Vishnoi, Monika and Tech,Laxman and Agarwal, MIT, Session Hijacking And Its Countermeasures, International Journal of Scientific Research Engineering and Technology (IJSRET), (2013)250–252
• Deepak Singh,Jain, Divya Rishi and Tomar, Vineeta and Sahu, Session Hijacking: Threat Analysis and Countermeasures
• Kapoor, Shray, Session hijacking exploiting TCP, UDP and HTTP sessions, infosecwriters. com/text resources/.../SKapoorSessionHijacking. pdf, 2006
• Ralf and Basin,Rolf and Hauser, David,Oppliger, SSL/TLS sessionaware user authentication revisited, Computers Security, 27,(2008)64–70
• Piekarska, Bhargava and Borgaonkar,Marta and Shastry, Ravishankar, Piekarska, Bhargava and Borgaonkar,Marta and Shastry, Ravishankar,What Does the Fox Say? On the Security Architecture of Firefox OS,(2014)172– 177
• Securing web browser, http://www.us-cert.gov/publications/ securing-your-web-browser
• Attacks on browser, http://www.owasp.org/index.php
• See fixed patches in mozilla on bugzilla, http://www.bugzilla.mozilla.org/quickserack=attachment
• Mozilla foundation security advisory, https://www.mozilla.org/en-US/ security/advisoris/mfsa2017-01
• How Appliction Cache works, https://developer.mozilla.org/en-US/ docs/web/HTML/Using the application cache
• All errors in Mozilla browser can see one time at,https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox
• Zhao, Rui and John, Stacy and Bussell,Samantha and Karas, Cara and Roberts, Daniel and Gavett,Jennifer and Six, Brandon and Yue, Chuan,The Highly Insidious Extreme Phishing Attacks,(2016)1–10
• Privilege escalation vulnerabilities in WebExtensions APIs, https://bugzilla.mozilla.org/showbug.cgi?id=1226423
• Pandikumar, T and Girma, Teklish,Analyzing Information Flow in Java based Browser Extensions,(2016)
• Chuan,Yue,The Devil Is Phishing: Rethinking Web Single Sign-On Systems Security.,(2013)
• Zhao,Chuan and Yi,Rui and Yue,Qing,Automatic detection of information leakage vulnerabilities in browser extensions,(2015)1384–1394
• Interger overflow in Websockets during data buffering, https://bugzilla.mozilla.org/showbug.cgi?id=1287266
• Buffer overflow rendering SVG with bidirectional content, https://bugzilla.mozilla.org/showbug.cgi?id=1270381
• Cross-site reading attack through data and view-source URIs, https://bugzilla.mozilla.org/showbug.cgi?id=1228950
• Integer overflow in MP4 playback in 64-bit versions, https://bugzilla.mozilla.org/showbug.cgi?id=1206211
• Same origin violation and local file stealing via PDF reader, https://bugzilla.mozilla.org/showbug.cgi?id=1178058
• Electrolysis and Accessbility, https://wiki.mozilla.org/Electrolysis/Accessibility
• Introduction to Electrolysis, https://wiki.mozilla.org/Electrolysis
• Electrolys and multiple content process, https://wiki.mozilla.org/Electrolysis/Multiplecontentprocesses
• Sandbox security process model https://wiki.mozilla.org/Security/Sandbox/Processmodel
• Hardening the Firefox Security Sandbox https://wiki.mozilla.org/Security/Sandbox/Hardening
• Tammo and Dewald,Rieck,Andreas,Konrad and Krueger,Cujo: efficient detection and prevention of drive-by-download attacks,(2010)31–39.
• Chariton, Argyroudis, Patroklos and Karamitas, Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap,Blackhat USA,2012
• Emery D,Novark, Gene and Berger, DieHarder: securing the heap,(2010) 573—584