Web Browser Security

The web is absolutely necessary part of our lives. It is wide platform which is used for information sharing and service over internet. They are used for the financial, government, healthcare, education and many critical services. Everyday billions of user purchase items, transfer money, retrieve information and communicate over web with each other. Although the web is best friend of users because it provide anytime anywhere access to information and services at the same time. All things are created by human in the world so its reality that the things created by man are little bit problematic. So web applications are also created by human so it contains too many loopholes. The popularity of applications allure hackers towards them. Now a Days Securing and maintaining the websites against attack is very hard and challenging task. Finding loopholes in Web application, Computer system or network and exploiting them called hacking. New approaches for web attacks are invented day to day so the study of detect and prevent against web application attack and finding solution is important part in internet world. In this paper we introduced all web application based attack including two major attacks like XSS (Cross Site Scripting) and SQLI.

Phishing is the fraudulent acquisition of personal information like username, password, credit card information, etc. by tricking an individual into believing that the attacker is a trustworthy entity. It is affecting all the major sector of industry day by day with lots of misuse of user’s credentials. So in today online environment we need to protect the data from phishing and safeguard our information, which can be done through anti-phishing tools. Currently there are many freely available anti-phishing browser extensions tools that warns user when they are browsing a suspected phishing site. In this paper we did a literature survey of some of the commonly and popularly used anti-phishing browser extensions by reviewing the existing anti-phishing techniques along with their merits and demerits.

Cloud SSO is currently predicted as the next generation of SSO impelled by the popularization of SAMLbased Federation Identity (FIM). Inspired from the research
papers collected in the Literature Search, this Technical Report focuses on the emergent security issues in Cloud-Computingbased cross-domain SSO. As cloud authentication relies on Browser for I/O between client and remote servers, inherent web security deficiencies cause security risks on current browserbased
authentication protocols (i.e., Microsofts Passport and SAML protocols). A variety of approaches through integrating TLS with Same Origin Policy (SOP) devoting to mitigate the security pitfalls of this scenario are presented herein, thereby attempting to explore the potential of state-of-the-art security technologies against cloud SSO authentication challenges.

This article describes methods allowing identification of end stations based on information accessible through web browser. Information are analyzed without need to store any data on remote host computer. Identification method consists of creating of web browser fingerprint through data accessible via application programming interface (API) or headers of communications protocols. Accuracy of web browser identifications is more than 94 % regardless of the used operating system or web brow-ser. In this article, most frequently used methods of web browser fingerprinting (JavaScript, Flash, WebGL) are described. Further, we detail protection mechanisms against web browser fingerprinting.

“Warning, your computer is infected with spyware. Windows needs to download and install the anti-spyware updates to remedy this issue. Click OK to begin.” This is just one example of many popup warnings that spyware and malware creators use to try to mislead unsuspecting Internet users into downloading potentially harmful software. Falling prey to an illegitimate message could produce negative consequences that vary from bothersome computer performance to complete system failure. The purpose of this study was to determine which visual design cues, if any, would alert people to the illegitimacy of fake popup warning windows while browsing the Internet. Results indicated that most people did not behave in a cautious manner upon presentation of three different fake popup warning windows. Implications of the research are discussed.

With the ever-increasing use of banking-related services on the web, browsers have naturally drawn the attention of malware authors. They are interested in adjusting the behaviour of the browsers for their purposes, namely intercepting the content of web forms, modifying server responses manifested as webinjects, and confirming validity of spoofed SSL certificates. These goals are usually achieved by placing malicious code at certain addresses within a browser process.

It has been more than seven years now since the infamous Zeus bot first successfully took advantage of Mozilla Firefox by hooking specific exported functions, and the same approach has been widely used by others ever since. Moving to Microsoft Edge, the browser's developers have made their best efforts to mitigate arbitrary code execution, using technologies like Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG), but the focus is on stopping exploitation of the browser itself, rather than preventing execution of injected code delivered by a remote malicious process. Finally, cybercrooks seem to have the greatest trouble adapting their hooks in Google Chrome. Though it might not have been the primary intent of the developers, the custom implementation of its SSL functionality has resulted in a cat-and-mouse game thanks to the fact that the attack points are unexported and change regularly.

In our presentation we will guide the audience through an overview of the techniques used by major banking trojans in the wild. We are pleased to see that the ease of implementing hijacking methods is diminishing, and that attackers are under constant pressure to adopt changes. Moreover, security solutions offer various browser protections that work very well against existing methods. How do they handle that? Wouldn't it be great to see the mitigation in the first possible layer? We consider this as a topic for discussion. As a side result, we also transform our collected knowledge into a plug-in for the Volatility Framework that extends the functionality of apihooks within the scope of browsers.

With the ever-increasing use of banking-related services on the web, browsers have naturally drawn the attention of malware authors. They are interested in adjusting the behaviour of the browsers for their purposes, namely intercepting the content of web forms, modifying server responses manifested as webinjects, and confirming validity of spoofed SSL certificates. These goals are usually achieved by placing malicious code at certain addresses within a browser process. It has been more than seven years now since the infamous Zeus bot first successfully took advantage of Mozilla Firefox by hooking specific exported functions, and the same approach has been widely used by others ever since. Moving to Microsoft Edge, the browser's developers have made their best efforts to mitigate arbitrary code execution, using technologies like Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG), but the focus is on stopping exploitation of the browser itself, rather than preventing execut...

With the ever-increasing use of banking-related services on the web, browsers have naturally drawn the attention of malware authors. They are interested in adjusting the behaviour of the browsers for their purposes, namely intercepting the content of web forms, modifying server responses manifested as webinjects, and confi rming validity of spoofed SSL certifi cates. These goals are usually achieved by placing malicious code at certain addresses within a browser process. It has been more than seven years now since the infamous Zeus bot fi rst successfully took advantage of Mozilla Firefox by hooking specifi c exported functions, and the same approach has been widely used by others ever since. Moving to Microsoft Edge, the browser’s developers have made their best efforts to mitigate arbitrary code execution, using technologies like Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG), but the focus is on stopping exploitation of the browser itself, rather than preventing execut...