In the last article
, we saw how miscreants exploit browser architecture vulnerabilities to target unsuspecting victim. In the second installment of browser vulnerabilities, we will explore other means whereby browser integrity is compromised to target users.
Cross-site Scripting (XSS)
Cross-site Scripting (XSS) refers to client side code injection attack. XSS attackers execute malicious scripts in a website. The main victims of XSS vulnerabilities are dynamic websites. Whenever web pages are generated on the fly by the web server, it is the client browser that interprets the page. Unlike static websites, where there is little or no scope for an attacker to inject code, dynamic website accepts user input. This allows attackers to exploit script vulnerabilities. This malicious code is not detected by either the browser interpreter
While the newer versions of browsers are protected to a large extent from XSS, the older versions are still prone to it.
XSS can be further sub divided as Stored XSS, Reflected XSS, and Document Object Model based XSS.
Denial of Service (DoS) Vulnerability
One interesting point to note is that while DoS attacks may be initiated from a single machine, they can be easily blocked by firewalls and other cyber security measures. These attackers therefore use a cluster of machines to carry out the attack. Simply put, it takes an orchestrated effort to effectively make a successful DoS attack.
Remote Code Execution Vulnerability
In a layman's term, remote code execution is an attacker's capability to access a device and make unauthorized changes to the devices programs / code, irrespective of where the machine is geographically located. Most browsers are vulnerable to this kind of attack. Attackers typically inject and execute shell code to give an attacker an easy way to manually run arbitrary commands. Not only browsers, but most languages are vulnerable to remote code execution vulnerability, and coders need to take adequate cyber security measures to prevent this from happening.
Buffer Overflow Vulnerability
Modern programming languages use variables to store data that cannot be defined at the time of writing of code. Arrays are a typical example of variables. These variables are allocated certain fixed length sequential memory slots to store the data. A buffer overflow typically occurs when more data is put in the memory slot than designated for it. When this happens, miscreants can exploit the situation. This is called as buffer overflow vulnerability.
Most of the browsers are vulnerable to remote code execution and memory corruption.
To summarize, there are various kind of browser vulnerabilities that cyber criminals / hackers can exploit. These vulnerabilities occur either due to inherent browser code bugs or faulty code. Browser companies constantly test and fix the vulnerabilities with security patches as and when required. It is also essential to let competent cyber security consultants assess code that company programmers have written. Only then can you mostly protect yourself from these vulnerabilities.
You may also like to read: