SlideShare a Scribd company logo

Browser Security ppt.pptx

Download as PPTX, PDF
A
AjaySahre

The document discusses browser security. It begins by explaining how initial web protocols assumed cooperation but security became important as usage increased. It then discusses how browsers work, including how they access web pages using HTTP and display content. The document outlines some threats to browser security like zero-day exploits, cross-site scripting, and phishing. It also discusses the security versus usability tradeoff in browser design.

Career
1 of 17
COLLEGE OF APPLIED SCIENCE AND PROFESSIONAL STUDIES, CHIKHLI VEER NARMAD SOUTH GUJARAT UNIVERSITY BACHLOR OF COMPUTER APPLICATION(B.C.A.) 3rd YEAR SEMINAR REPORT ON “BROWSER SECURITY” GUIDED BY: SUBMITTED BY: ASS. PROF. AMISH D. VYASH PATEL DIGISHAKUMARI.P.
INTRODUCTION: The initial design of internet and web protocols assumed an environment where servers, clients, and routers cooperate and follow standard protocols except for unintentional errors. However, as the amount sensitivity of usage increased, concerns about security, fraud and attacks became important. In particular, since currently internet access is widely available, it is very easy for attackers to obtain many client (and even host) connections and addresses, and use them to launch different attacks, both on the networking itself and on other hosts and clients. Today's attackers are more likely to host their malicious files on the web. They may even update those files constantly using automated tools. When you are surfing the Internet, it is easy to visit sites you think are safe but are not. These sites can introduce malware when you click the site itself, when you download a file from the site manually and install it, or worse, when you are conned into believing the site you are visiting is a real site, but in fact is nothing more than a fake used to garner your personal information. From a network security perspective, a browser is essentially a somewhat controlled hole in your organization’s firewall that leads to the heart of what it is you are trying to protect. While browser designers do try to limit what attackers can do from within a browser, much of the security relies far too heavily on the browser user, who often has other interests besides security. There are limits to what a browser developer can compensate for, and browser users will not always accept the constraints of security that a browser establishes.
WEB BROWSER: Web browsers, often referred to just as browsers, are software applications used to locate and display Web pages on the World Wide Web. While this is the most popular usage, browsers can also be used to access and view content on a private or local network as well. but not all browsers are graphical browsers, which mean that they can display graphics as well as text. In addition, most modern browsers can present multimedia information, including sound and video, though they require plug-ins for some formats. Browser and Network
HOW WEB BROWSERS WORK?  The World Wide Web is a system of Internet servers that support specially formatted documents.  Web browsers are used to make it easy to access the World Wide Web.  rowsers are able to display Web pages largely in part to an underlying Web protocol called Hyper Text Transfer Protocol.  HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.  It is what allows Web clients and Web servers to communicate with each other. Open Browser Engineering Issues Other than the general design of HTTP, HTML, and related mechanisms discussed previously, a handful of browser engineering decisions tend to contribute to a disproportional of day-to-day security woes.  Relatively unsafe core programming languages: C++ is used for a majority of code in Internet Explorer, Firefox, Safari, Opera, and Chrome; C is used in certain highperformance or low-level areas, such as image manipulation libraries.  No security compartmentalization: once control of the process is seized due to common implementation flaws, most browsers provide essentially unconstrained access to the user context they are running in.
WHY BROWSER SECURITY? The web browser is the primary connection to the rest of the internet, and multiple applications may rely on the browser, or elements within the browser, to function. This makes the security settings within the browser even more important. Many web applications try to enhance the browsing experience by enabling different types of functionality, but this functionality might be unnecessary and may leave you susceptible to being attacked. The safest policy is to disable the majority of those features unless you decide they are necessary. If you determine that a site is trustworthy, you can choose to enable the functionality temporarily and then disable it once you are finished visiting the site. While every application has settings that are selected by default, you may discover that the browser also has predefined security levels that you can select. For example, Internet Explorer offers custom settings that allow you to select a particular level of security; features are enabled or disabled based on the selection. Even with these guides, it is helpful to have an understanding of what the different terms mean so that you can evaluate the features to determine which settings are appropriate for you. Consider AJAX, also known as Asynchronous JavaScript and XML. A Web page can contain code that establishes a network connection back to a server and conducts a conversation with that server that might bypass any number of security mechanisms integrated into the browser. The growing popularity of AJAX as a user-interface technique means an enterprise network often allows these connections, so that popular sites can function correctly.
Ajax is built on Dynamic HTML (DHTML) technologies, including these most common ones:  JavaScript: JavaScript is a scripting language commonly used in client-slide Web applications.  Document Object Model (DOM): DOM is a standard object model for representing HTML or XML documents. Most of today’s browsers support DOM and allow JavaScript code to read and modify the HTML content dynamically.  Cascading Style Sheets (CSS): CSS is a stylesheet language used to describe the presentation of HTML documents. JavaScript can modify the stylesheet at run time, allowing the presentation of the Web page to update dynamically.  XMLHttpRequest: XMLHttpRequest is an API that allows client-side JavaScript to make HTTP connections to remote servers and to exchange data, such as plain text, XML, or JavaScript Serialized Object Notation (JSON).  JSON: JSON, as proposed in Request for Comments (RFC) 4627, is a lightweight, textbased, language- independent, data-interchange format.
Advantages of Browser security 1.It is easier and cheaper to make a web-based system user friendly across more platfrome and screen sizes because it is one system that adapts to the screen. 2. Employees can work from different offices,a client's site,a hotel or even from home. 3. Your company could impress clients with a modern web portal and improve customer service with an automated process. 4. As everyone accesses the same web app via the same URL,the content will always be up to date. Disadvantages of Browser security 1.If your internet connection gose down or you are in an area that cannot connect,you will not be able to access a web. 2. Data may be less secure in the cloud,but protective measures like email encryption and SSL enforcement can be installed. 3. Different people have different browser preferences so you will need to check your application is congruent between browser.
THREATS Threat is an indication of impending danger or harm. Today's attackers are more likely to host their malicious files on the web. They may even update those files constantly using automated tools. Types of Threats  Zero-day exploit A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others, undisclosed to the software vendor, or for which no security fix is available. Zero- day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software vendor knows about the vulnerability. The term derives from the age of the exploit. When a vendor becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A "zero day" attack occurs on or before the first or "zeroth" day of vendor awareness, meaning the vendor has not had any opportunity to disseminate a security fix to users of the software. (In computer science, numbering often starts at zero instead of one.)
Cross-site Scripting (XSS) XSS is a common attack in which an attacker injects a malicious piece of code into an otherwise benign site. The two basic types of XSS attacks are:  Reflected XSS  Stored XSS A reflected XSS attack exploits vulnerable Web applications that display input parameters back to the browser without checking for the presence of active content in them. Typically, an attacker lures victims into clicking on the URL, as shown below. Cross-site reference forgery Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF ("sea- surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
… FIGURE 2: EXAMPLE OF A CSRF HOLE IN COMMERCIAL BANKING SOFTWARE THE ATTACK WORKS BY INCLUDING A LINK OR SCRIPT IN A PAGE THAT ACCESSES A SITE TO WHICH THE USER IS KNOWN (OR IS SUPPOSED) TO HAVE AUTHENTICATED. FOR EXAMPLE, ONE USER, BOB, MIGHT BE BROWSING A CHAT FORUM WHERE ANOTHER USER, MALLORY, HAS POSTED A MESSAGE.
PHISHING  Phishing Techniques: Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.  Link manipulation : Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the anchor text for a link appear to be valid, when the link actually goes to the phishers' site. The following example link, http://en.wikipedia.org/wiki/Genuine, appears to take you to an article entitled "Genuine"; clicking on it will in fact take you to the article entitled "Deception".  Filter evasion: Phishers have used images instead of text to make it harder for antiphishing filters to detect text commonly used in phishing e-mails.
HOW DO WE KNOW?  Phishers, pretending to be legitimate companies, may use email to request personal information and direct recipients to respond through malicious web sites  Phishers tend to use emotional language using scare tactics or urgent requests to entice recipients to respond  The phish sites can look remarkably like legitimate sites because they tend to use the copyrighted images from legitimate sites  Requests for confidential information via email or Instant Message tend to not be legitimate  Fraudulent messages are often not personalized and may share similar properties like details in the header and footer
COOKIES A cookie (also tracking cookie, browser cookie, and HTTP cookie) is a small piece of text stored on a user's computer by a web browser. A cookie consists of one or more name-value pairs containing bits of information such as user preferences, shopping cart contents, the identifier for a server- based session, or other data used by websites.  Figure 4: Setting a cookie
USES OF COOKIES  Session management Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits.  Personalization: Many websites use cookies for personalization based on users' preferences. Users select their preferences by entering them in a web form and submitting the form to the server. Variations • Session cookies – Session cookies are stored on you hard drive only during the time that you are at a particular site. They are automatically deleted when you terminate your session. • Persistent cookies – Persistent cookies store on your personal preferences on your computer for an extended period of time. • Third-party cookies -- Images or other objects contained in a Web page may reside in servers different from the one holding the page.
SECURITY VERSUS USABILITY Usability and security have long been at odds with each other in software design The browser is no exception to that rule. When browsing the Web or downloading files the user constantly needs to make choices about whether to trust a site or the content accessed from that site. Browser approaches to this have evolved over time—for example, browsers used to give a slight warning if you accessed a site with an invalid HTTPS certificate; now most browsers block sites with invalid certificates and make the user figure out how to unblock them. Similar approaches are taken with file downloads. Internet Explorer tends to ask the user several times before opening a downloaded file, especially if the file is not signed. Prompting the user for actions that are legitimate most of the time often creates user fatigue, which makes the user careless in walking the tightrope between software with a “reasonable but not excessive” security posture and a package that is either too open for safety or too closed to be useful. Most browsers today have evolved from the “make the user make the choice” model to the “block and require explicit override action” model.
SECURITY IMPLEMENTATIONS AND BROWSERS SSL is the protocol between two points, usually browser and server. The weaknesses in the system usually are due to the browser, not the protocol. The cookie (incident) has nothing to do with SSL. The cookie is something that is associated with an HTTP session--it's actually a Web standard. The cookie idea was invented to make sure that you can have a long session on the Web, before SSL (came into the picture). CONCLUSION Browsers are at the heart of the Internet experience, and as such they are also at the heart of many of the security problems that plague users and developers alike. As the sensitivity of internet usage increased concerns about security, fraud and attacks became important. There are limits to what a browser developer can compensate for, and browser users will not always accept the constraints of security that a browser establishes. Attack and defense strategies are coevolving, as are the use and threat models.
Browser Security ppt.pptx

Recommended

WhatsApp security
WhatsApp securityWhatsApp security
WhatsApp security
Javi Hurtado
 
How internet works
How internet worksHow internet works
How internet works
ANurag Kumar
 
Web browser(pp ts)
Web browser(pp ts)Web browser(pp ts)
Web browser(pp ts)
darpan1118
 
All About Internet Services
All About Internet ServicesAll About Internet Services
All About Internet Services
Varun
 
How Computer Viruses Work
How Computer Viruses WorkHow Computer Viruses Work
How Computer Viruses Work
Cerise Anderson
 
History of Computer Virus
History of Computer Virus History of Computer Virus
History of Computer Virus
Ammy Vijay
 
SERVICES ON THE INTERNET
SERVICES ON THE INTERNETSERVICES ON THE INTERNET
SERVICES ON THE INTERNET
Riya Gupta
 
Googlechrome ppt
Googlechrome pptGooglechrome ppt
Googlechrome ppt
abshah37
 

Recommended

WhatsApp security
WhatsApp securityWhatsApp security
WhatsApp security
Javi Hurtado
 
How internet works
How internet worksHow internet works
How internet works
ANurag Kumar
 
Web browser(pp ts)
Web browser(pp ts)Web browser(pp ts)
Web browser(pp ts)
darpan1118
 
All About Internet Services
All About Internet ServicesAll About Internet Services
All About Internet Services
Varun
 
How Computer Viruses Work
How Computer Viruses WorkHow Computer Viruses Work
How Computer Viruses Work
Cerise Anderson
 
History of Computer Virus
History of Computer Virus History of Computer Virus
History of Computer Virus
Ammy Vijay
 
SERVICES ON THE INTERNET
SERVICES ON THE INTERNETSERVICES ON THE INTERNET
SERVICES ON THE INTERNET
Riya Gupta
 
Googlechrome ppt
Googlechrome pptGooglechrome ppt
Googlechrome ppt
abshah37
 
Mobile security
Mobile securityMobile security
Mobile security
Tapan Khilar
 
How the internet works
How the internet worksHow the internet works
How the internet works
ftcim
 
Exchange server.pptx
Exchange server.pptxExchange server.pptx
Exchange server.pptx
Vignesh kumar
 
Exchange 2013 Architecture Details
Exchange 2013 Architecture DetailsExchange 2013 Architecture Details
Exchange 2013 Architecture Details
Huy Phạm
 
Ransomware
RansomwareRansomware
Ransomware
Nick Miller
 
Internet
InternetInternet
Internet
Sonika koul
 
Computer virus
Computer virusComputer virus
Computer virus
Shubham_Indrawat
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
Alfred George
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
MarketingArrowECS_CZ
 
Internet
InternetInternet
Internet
NeilfieOrit2
 
The Internet: All about the Internet
The Internet: All about the InternetThe Internet: All about the Internet
The Internet: All about the Internet
SweetLynStockwell
 
Browser Security
Browser SecurityBrowser Security
Browser Security
Roberto Suggi Liverani
 
What is malware
What is malwareWhat is malware
What is malware
Malcolm York
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
Sukrit Gupta
 
Malware and it's types
Malware and it's typesMalware and it's types
Malware and it's types
Aakash Baloch
 
Email security presentation
Email security presentationEmail security presentation
Email security presentation
SubhradeepMaji
 
Services provided by the internet
Services provided by the internetServices provided by the internet
Services provided by the internet
Ma.Elena Deguito
 
Malicious software
Malicious softwareMalicious software
Malicious software
msdeepika
 
World wide web (WWW)
World wide web (WWW)World wide web (WWW)
World wide web (WWW)
Mishuk Hossan
 
unified threat management by Nisha Menon K
unified threat management by Nisha Menon K unified threat management by Nisha Menon K
unified threat management by Nisha Menon K
Nisha Menon K
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do s
mehr77
 

More Related Content

What's hot

How the internet works
How the internet worksHow the internet works
How the internet works
ftcim
 
Exchange 2013 Architecture Details
Exchange 2013 Architecture DetailsExchange 2013 Architecture Details
Exchange 2013 Architecture Details
Huy Phạm
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
Sukrit Gupta
 
Services provided by the internet
Services provided by the internetServices provided by the internet
Services provided by the internet
Ma.Elena Deguito
 
Malicious software
Malicious softwareMalicious software
Malicious software
msdeepika
 

What's hot (20)

Mobile security
Mobile securityMobile security
Mobile security
 
How the internet works
How the internet worksHow the internet works
How the internet works
 
Exchange server.pptx
Exchange server.pptxExchange server.pptx
Exchange server.pptx
 
Exchange 2013 Architecture Details
Exchange 2013 Architecture DetailsExchange 2013 Architecture Details
Exchange 2013 Architecture Details
 
Ransomware
RansomwareRansomware
Ransomware
 
Internet
InternetInternet
Internet
 
Computer virus
Computer virusComputer virus
Computer virus
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Internet
InternetInternet
Internet
 
The Internet: All about the Internet
The Internet: All about the InternetThe Internet: All about the Internet
The Internet: All about the Internet
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
What is malware
What is malwareWhat is malware
What is malware
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
 
Malware and it's types
Malware and it's typesMalware and it's types
Malware and it's types
 
Email security presentation
Email security presentationEmail security presentation
Email security presentation
 
Services provided by the internet
Services provided by the internetServices provided by the internet
Services provided by the internet
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
World wide web (WWW)
World wide web (WWW)World wide web (WWW)
World wide web (WWW)
 
unified threat management by Nisha Menon K
unified threat management by Nisha Menon K unified threat management by Nisha Menon K
unified threat management by Nisha Menon K
 

Similar to Browser Security ppt.pptx

Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do s
mehr77
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
Browser Security – Issues and Best Practices1Outli
Browser Security – Issues and Best Practices1OutliBrowser Security – Issues and Best Practices1Outli
Browser Security – Issues and Best Practices1Outli
VannaSchrader3
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
Zero Science Lab
 
Web Development ​.pdf
Web Development ​.pdfWeb Development ​.pdf
Web Development ​.pdf
Ishani Jerin
 

Similar to Browser Security ppt.pptx (20)

Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do s
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
 
Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Ch21 system administration
Ch21 system administration Ch21 system administration
Ch21 system administration
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Methods Hackers Use
Methods Hackers UseMethods Hackers Use
Methods Hackers Use
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
Browser Security – Issues and Best Practices1Outli
Browser Security – Issues and Best Practices1OutliBrowser Security – Issues and Best Practices1Outli
Browser Security – Issues and Best Practices1Outli
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best Practices
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
 
Web Development ​.pdf
Web Development ​.pdfWeb Development ​.pdf
Web Development ​.pdf
 
Web services
Web servicesWeb services
Web services
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
configuring and using internet.pptx
configuring and using internet.pptxconfiguring and using internet.pptx
configuring and using internet.pptx
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 

More from AjaySahre

36890126-Blue-Eyes.ppt
36890126-Blue-Eyes.ppt36890126-Blue-Eyes.ppt
36890126-Blue-Eyes.ppt
AjaySahre
 
ZigBee technology.pptx
ZigBee technology.pptxZigBee technology.pptx
ZigBee technology.pptx
AjaySahre
 
40005571-H323MCU-Functionality.ppt
40005571-H323MCU-Functionality.ppt40005571-H323MCU-Functionality.ppt
40005571-H323MCU-Functionality.ppt
AjaySahre
 

More from AjaySahre (8)

e-paper.pptx
e-paper.pptxe-paper.pptx
e-paper.pptx
 
a-Blue-Eyes.pptx
a-Blue-Eyes.pptxa-Blue-Eyes.pptx
a-Blue-Eyes.pptx
 
Smart Cards.pptx
Smart Cards.pptxSmart Cards.pptx
Smart Cards.pptx
 
36890126-Blue-Eyes.ppt
36890126-Blue-Eyes.ppt36890126-Blue-Eyes.ppt
36890126-Blue-Eyes.ppt
 
ZigBee technology.pptx
ZigBee technology.pptxZigBee technology.pptx
ZigBee technology.pptx
 
Presentation.pptx
Presentation.pptxPresentation.pptx
Presentation.pptx
 
40005571-H323MCU-Functionality.ppt
40005571-H323MCU-Functionality.ppt40005571-H323MCU-Functionality.ppt
40005571-H323MCU-Functionality.ppt
 
51775454-SMART-CARDS.ppt
51775454-SMART-CARDS.ppt51775454-SMART-CARDS.ppt
51775454-SMART-CARDS.ppt
 

Recently uploaded

太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
foismail170
 
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
foismail170
 
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdfDr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam
 
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
larisashrestha558
 
Transferable Skills - Your Roadmap - Part 1 and 2 - Dirk Spencer Senior Recru...
Transferable Skills - Your Roadmap - Part 1 and 2 - Dirk Spencer Senior Recru...Transferable Skills - Your Roadmap - Part 1 and 2 - Dirk Spencer Senior Recru...
Transferable Skills - Your Roadmap - Part 1 and 2 - Dirk Spencer Senior Recru...
Dirk Spencer Corporate Recruiter LION
 
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
foismail170
 

Recently uploaded (20)

太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
 
0524.priorspeakingengagementslist-01.pdf
0524.priorspeakingengagementslist-01.pdf0524.priorspeakingengagementslist-01.pdf
0524.priorspeakingengagementslist-01.pdf
 
Widal Agglutination Test: A rapid serological diagnosis of typhoid fever
Widal Agglutination Test: A rapid serological diagnosis of typhoid feverWidal Agglutination Test: A rapid serological diagnosis of typhoid fever
Widal Agglutination Test: A rapid serological diagnosis of typhoid fever
 
133. Reviewer Certificate in Advances in Research
133. Reviewer Certificate in Advances in Research133. Reviewer Certificate in Advances in Research
133. Reviewer Certificate in Advances in Research
 
Operating system. short answes and Interview questions .pdf
Operating system. short answes and Interview questions .pdfOperating system. short answes and Interview questions .pdf
Operating system. short answes and Interview questions .pdf
 
0524.THOMASGIRARD_CURRICULUMVITAE-01.pdf
0524.THOMASGIRARD_CURRICULUMVITAE-01.pdf0524.THOMASGIRARD_CURRICULUMVITAE-01.pdf
0524.THOMASGIRARD_CURRICULUMVITAE-01.pdf
 
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
 
129. Reviewer Certificate in BioNature [2024]
129. Reviewer Certificate in BioNature [2024]129. Reviewer Certificate in BioNature [2024]
129. Reviewer Certificate in BioNature [2024]
 
0524.THOMASGIRARD_SINGLEPAGERESUME-01.pdf
0524.THOMASGIRARD_SINGLEPAGERESUME-01.pdf0524.THOMASGIRARD_SINGLEPAGERESUME-01.pdf
0524.THOMASGIRARD_SINGLEPAGERESUME-01.pdf
 
Heidi Livengood Resume Senior Technical Recruiter / HR Generalist
Heidi Livengood Resume Senior Technical Recruiter / HR GeneralistHeidi Livengood Resume Senior Technical Recruiter / HR Generalist
Heidi Livengood Resume Senior Technical Recruiter / HR Generalist
 
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdfDr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
 
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
 
Day care leadership document it helps to a person who needs caring children
Day care leadership document it helps to a person who needs caring childrenDay care leadership document it helps to a person who needs caring children
Day care leadership document it helps to a person who needs caring children
 
135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering
 
D.El.Ed. College List -Session 2024-26.pdf
D.El.Ed. College List -Session 2024-26.pdfD.El.Ed. College List -Session 2024-26.pdf
D.El.Ed. College List -Session 2024-26.pdf
 
134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science
 
Biography and career history of Chad Henson.pdf
Biography and career history of Chad Henson.pdfBiography and career history of Chad Henson.pdf
Biography and career history of Chad Henson.pdf
 
132. Acta Scientific Pharmaceutical Sciences
132. Acta Scientific Pharmaceutical Sciences132. Acta Scientific Pharmaceutical Sciences
132. Acta Scientific Pharmaceutical Sciences
 
Transferable Skills - Your Roadmap - Part 1 and 2 - Dirk Spencer Senior Recru...
Transferable Skills - Your Roadmap - Part 1 and 2 - Dirk Spencer Senior Recru...Transferable Skills - Your Roadmap - Part 1 and 2 - Dirk Spencer Senior Recru...
Transferable Skills - Your Roadmap - Part 1 and 2 - Dirk Spencer Senior Recru...
 
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
 

Browser Security ppt.pptx

  • 1. COLLEGE OF APPLIED SCIENCE AND PROFESSIONAL STUDIES, CHIKHLI VEER NARMAD SOUTH GUJARAT UNIVERSITY BACHLOR OF COMPUTER APPLICATION(B.C.A.) 3rd YEAR SEMINAR REPORT ON “BROWSER SECURITY” GUIDED BY: SUBMITTED BY: ASS. PROF. AMISH D. VYASH PATEL DIGISHAKUMARI.P.
  • 2. INTRODUCTION: The initial design of internet and web protocols assumed an environment where servers, clients, and routers cooperate and follow standard protocols except for unintentional errors. However, as the amount sensitivity of usage increased, concerns about security, fraud and attacks became important. In particular, since currently internet access is widely available, it is very easy for attackers to obtain many client (and even host) connections and addresses, and use them to launch different attacks, both on the networking itself and on other hosts and clients. Today's attackers are more likely to host their malicious files on the web. They may even update those files constantly using automated tools. When you are surfing the Internet, it is easy to visit sites you think are safe but are not. These sites can introduce malware when you click the site itself, when you download a file from the site manually and install it, or worse, when you are conned into believing the site you are visiting is a real site, but in fact is nothing more than a fake used to garner your personal information. From a network security perspective, a browser is essentially a somewhat controlled hole in your organization’s firewall that leads to the heart of what it is you are trying to protect. While browser designers do try to limit what attackers can do from within a browser, much of the security relies far too heavily on the browser user, who often has other interests besides security. There are limits to what a browser developer can compensate for, and browser users will not always accept the constraints of security that a browser establishes.
  • 3. WEB BROWSER: Web browsers, often referred to just as browsers, are software applications used to locate and display Web pages on the World Wide Web. While this is the most popular usage, browsers can also be used to access and view content on a private or local network as well. but not all browsers are graphical browsers, which mean that they can display graphics as well as text. In addition, most modern browsers can present multimedia information, including sound and video, though they require plug-ins for some formats. Browser and Network
  • 4. HOW WEB BROWSERS WORK?  The World Wide Web is a system of Internet servers that support specially formatted documents.  Web browsers are used to make it easy to access the World Wide Web.  rowsers are able to display Web pages largely in part to an underlying Web protocol called Hyper Text Transfer Protocol.  HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.  It is what allows Web clients and Web servers to communicate with each other. Open Browser Engineering Issues Other than the general design of HTTP, HTML, and related mechanisms discussed previously, a handful of browser engineering decisions tend to contribute to a disproportional of day-to-day security woes.  Relatively unsafe core programming languages: C++ is used for a majority of code in Internet Explorer, Firefox, Safari, Opera, and Chrome; C is used in certain highperformance or low-level areas, such as image manipulation libraries.  No security compartmentalization: once control of the process is seized due to common implementation flaws, most browsers provide essentially unconstrained access to the user context they are running in.
  • 5. WHY BROWSER SECURITY? The web browser is the primary connection to the rest of the internet, and multiple applications may rely on the browser, or elements within the browser, to function. This makes the security settings within the browser even more important. Many web applications try to enhance the browsing experience by enabling different types of functionality, but this functionality might be unnecessary and may leave you susceptible to being attacked. The safest policy is to disable the majority of those features unless you decide they are necessary. If you determine that a site is trustworthy, you can choose to enable the functionality temporarily and then disable it once you are finished visiting the site. While every application has settings that are selected by default, you may discover that the browser also has predefined security levels that you can select. For example, Internet Explorer offers custom settings that allow you to select a particular level of security; features are enabled or disabled based on the selection. Even with these guides, it is helpful to have an understanding of what the different terms mean so that you can evaluate the features to determine which settings are appropriate for you. Consider AJAX, also known as Asynchronous JavaScript and XML. A Web page can contain code that establishes a network connection back to a server and conducts a conversation with that server that might bypass any number of security mechanisms integrated into the browser. The growing popularity of AJAX as a user-interface technique means an enterprise network often allows these connections, so that popular sites can function correctly.
  • 6. Ajax is built on Dynamic HTML (DHTML) technologies, including these most common ones:  JavaScript: JavaScript is a scripting language commonly used in client-slide Web applications.  Document Object Model (DOM): DOM is a standard object model for representing HTML or XML documents. Most of today’s browsers support DOM and allow JavaScript code to read and modify the HTML content dynamically.  Cascading Style Sheets (CSS): CSS is a stylesheet language used to describe the presentation of HTML documents. JavaScript can modify the stylesheet at run time, allowing the presentation of the Web page to update dynamically.  XMLHttpRequest: XMLHttpRequest is an API that allows client-side JavaScript to make HTTP connections to remote servers and to exchange data, such as plain text, XML, or JavaScript Serialized Object Notation (JSON).  JSON: JSON, as proposed in Request for Comments (RFC) 4627, is a lightweight, textbased, language- independent, data-interchange format.
  • 7. Advantages of Browser security 1.It is easier and cheaper to make a web-based system user friendly across more platfrome and screen sizes because it is one system that adapts to the screen. 2. Employees can work from different offices,a client's site,a hotel or even from home. 3. Your company could impress clients with a modern web portal and improve customer service with an automated process. 4. As everyone accesses the same web app via the same URL,the content will always be up to date. Disadvantages of Browser security 1.If your internet connection gose down or you are in an area that cannot connect,you will not be able to access a web. 2. Data may be less secure in the cloud,but protective measures like email encryption and SSL enforcement can be installed. 3. Different people have different browser preferences so you will need to check your application is congruent between browser.
  • 8. THREATS Threat is an indication of impending danger or harm. Today's attackers are more likely to host their malicious files on the web. They may even update those files constantly using automated tools. Types of Threats  Zero-day exploit A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others, undisclosed to the software vendor, or for which no security fix is available. Zero- day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software vendor knows about the vulnerability. The term derives from the age of the exploit. When a vendor becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A "zero day" attack occurs on or before the first or "zeroth" day of vendor awareness, meaning the vendor has not had any opportunity to disseminate a security fix to users of the software. (In computer science, numbering often starts at zero instead of one.)
  • 9. Cross-site Scripting (XSS) XSS is a common attack in which an attacker injects a malicious piece of code into an otherwise benign site. The two basic types of XSS attacks are:  Reflected XSS  Stored XSS A reflected XSS attack exploits vulnerable Web applications that display input parameters back to the browser without checking for the presence of active content in them. Typically, an attacker lures victims into clicking on the URL, as shown below. Cross-site reference forgery Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF ("sea- surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
  • 10. … FIGURE 2: EXAMPLE OF A CSRF HOLE IN COMMERCIAL BANKING SOFTWARE THE ATTACK WORKS BY INCLUDING A LINK OR SCRIPT IN A PAGE THAT ACCESSES A SITE TO WHICH THE USER IS KNOWN (OR IS SUPPOSED) TO HAVE AUTHENTICATED. FOR EXAMPLE, ONE USER, BOB, MIGHT BE BROWSING A CHAT FORUM WHERE ANOTHER USER, MALLORY, HAS POSTED A MESSAGE.
  • 11. PHISHING  Phishing Techniques: Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.  Link manipulation : Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the anchor text for a link appear to be valid, when the link actually goes to the phishers' site. The following example link, http://en.wikipedia.org/wiki/Genuine, appears to take you to an article entitled "Genuine"; clicking on it will in fact take you to the article entitled "Deception".  Filter evasion: Phishers have used images instead of text to make it harder for antiphishing filters to detect text commonly used in phishing e-mails.
  • 12. HOW DO WE KNOW?  Phishers, pretending to be legitimate companies, may use email to request personal information and direct recipients to respond through malicious web sites  Phishers tend to use emotional language using scare tactics or urgent requests to entice recipients to respond  The phish sites can look remarkably like legitimate sites because they tend to use the copyrighted images from legitimate sites  Requests for confidential information via email or Instant Message tend to not be legitimate  Fraudulent messages are often not personalized and may share similar properties like details in the header and footer
  • 13. COOKIES A cookie (also tracking cookie, browser cookie, and HTTP cookie) is a small piece of text stored on a user's computer by a web browser. A cookie consists of one or more name-value pairs containing bits of information such as user preferences, shopping cart contents, the identifier for a server- based session, or other data used by websites.  Figure 4: Setting a cookie
  • 14. USES OF COOKIES  Session management Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits.  Personalization: Many websites use cookies for personalization based on users' preferences. Users select their preferences by entering them in a web form and submitting the form to the server. Variations • Session cookies – Session cookies are stored on you hard drive only during the time that you are at a particular site. They are automatically deleted when you terminate your session. • Persistent cookies – Persistent cookies store on your personal preferences on your computer for an extended period of time. • Third-party cookies -- Images or other objects contained in a Web page may reside in servers different from the one holding the page.
  • 15. SECURITY VERSUS USABILITY Usability and security have long been at odds with each other in software design The browser is no exception to that rule. When browsing the Web or downloading files the user constantly needs to make choices about whether to trust a site or the content accessed from that site. Browser approaches to this have evolved over time—for example, browsers used to give a slight warning if you accessed a site with an invalid HTTPS certificate; now most browsers block sites with invalid certificates and make the user figure out how to unblock them. Similar approaches are taken with file downloads. Internet Explorer tends to ask the user several times before opening a downloaded file, especially if the file is not signed. Prompting the user for actions that are legitimate most of the time often creates user fatigue, which makes the user careless in walking the tightrope between software with a “reasonable but not excessive” security posture and a package that is either too open for safety or too closed to be useful. Most browsers today have evolved from the “make the user make the choice” model to the “block and require explicit override action” model.
  • 16. SECURITY IMPLEMENTATIONS AND BROWSERS SSL is the protocol between two points, usually browser and server. The weaknesses in the system usually are due to the browser, not the protocol. The cookie (incident) has nothing to do with SSL. The cookie is something that is associated with an HTTP session--it's actually a Web standard. The cookie idea was invented to make sure that you can have a long session on the Web, before SSL (came into the picture). CONCLUSION Browsers are at the heart of the Internet experience, and as such they are also at the heart of many of the security problems that plague users and developers alike. As the sensitivity of internet usage increased concerns about security, fraud and attacks became important. There are limits to what a browser developer can compensate for, and browser users will not always accept the constraints of security that a browser establishes. Attack and defense strategies are coevolving, as are the use and threat models.