Did you ever wonder how browsers work under the hood, how they process information? If you do any kind of security research or technical analysis, the answer is yes. However, there aren't too many single resources which contain this information on all popular browsers. One which stands out, however, is Google's Browser Security Handbook.
This free handbook covers security challenges for all currently used browsers, as listed in Table 1.
The information is divided into three parts:
- Basic Concepts behind Web browsers
- Standard browser security features
- Experimental and legacy security mechanisms
In addition to general security information, you can download the test cases used to put the document together. Test scenarios were developed to ascertain how secure each browser is, given a specific set of conditions. For example, the test results for same-origin policy for cookies are shown in Figure 1.
This manual isn't for everyone. It's written to provide a deep understanding of how each browser responds within a certain attack or general use context. However, here are some suggestions for why you might want to wade through this information, even if you aren't a fulltime security researcher:
- Developers can get a better understanding of how their secure coding practices actually impact the greatest number of users
- Security managers can determine which browsers to allow and which to block when unfiltered browsing is necessary
- Penetration testers might use these results to develop more comprehensive test scenarios
- Security managers can gain a better understanding of potential attack vectors, enabling them to implement additional control layers to prevent, detect, and respond to browser exploits
- Distilling this information into an executive overview might help make the case for Web filtering technology, eliminating local admin access for business users, or limiting browsing to one or two browsers for which security has applied necessary supporting safeguards
- We can all use the results to beat on our favorite (or not so favorite) browser vendors so we might someday get at least one browser which passes all reasonable safe behavior tests
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.