Topic 5  Web

Browser
Security
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Identify web browser features and risks;
2. Discuss the functions of cookies;
3. Describe how http used cookies; and
4. Explain clientăside programming language.

 INTRODUCTION
A browser is a program that lets you surf the web. Currently the most popular
browsers are Microsoft Internet Explorer and Netscape Navigator. A browser
runs on your computer. When you type in a URL or click a link, your browser
sends a request to the remote server specified in URL. For example, if you surf to
www.matri.edu.my your browser will send a request to MATRI web server. The
web server will send back a reply ă usually a web page. So, you must secure your
web browser because web browsers are used so frequently. Sometimes, the web
browser that comes with an operating system is not set up in a secure default
configuration. Not securing your web browser can quickly lead to a variety of
computer problems caused by anything from spyware being installed without
your knowledge to intruders taking control of your computer. There are some
software features that provide functionality to a web browser, such as ActiveX,
Java, Scripting Java Script and VBScript. All this features can secure your web
browsers and minimise the chances that a vulnerability in a web browser,
website, or related software can be used to compromise sensitive information.
 TOPIC 5 WEB BROWSER SECURITY  61

5.1 WEB BROWSER FEATURES AND RISKS

Today, web browsers such as Internet Explorer, Mozilla Firefox, and Apple Safari
(to name a few), are installed on almost all computers. Since web browsers are
used so frequently, it is vital to configure them securely. Often, the web browser
that comes with an operating system is not set up in a secure default
configuration. Not securing your web browser can lead quickly to a variety of
computer problems caused by anything from spyware being installed without
your knowledge to intruders taking control of your computer.

It is important to understand the functionality and features of the web browser.

Enabling some web browser features may lower security. Often, webmasters will
enable features by default to improve the computing experience, but these
features may end up increasing the risk to the computer (refer to Figure 5.1
and 5.2).

Figure. 5.1: Web browser communicating to a website

62  TOPIC 5 WEB BROWSER SECURITY

Figure. 5.2: Flow Chart of CGI Applications

Attackers focus on exploiting client-side systems (the computer) through various

vulnerabilities. They use these vulnerabilities to take control of the computer,
steal information, destroy files and use computer to attack other computers. A
low-cost way attackers do this is by exploiting vulnerabilities in web browsers.
An attacker can create a malicious web page that will install Trojan software or
spyware that will steal information. Rather than actively targeting and attacking
vulnerable systems, a malicious website can passively compromise systems as
the site is visited. A malicious HTML document can also be e-mailed to victims.
In these cases, the act of opening the e-mail or attachment can compromise the
system. Figure 5.3 shows an application using browser engine.
 TOPIC 5 WEB BROWSER SECURITY  63

Figure. 5.3: Applications using Browser engine

Some specific web browser features and associated risks are briefly described
below. Understanding what different features do will help you understand how
they affect your web browserÊs functionality and the security of your computer.
 Plug-ins can contain programming flaws such as buffer overflows, or they
may contain design flaws such as cross-domain violations, which arises when
the same origin policy is not followed.
 Cookies are files placed on your system to store data for specific websites. A
cookie can contain any information that a website is designed to place in it.
Cookies may contain information about the sites you visited, or may even
contain credentials for accessing the site. Cookies are designed to be readable
only by the website that created the cookie. Session cookies are cleared when
the browser is closed, and persistent cookies will remain on the computer
until the specified expiration date is reached. Cookies can be used to uniquely
identify visitors of a website, which some people consider a violation of
privacy. If a website uses cookies for authentication, then an attacker may be
able to acquire unauthorised access to that site by obtaining the cookie.
Persistent cookies pose a higher risk than session cookies because they
remain on the computer longer.
64  TOPIC 5 WEB BROWSER SECURITY

 ActiveX is a technology used by Microsoft Internet Explorer on Microsoft

Windows systems that allows applications or parts of applications to be
utilised by the web browser. A web page can use ActiveX components that
may already reside on a Windows system, or a site may provide the
component as a downloadable object. This gives extra functionality to
traditional web browsing, but may also introduce more severe vulnerabilities
if not properly implemented. However, the problem with using ActiveX in a
web browser is that it greatly increases the attack surface, or „attackability,‰
of a system. (Dormann & Rafail, 2006)
 Java is an object-oriented programming language that can be used to build up
active content for websites. A Java Virtual Machine (JVM) is used to execute
the Java code (applet) provided by the website. Some operating systems come
with a JVM, while others require a JVM to be installed earlier than Java can
be used. Java applets are operating system independent. Java applets
generally execute within a „sandbox„ where the interaction with the rest of
the system is limited. However, various implementations of the JVM contain
vulnerabilities that allow an applet to bypass these restrictions. Signed Java
applets can also go around sandbox limitations, but they generally prompt
the user before they can execute. (Dormann & Rafail, 2006)
 JavaScript or ECMAScript is a scripting language that is used to make
websites more interactive. There are specifications in the JavaScript standard
that restrict certain features likes accessing local files. (Dormann & Rafail,
2006)
 VBScript is another scripting language that is unique to Microsoft Windows
Internet Explorer. VBScript is similar to JavaScript, but it is not as widely
used in websites because of limited compatibility with other browsers.
(Dormann & Rafail, 2006)

ACTIVITY 5.1
Discuss web features and risks.
 TOPIC 5 WEB BROWSER SECURITY  65

5.2 INFORMATION LEAKAGE VIA HTTP

Information Leakage is when a website reveals sensitive data, such as developer
comments or error messages, which may aid an attacker in exploiting the system.
Sensitive information may be present within HTML comments, error messages,
source code or simply left in plain sight. There are many ways a website can be
coaxed into revealing this type of information. While leakage does not
necessarily represent a breach in security, it does give an attacker useful
guidance for future exploitation. Leakage of sensitive information may carry
various levels of risk and should be limited whenever possible.

In the first case of information leakage (comments left in the code, verbose error
messages, etc.), the leak may give intelligence to the attacker with contextual
information of directory structure, SQL query structure, and the names of key
processes used by the website. Often a developer will leave comments in the
HTML and script code to help facilitate in debugging or integration. This
information can range from simple comments detailing how the script works, to
usernames and passwords used during the testing phase of development.

There are many ways that confidential or private data can leave a corporate
network. Users may copy files to their laptops to take work home with them.
Employees may burn data to CDÊs or DVDÊs, or copy data to portable storage
such as USB thumb drives, handphones, digital cameras or MP3 players. Data
can be intentionally or inadvertently sent out of the network via e-mail.
Protecting against information leakage is not a simple task. Attackers are now
focusing on web applications, which are allowed through firewalls. Application
level attacks, not perimeter breaches, are todayÊs weak link and the most
fashionable by the hacker elite. Attackers are now focusing on web applications
which are allowed through firewalls. Application level attacks, not perimeter
breaches, are todayÊs weak link and the most fashionable by the elite hackers.

One area that can be particularly troublesome is securing web servers and
ensuring that sensitive internal data is not available via the Web. Web servers
tend to be at the network perimeter and connect with the external Internet. They
provide a direct gateway for external attackers to gather information about the
internal network and possibly even acquire actual files and data that were meant
for internal company eyes only.
66  TOPIC 5 WEB BROWSER SECURITY

5.2.1 Performing Web Data Leakage Risk Assessment

With the help of web search engines, such as Google, it is possible to very quickly
locate unprotected data of a sensitive or confidential nature. The same tools and
techniques that would-be attackers can use to gather information about network
and find vulnerable files and data can also use to preemptively discover the weak
points in web security and make sure that any such data is properly protected.
There are excessive of specific search statements that can be used to target
specific data or file types that might contain confidential or private information.

5.2.2 Impact of Information Leakage

Until recently, the primary focus of network security was to guard the perimeter
and keep the bad stuff out. Firewalls were employed to segregate the internal
network from the external network and prevent unauthorised network traffic or
potentially malicious content from penetrating into the corporate network.
Anti-virus, anti-spam and other technologies were deployed on e-mail gateways
and other perimeter-facing servers to monitor and block potentially malicious
content from entering the network. It was assumed, in many cases, that any data
on the internal network was safe and that there was no need to monitor or block
data on its way out. Information security has matured in many ways though.
Technologies such as firewalls and anti-virus applications have become
commoditised.

5.2.3 Preventing Information Leakage through the

Web
A web server, by virtue of its function, is typically accessible to external users.
However, based on standard practices and security recommendations, data
should not be housed on the web server itself. The web server simply acts as an
intermediary to accept and direct requests for information.

ACTIVITY 5.2
Discuss the web leakage through HTTP.
 TOPIC 5 WEB BROWSER SECURITY  67

5.3 COOKIES
HTTP cookies, more commonly referred to as web cookies or just cookies, are
parcels of text sent by a server to a web browser and then sent back unchanged
by the browser each time it accesses that server. HTTP cookies are used for
authenticating, tracking and maintaining specific information about users, such
as site preferences or the contents of their electronic shopping carts. The term
„cookie‰ is derived from „magic cookie,‰ a well-known concept in UNIX
computing which inspired both the idea and the name of HTTP cookies.

Cookies have been of concern for Internet privacy, since they can be used for
tracking browsing behaviour. As a result, they have been subject to legislation in
various countries such as United States and European Union. Cookies have been
also been criticised because of providing inaccurate identification of users and
because they could potentially be a target of network attackers. There are some
alternatives to exist the cookies, but each has its own uses, advantages and
drawbacks.

Cookies are also subject to a number of misconceptions, mostly based on the

erroneous notion that they are computer programs. In fact, cookies are simple
pieces of data unable to perform any operation by themselves. In particular, they
are neither spyware nor viruses, despite the detection of cookies from certain
sites by many anti-spyware products.

Most modern browsers allow users to decide whether to accept cookies, but
rejection makes some websites unusable. For example, shopping baskets
implemented using cookies do not work if cookies are rejected.

5.3.1 History of Cookies

The term „HTTP cookie‰ is derived from „magic cookie‰, a packet of data a
program receives but only uses for sending it again, possibly unchanged to its
origin. Magic cookies were already used in computing when Lou Montulli had
the idea of using them in web communications in June 1994. At the time, he
was an employee of Netscape Communications, which was developing the
application of e-commerce for a customer. Cookies provided a solution to the
problem of reliably implementing a virtual shopping cart.

Together with John Giannandrea, Montulli wrote the initial Netscape cookie
specification the same year. Version 0.9 beta of Mosaic Netscape, released on
October 13, 1994, supported cookies. The first actual use of cookies was made for
checking whether visitors to the Netscape website had already visited the site.
Montulli applied for a patent for the cookie technology in 1995; it was granted in
68  TOPIC 5 WEB BROWSER SECURITY

1998. Support for cookies was integrated in Internet Explorer in version 2,

released in October 1995.

The introduction of cookies was not widely known to the public, at that time. In
particular, cookies were accepted by default, and users were not notified of the
presence of cookies. Some people were aware of the existence of cookies as early
as the first quarter of 1995, but the general public learned about them after the
Financial Times published an article about them on February 12, 1996. In the
same year, cookies received lot of media attention, especially because of potential
privacy implications. Cookies were discussed in two U.S. Federal Trade
Commission hearings in 1996 and 1997.

The development of the formal cookie specifications was already ongoing. In

particular, the first discussions about a formal specification started in April 1995
on the www-talk mailing list. A special working group within the IETF was
formed. Two alternative proposals for introducing a state in an HTTP transaction
had been proposed by Brian Behlendorf and David Kristol, respectively, but the
group, headed by Kristol himself, soon decided to use the Netscape specification
as a starting point. On February 1996, the working group identified third-party
cookies as a considerable privacy threat. The specification produced by the group
was eventually published as RFC 2109 in February 1997. It specifies that third-
party cookies were either not allowed at all, or at least not enabled by default.

At that time, advertising companies were already using third-party cookies. The
recommendation about third-party cookies of RFC 2109 was not followed by
Netscape and Internet Explorer. RFC 2109 was followed by RFC 2965 in October
2000.

5.3.2 Purpose of Cookies

The main purpose of cookies is to identify users and possibly prepare customised
web pages for them. When entering a website using cookies, you may be asked to
fill out a form providing such information as your name and interests. This
information is packaged into a cookie and sent to your web browser which stores
it for later use. The next time you go to the same website, your browser will send
the cookie to the web server. The server can use this information to present you
with custom web pages. So, for example, instead of seeing just a generic welcome
page you might see a welcome page with your name on it.

HTTP cookies are used by web servers to differentiate users and to maintain data
related to the user during navigation, possibly across multiple visits. HTTP
cookies were introduced to provide a way for realising a „shopping cart‰
(or „shopping basket‰), a virtual device into which the user can „place‰ items to
 TOPIC 5 WEB BROWSER SECURITY  69

purchase, so that users can navigate a site where items are shown, adding or
removing items from the shopping basket at any time.

Allowing users to log in to a website is another use of cookies. Users typically log
in by inserting their credentials into a login page; cookies allow the server to
know that the user is already authenticated, and therefore is allowed to access
services or perform operations that are restricted to logged-in users.

Many websites also use cookies for personalisation based on usersÊ preferences.
Sites that require authentication often use this feature, although it is also present
on sites not requiring authentication. Personalisation includes presentation and
functionality. For example, the Google search engine allows users to decide how
many search results per page they want to see.

Cookies are also used to track users across a website. Third-party cookies and
web bugs, explained below, also allow for tracking across multiple sites.
Tracking within a site is typically done with the aim of producing usage
statistics, while tracking across sites is typically used by advertising companies to
produce anonymous user profiles, which are then used to target advertising
(deciding which advertising image to show) based on the user profile.

As a result, Cookies Storing a userÊs identity and the pages downloaded as well
as the services used allows a web server to establish an individual user profile
that can be used for transferring specific information or advertisements to the
user. It is also cannot transmit viruses. A web server cannot infiltrate your hard
drive; it can only make your browser store the relevant cookie file. A cookie can
include your e-mail address only if you entered your address in an online form
while visiting that site. Only then the web server can identify the userÊs address
at a later visit. The information stored in a cookie can be transferred only to web
servers that were authorised when the cookie was established by registration of
the Internet domain and the URL path. While clicking on the link to this website,
the browser compares the links URL path with the entries in the cookie. If the
data match, the browser will send the cookie together with the request for that
web page to the relevant web server. That way it can assure that no other server
may get access to the cookie. (1999)

5.3.3 Browser Settings for Cookies

Cookies do not act maliciously on computer systems. They are merely text files
that can be deleted at any time ă they are neither plug-ins nor programs. Cookies
cannot be used to spread viruses and they cannot access your hard drive. This
does not mean that cookies are not relevant to a userÊs privacy and anonymity on
the Internet. Cookies cannot read your hard drive to find out information about
you; however, any personal information that you give to a website, will most
70  TOPIC 5 WEB BROWSER SECURITY

likely be stored in a cookie. In only this way are cookies a threat to your privacy.
The cookie will not contain information that you freely provide to a website.

Most modern browsers support cookies. However, a user can usually also choose
whether cookies should be used or not. The following are common options:
(a) To enable or disable cookies completely, so that they are always accepted or
always blocked.
(b) To prompt users for individual cookies and remembering their answers.
(c) To distinguish between first-party and third-party cookies and treat each
group accordingly.
(d) To treat cookies based on a white list or a black list, updated by user or the
browser manufacturer.
(e) To put a reasonable cap on the expiry date and time of cookies.
(f) To treat cookies based on their P3P privacy policies if they have any.

The browser may include the possibility of better specifying which cookies have
to be accepted or not. In particular, the user can typically choose one or more of
the following options: reject cookies from specific domains, disallow third-party
cookies, accept cookies as non-persistent (expiring when the browser is closed)
and allow a server to set cookies for a different domain. Additionally, browsers
may also allow users to view and delete individual cookies.

Most browsers supporting JavaScript allow the user to see the cookies that are
active with respect to a given page by typing javascript:alert(“Cookies:
“+document.cookie) in the browser URL field. Some browsers incorporate a
cookie manager for the user to see and selectively delete the cookies currently
stored in the browser.

Are cookies bad? Cookies do not act maliciously on computer systems. They are
merely text files that can be deleted at any time ă they are not plug-ins or
programs. It cannot be used to spread viruses and they cannot access your hard
drive. This does not mean that cookies are not relevant to a userÊs privacy and
anonymity on the Internet. Cookies cannot read your hard drive to find out
information about you; however, any personal information that you give to a
website, will most likely be stored in a cookie. In only this way are cookies a
threat to privacy. The cookie will only contain information that you freely
provide to a website.

How to delete or disable cookies? There are some ways to delete and to enable
the cookies. If you are facing problems accessing websites, there may be
corrupted cookies in which case you will need to delete the cookies on your
 TOPIC 5 WEB BROWSER SECURITY  71

computer. It is recommended that you also clear your web browserÊs temporary
files. However, to delete your cookies, you need to follow the instruction based
on your web browser version. As an example, there are a few step as shown
below if you want to delete your cookies from the Internet Explorer 5 and 6:

(a) To delete all the cookies:

(i) Open the Internet Explorer, then click on Tools and choose Internet
Options;
(ii) Click the Delete Cookies button; and
(iii) Click OK.

(b) To delete certain cookies:

(i) Open the Internet Explorer, click on Tools and choose Internet
Options.
(ii) Click on the Settings button.
(iii) Click on the View Files button.
(iv) Click on the View Menu and select Details.
(v) Click the Internet Address column header to sort, and then locate
the Internet addresses of the cookie files. For example, a cookie
Internet address may be named similar to the following:
Cookie:user@websitename.com
(vi) Highlight the cookies you wish to delete, and then click on the Delete
key.

There are more ways to delete cookies especially for other versions of your web
browser such as Macintosh Internet Explorer, Windows Netscape, Macintosh
Netscape, Opera for Macintosh and for Windows and also Mozilla.

How to enable cookies? Websites, like myExpedient.net and others requires

cookies to be enabled. To specify how your browser should handle cookies,
follow the instructions below for your web browser version:
(i) Select the Internet Options from the View menu.
(ii) Click on the advanced tab and scroll down to the Security option, and select
Cookies.
(iii) Click on the appropriate radio button to enable cookies.
(iv) Click OK.
72  TOPIC 5 WEB BROWSER SECURITY

ACTIVITY 5.3
(a) Find out if cookies are an advantage or disadvatage to web
browser.
(b) What are the steps in ensuring cokies are safe for browser?

5.4 CLIENT-SIDE PROGRAMMING LANGUAGE

Client-side scripting generally refers to the class of computer programs on the
web that are executed client-side by the userÊs web browser instead of server-side
(on the web server). This type of computer programming is an important part
of the Dynamic HTML (DHTML) concept, enabling web pages to be scripted,
that is, to have different and changing content depending on user input,
environmental conditions (such as the time of day), or other variables. Web
authors write client-side scripts in languages such as JavaScript (Client-side
JavaScript) and VBScript.

Client-side scripts are often embedded within an HTML document, but they may
also be contained in a separate file which is referenced by the document(s) that
use it. Upon request, the necessary files are sent to the userÊs computer by the
web server (or servers) on whom they reside. The userÊs web browser executes
the script, and then displays the document, including any visible output from the
script. Client-side scripts may also contain instructions for the browser to follow
if the user interacts with the document in a certain way e.g. clicks a certain
button. These instructions can be followed without further communication with
the server though they may require such communication.

Client-side scripts have greater access to the information and functions available
on the userÊs browser, whereas server-side scripts have greater access to the
information and functions available on the server. Server-side scripts need their
languageÊs interpreter installed on the server, and produce the same output
regardless of the clientÊs browser, operating system, or other system details.
Client-side scripts do not need additional software on the server (making them
popular with authors who lack administrative access to their servers); however,
they do need the userÊs web browser to understand the scripting language in
which they are written. It is therefore impractical for an author to write scripts in
a language that is not supported by the web browsers used by a majority of his or
her audience.
 TOPIC 5 WEB BROWSER SECURITY  73

Due to security restrictions, client-side scripts may not be allowed to access the
usersÊ computer beyond the browser application. Techniques like ActiveX
controls can be used to sidestep this restriction. Unfortunately, even languages
that are supported by a wide variety of browsers may not be implemented in
precisely the same way across all browsers and operating systems. Authors are
well-advised to review the behaviour of their client-side scripts on a variety of
platforms before they put them into use.

5.5 PLUG-INS AND HELPER

Plug-ins are programs that are integrated into your browser application, usually
providing additional functionality. Plug-in also known as add-ons or extensions.

Internet Explorer browser is developed so that its behaviour can be changed and
its features can be improved by other programs in several ways. Internet
Explorer does not have variety of functions, but the browser can be effectively
extended and customised via IE plug-ins ă different programs that add new
features to web browser more productive and suitable for specific personal or
business needs.

Internet Explorer (IE) plug-ins help to extend and customise Internet Explorer
browser to make it more suitable to the way people use web resources. IE plug-in
lets add specific features to browser to adapt Internet Explorer environment to
userÊs needs. Whether you are Internet resources consumer or provider, you can
use IE plug-ins to make your or your customersÊ IE browser more productive, IE
interface handler and Web using process more perfect and convenient.

IE plug-ins vary depending on their purposes. They can serve, e.g., for security,
time saving or entertainment needs while user is surfing the Web. Security IE
plug-ins help to control your web browsing process which is to prevent unsafe or
unwanted content (ad pop-ups, spam, viruses, certain websites access and etc.)
and protect your privacy (from identity stealing, tracking your online
activity, etc.).

Websites or online communities can provide their customers with a branded

toolbar or sidebar with custom buttons, menus, auto-login, search boxes and
other features for easier access to their website content or their services delivery.
Customers can be closer tied with the website resources they utilise. IE plug-ins
can provide not only direct access to the certain web page, but also specific
functionality to fulfil the tasks from IE browser or deliver web content or web
services directly via IE browser user interface.
74  TOPIC 5 WEB BROWSER SECURITY

Websites can also provide their customers with constant support via online alerts
delivered with help of IE plug-in integrated in customersÊ browsers. Besides
features tied to the website, other helpful services can be added to Internet
Explorer interface such as access to the news, mail, financial or other info, text
highlight, images or windows zoom in and out, Google search and more.

Still, there may be problems that occur. For example, some browsers use the
same plug-in or the plug-in requires the higher version of web browser. In a
normal situation, when an Active-X plug-in is needed, there will be a display of
an Active-X at the top of the browser. Without the plug-in, you might not view
the page or page cannot be display at all.

ACTIVITY 5.4
(a) How does client-side programming language affect the user web
browser?
(b) What is plug-in?

Ć Web browser features and risks are things we need to consider in web
browser security.
Ć Information leakage through http can be vulnerable.
Ć Cookies are used for authentication, tracking and maintaining specific
information.
Ć Client-side programming language (script) are scripts executed on the client
side.

Client-side Plug-in
Cookies Web Browser
Http
 TOPIC 5 WEB BROWSER SECURITY  75

Friedl. S. (2004). An illustrated guide to cryptographic hashes. Retrieved March

12, 2008 from Steve FriedlÊs website http://unixwiz.net/techtips/iguide-
crypto-hashes.html

Henry Chan, Raymond Lee, Tharam Dillon, & Elizabeth Chang. (2002).
E-commerce: Fundamentals and Applications. John Wiley.
Jenkins, B. (n.d.). Hash functions and block cipher. Retrieved February 28, 2008
from Bob JenkinsÊ website: http://burtleburtle.net/bob/hash/index.html

Kaufeld, J., & Harvey, T. (2005). Developing eBay business tools for dummies.
John Wiley.

Three types of encryption. Retrieved March 13, 2008 from

http://www.webopedia.com
Hashing. (n.d.). Retrieved March 14, 2008 from http://www.webopedia.com