Browser security

{{Short description|Application of internet security to web browsers}}

{{Use dmy dates|date=August 2024}}

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities (security holes) that are commonly exploited in all browsers.

History

The first web browser, WorldWideWeb, created in 1990 by Sir Tim Berners-Lee, was rudimentary, using the HTTP protocol to navigate between documents. The Mosaic web browser, released in April 1993, featured a graphical user interface that made the Web more accessible, sparking the Internet boom of the 1990s. This boom led to the browser wars between Netscape Navigator, developed by Mosaic's creators, and Microsoft's Internet Explorer. This fierce competition was characterized by a rapid race to incorporate new features, often at the expense of user privacy and security.{{cite thesis |last=Franken |first=Gertjan |title=Security and Privacy Policy Bugs in Browser Engines |date=13 February 2024 |url=https://lirias.kuleuven.be/4131122&lang=en |pages=3,4}}{{cite web |last1=Heiderich |first1=Mario |last2=Inführ |first2=Alex |last3=Fäßler |first3=Fabian |last4=Krein |first4=Nikolai |last5=Kinugawa |first5=Masato |date=29 November 2017 |title=Cure53 Browser Security White Paper |url=https://cure53.de/browser-security-whitepaper.pdf |publisher=Cure53 |page=9}} Features were added to HTML to support interoperability with proprietary systems like VBScript and Java applets, and vendors aimed to ensure their browsers could handle websites optimized for competitors. This led to an increasingly convoluted set of undocumented hacks and fault-tolerant architectures that were often hard to standardize due to competing interests.{{Cite book |last=Zalewski |first=Michal |url=https://www.google.com/books/edition/The_Tangled_Web/6sxNzyRmxE4C |title=The Tangled Web: A Guide to Securing Modern Web Applications |date=2011-11-15 |publisher=No Starch Press |isbn=978-1-59327-417-7 |pages=10–12 |language=en}} After the end of this period, colloquially known as the first browser war, Internet Explorer captured over 80% of the market.
However, despite being in this dominant position, Microsoft, the creator of Internet Explorer, did not invest significantly into the browser after this period.{{Cite web |last=Cunningham |first=Andrew |date=2022-06-15 |title=Internet Explorer was once synonymous with the Internet, but today it’s gone for good |url=https://arstechnica.com/gadgets/2022/06/remembering-internet-explorer-the-now-dead-browser-that-once-powered-the-internet/ |access-date=2025-01-13 |website=Ars Technica |language=en-US}} This led to the proliferation of security issues, browser vulnerabilities and web worms, eventually leading to the creation of modern browsers such as Mozilla Firefox, Safari and Google Chrome.

Security

Web browsers can be breached in one or more of the following ways:

  • Operating system is breached and malware is reading/modifying the browser memory space in privileged mode{{cite web|last=Smith|first=Dave|title=The Yontoo Trojan: New Mac OS X Malware Infects Google Chrome, Firefox And Safari Browsers Via Adware|date=21 March 2013|url=http://www.ibtimes.com/yontoo-trojan-new-mac-os-x-malware-infects-google-chrome-firefox-safari-browsers-adware-1142969|publisher=IBT Media Inc|access-date=21 March 2013|url-status=live|archive-url=https://web.archive.org/web/20130324025727/http://www.ibtimes.com/yontoo-trojan-new-mac-os-x-malware-infects-google-chrome-firefox-safari-browsers-adware-1142969|archive-date=24 March 2013}}
  • Operating system has malware running as a background process, which is reading/modifying the browser memory space in privileged mode
  • Main browser executable can be hacked
  • Browser components may be hacked
  • Browser plugins can be hacked
  • Browser network communications could be intercepted outside the machine{{cite web|last=Goodin|first=Dan|title=MySQL.com breach leaves visitors exposed to malware|website=The Register|url=https://www.theregister.co.uk/2011/09/26/mysql_hacked/|access-date=26 September 2011|url-status=live|archive-url=https://web.archive.org/web/20110928045543/http://www.theregister.co.uk/2011/09/26/mysql_hacked/|archive-date=28 September 2011}}

The browser may not be aware of any of the breaches above and may show the user that a safe connection has been made.

Whenever a browser communicates with a website, the website, as part of that communication, collects some information about the browser (in order to process the formatting of the page to be delivered, if nothing else).{{cite web | url=http://oreilly.com/catalog/httppr/chapter/http_pkt.html | title=HTTP Transactions | author=Clinton Wong | publisher=O'Reilly | archive-url=https://web.archive.org/web/20130613235658/http://oreilly.com/catalog/httppr/chapter/http_pkt.html | archive-date=13 June 2013 }} If malicious code has been inserted into the website's content, or, in a worst-case scenario, if that website has been specifically designed to host malicious code, then vulnerabilities specific to a particular browser can allow this malicious code to run processes within the browser application in unintended ways (one of the pieces of information that a website collects from a browser is the browser's identity, which allows vulnerabilities specific to that browser to be exploited).{{cite web | url=http://www.ebernieinc.com/9-ways-to-know-your-pc-is-infected-with-malware/ | title=9 Ways to Know Your PC is Infected with Malware | archive-url=https://web.archive.org/web/20131111192509/http://www.ebernieinc.com/9-ways-to-know-your-pc-is-infected-with-malware/ | archive-date=11 November 2013 }} Once an attacker is able to run processes on the visitor's machine, exploiting known security vulnerabilities can allow the attacker to gain privileged access (if the browser isn't already running with privileged access) to the "infected" system in order to perform an even greater variety of malicious processes and activities on the machine or even the victim's whole network.{{cite web | url=http://www.symantec.com/security_response/whitepapers.jsp?inid=us_sr_flyout_publications_security | title=Symantec Security Response Whitepapers | url-status=dead | archive-url=https://web.archive.org/web/20130609070315/http://www.symantec.com/security_response/whitepapers.jsp?inid=us_sr_flyout_publications_security | archive-date=9 June 2013 }}

Breaches of web browser security are usually for the purpose of bypassing protections to display pop-up advertising,{{cite web |url=https://addons.mozilla.org/firefox/addon/adblock-plus |title=Adblock Plus :: Add-ons for Firefox |author-link=Wladimir Palant |first=Wladimir |last=Palant |work=Mozilla Add-ons |publisher=Mozilla Foundation}} collecting personally identifiable information (PII) for either Internet marketing or identity theft, website tracking or web analytics about a user against their will using tools such as web bugs, Clickjacking, Likejacking (where Facebook's like button is targeted),{{cite news|url=https://www.cbc.ca/news/science/facebook-privacy-probed-over-like-invitations-1.968585|title=Facebook privacy probed over 'like,' invitations|date=23 September 2010|publisher=CBC News|access-date=24 August 2011|url-status=live|archive-url=https://web.archive.org/web/20120626205135/http://www.cbc.ca/news/technology/story/2010/09/23/facebook-like-invitations.html|archive-date=26 June 2012}}{{cite news|url=https://www.pcmag.com/article2/0,2817,2391440,00.asp|title=German Agencies Banned From Using Facebook, 'Like' Button|last=Albanesius|first=Chloe|date=19 August 2011|work=PC Magazine|access-date=24 August 2011|url-status=live|archive-url=https://web.archive.org/web/20120329043111/http://www.pcmag.com/article2/0,2817,2391440,00.asp |archive-date=29 March 2012}}{{cite news |last=McCullagh |first=Declan |author-link=Declan McCullagh |title=Facebook 'Like' button draws privacy scrutiny |publisher=CNET News |url=http://news.cnet.com/8301-13578_3-20006532-38.html |date=2 June 2010 |access-date=19 December 2011 |url-status=live |archive-url=https://web.archive.org/web/20111205014333/http://news.cnet.com/8301-13578_3-20006532-38.html |archive-date=5 December 2011}}{{cite SSRN |ssrn=1717563 |title=Facebook Tracks and Traces Everyone: Like This!|last=Roosendaal|first=Arnold|date=30 November 2010}} HTTP cookies, zombie cookies or Flash cookies (Local Shared Objects or LSOs);{{cite web |title=BetterPrivacy :: Add-ons for Firefox |url=https://addons.mozilla.org/firefox/addon/betterprivacy |website=Mozilla Foundation}}{{Dead link|date=June 2019|bot=InternetArchiveBot|fix-attempted=yes}} installing adware, viruses, spyware such as Trojan horses (to gain access to users' personal computers via cracking) or other malware including online banking theft using man-in-the-browser attacks.

An in-depth study of vulnerabilities in the Chromium web browser indicates that Improper Input Validation (CWE-20) and Improper Access Control (CWE-284) are the most common root causes of security vulnerabilities.{{Cite book|last1=Santos|first1=J. C. S.|last2=Peruma|first2=A.|last3=Mirakhorli|first3=M.|last4=Galstery|first4=M.|last5=Vidal|first5=J. V.|last6=Sejfia|first6=A.|title=2017 IEEE International Conference on Software Architecture (ICSA) |chapter=Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird |date=April 2017|chapter-url=https://www.researchgate.net/publication/317072830|pages=69–78|doi=10.1109/ICSA.2017.39|isbn=978-1-5090-5729-0|s2cid=29186731}} Furthermore, among the vulnerabilities examined at the time of this study, 106 vulnerabilities occurred in Chromium because of reusing or importing vulnerable versions of third-party libraries.

Vulnerabilities in the web browser software itself can be minimized by keeping browser software updated,{{cite web|url=http://itsecurity.vermont.gov/threats/web_attacks|title=Web Browser Attacks|author=State of Vermont|access-date=11 April 2012|archive-url=https://web.archive.org/web/20120213180056/http://itsecurity.vermont.gov/threats/web_attacks|archive-date=13 February 2012}} but this will not be sufficient if the underlying operating system is compromised, for example by a rootkit.{{cite web |url=https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf |title=Windows Rootkit Overview |publisher=Symantec |access-date=2013-04-20 |archive-url=https://web.archive.org/web/20130516120234/https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf |archive-date=16 May 2013 }} Some subcomponents of browsers, such as scripting, add-ons, and cookies,{{cite web|url=http://www.acunetix.com/websitesecurity/cross-site-scripting/|title=Cross Site Scripting Attack|access-date=20 May 2013|url-status=live|archive-url=https://web.archive.org/web/20130515154916/http://www.acunetix.com/websitesecurity/cross-site-scripting/|archive-date=15 May 2013}}{{cite web|url=http://blog.zeltser.com/post/2527547617/targeting-web-browser|title=Mitigating Attacks on the Web Browser and Add-Ons|author=Lenny Zeltser|access-date=20 May 2013|url-status=live|archive-url=https://web.archive.org/web/20130507092833/http://blog.zeltser.com/post/2527547617/targeting-web-browser|archive-date=7 May 2013}}{{cite web|url=https://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/|title=Two new attacks on SSL decrypt authentication cookies|author=Dan Goodin|date=14 March 2013|access-date=20 May 2013|url-status=live|archive-url=https://web.archive.org/web/20130515021000/http://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/|archive-date=15 May 2013}} are particularly vulnerable (the "confused deputy problem") and also need to be addressed.

Following the principle of defence in depth, a fully patched and correctly configured browser may not be sufficient to ensure that browser-related security issues cannot occur. For example, a rootkit can capture keystrokes while someone logs into a banking website, or carry out a man-in-the-middle attack by modifying network traffic to and from a web browser. DNS hijacking or DNS spoofing may be used to return false positives for mistyped website names, or to subvert search results for popular search engines. Malware such as RSPlug simply modifies a system's configuration to point at rogue DNS servers.

Browsers can use more secure methods of network communication to help prevent some of these attacks:

Perimeter defenses, typically through firewalls and the use of filtering proxy servers that block malicious websites and perform antivirus scans of any file downloads, are commonly implemented as a best practice in large organizations to block malicious network traffic before it reaches a browser.

The topic of browser security has grown to the point of spawning entire organizations, such as The Browser Exploitation Framework Project,{{cite web|url=http://beefproject.com/|title=beefproject.com|url-status=live|archive-url=https://web.archive.org/web/20110811035950/http://beefproject.com/ |archive-date=11 August 2011}} which create platforms to collect tools for breaching browser security, ostensibly in order to test browsers and network systems for vulnerabilities.

=Plugins and extensions=

Although not part of the browser per se, browser plugins and extensions extend the attack surface, exposing vulnerabilities in Adobe Flash Player, Adobe (Acrobat) Reader, the Java plugin, and ActiveX that are commonly exploited. Researchers{{Cite book|last1=Santos|first1=Joanna C. S.|last2=Sejfia|first2=Adriana|last3=Corrello|first3=Taylor|last4=Gadenkanahalli|first4=Smruthi|last5=Mirakhorli|first5=Mehdi|title=Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering |chapter=Achilles' heel of plug-and-Play software architectures: A grounded theory based approach |date=2019|chapter-url=https://www.researchgate.net/publication/334130422|series=ESEC/FSE 2019|location=New York, NY, US|publisher=ACM|pages=671–682|doi=10.1145/3338906.3338969|isbn=978-1-4503-5572-8|s2cid=199501995}} have extensively studied the security architecture of various web browsers, in particular those relying on plug-and-play designs. This study identified 16 common vulnerability types and 19 potential mitigations.
Malware may also be implemented as a browser extension, such as a browser helper object in the case of Internet Explorer.{{cite web|url=http://www.symantec.com/business/support/index?page=content&id=TECH94965|title=How to Create a Rule That Will Block or Log Browser Helper Objects in Symantec Endpoint Protection|publisher=Symantec.com|access-date=12 April 2012|url-status=dead|archive-url=https://web.archive.org/web/20130514095634/http://www.symantec.com/business/support/index?page=content&id=TECH94965|archive-date=14 May 2013}} In various other exploits, websites designed to look authentic included rogue 'update Adobe Flash' popups as visual cues to download malware payloads in place of the real update.{{cite news |last1=Aggarwal |first1=Varun |date=30 April 2021 |title=Breaking: Fake sites of 50 Indian News portals luring gullible readers |url=https://cio.economictimes.indiatimes.com/news/digital-security/breaking-fake-sites-of-50-indian-news-portals-luring-gullible-readers/82321192 |url-status=live |department= |work=The Economic Times CIO |publication-date=30 April 2021 |archive-url=https://web.archive.org/web/20230226142811/https://cio.economictimes.indiatimes.com/news/digital-security/breaking-fake-sites-of-50-indian-news-portals-luring-gullible-readers/82321192 |archive-date=26 February 2023 |access-date=26 February 2023 |url-access= }} Some browsers like Google Chrome and Mozilla Firefox can block—or warn users of—insecure plugins.

=Adobe Flash=

{{Main|Local shared object#Privacy concerns}}

An August 2009 study by the Social Science Research Network found that 50% of websites using Flash were also employing Flash cookies, yet privacy policies rarely disclosed them, and user controls for privacy preferences were lacking.{{cite SSRN |ssrn=1446862|title=Soltani, Ashkan, Canty, Shannon, Mayo, Quentin, Thomas, Lauren and Hoofnagle, Chris Jay: Flash Cookies and Privacy |date=2009-08-10 |last1=Soltani|first1=Ashkan|last2=Canty|first2=Shannon|last3=Mayo|first3=Quentin|last4=Thomas|first4=Lauren|last5=Hoofnagle|first5=Chris Jay}} Most browsers' cache and history delete functions do not affect Flash Player's writing Local Shared Objects to its own cache, and the user community is much less aware of the existence and function of Flash cookies than HTTP cookies.{{cite web|url=http://epic.org/privacy/cookies/flash.html|title=Local Shared Objects -- "Flash Cookies"|publisher=Electronic Privacy Information Center|date=2005-07-21|access-date=2010-03-08| archive-url=https://web.archive.org/web/20100416041024/http://epic.org/privacy/cookies/flash.html| archive-date= 16 April 2010 | url-status= live}} Thus, users having deleted HTTP cookies and purged browser history files and caches may believe that they have purged all tracking data from their computers while in fact Flash browsing history remains. As well as manual removal, the BetterPrivacy add-on for Firefox can remove Flash cookies. Adblock Plus can be used to filter out specific threats and Flashblock can be used to give an option before allowing content on otherwise trusted sites.{{cite web |url=https://addons.mozilla.org/firefox/addon/flashblock |archive-url=https://archive.today/20130415090235/http://addons.mozilla.org/firefox/addon/flashblock |archive-date=2013-04-15 |title=Flashblock :: Add-ons for Firefox |author-link=Philip Chee |first=Philip |last=Chee |work=Mozilla Add-ons |publisher=Mozilla Foundation }}

Charlie Miller recommended "not to install Flash"{{cite web|url=http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/|title=Pwn2Own 2010: interview with Charlie Miller|date=2010-03-01|access-date=2010-03-27|archive-url=https://web.archive.org/web/20110424022058/http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/|archive-date=24 April 2011}} at the computer security conference CanSecWest. Several other security experts also recommend either not installing Adobe Flash Player or blocking it.{{cite web|url=http://news.cnet.com/8301-27080_3-10396326-245.html|title=Expert says Adobe Flash policy is risky|date=2009-11-12|access-date=2010-03-27|url-status=live|archive-url=https://web.archive.org/web/20110426041823/http://news.cnet.com/8301-27080_3-10396326-245.html|archive-date=26 April 2011}}

Password security model

The contents of a web page are arbitrary and controlled by the entity owning the domain name displayed in the address bar. If HTTPS is used, encryption protects against attackers with access to the network changing the page contents en route. When presented with a password field on a web page, a user is supposed to look at the address bar to determine whether the domain name shown there is the correct place to send the password.{{cite web|title=Browser Security Model|url=https://crypto.stanford.edu/cs155old/cs155-spring11/lectures/08-browser-sec-model.pdf|author=John C. Mitchell|url-status=live|archive-url=https://web.archive.org/web/20150620051731/http://crypto.stanford.edu/cs155old/cs155-spring11/lectures/08-browser-sec-model.pdf|archive-date=20 June 2015|author-link=John C. Mitchell}} For example, for Google's single sign-on system (used on e.g. YouTube.com), the user should always check that the address bar says "https://accounts.google.com" before inputting their password.

An un-compromised browser guarantees that the address bar is correct. This guarantee is one reason why browsers will generally display a warning when entering fullscreen mode, on top of where the address bar would normally be, so that a fullscreen website cannot make a fake browser user interface with a fake address bar.{{cite web|url=http://feross.org/html5-fullscreen-api-attack/|title=Using the HTML5 Fullscreen API for Phishing Attacks|website=feross.org|access-date=7 May 2018|url-status=live|archive-url=https://web.archive.org/web/20171225134343/https://feross.org/html5-fullscreen-api-attack/|archive-date=25 December 2017}}
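The address-bar rule above in working code, added here as an example (it is not from the article or from any browser's or password manager's source): a strict origin comparison of the kind a password manager applies before filling a saved password, assuming the Google sign-in origin named in the text and constructed sample URLs.

```javascript
// Added example (not from the article): a strict origin check of the kind a
// password manager performs before offering a saved password to a page.
// It automates the rule the article gives the user: the address bar must
// read exactly "https://accounts.google.com" before the password is entered.
// All URLs below are constructed for illustration.

// Parse an absolute URL and return the parts that define its origin,
// or null if the string is not a valid URL.
function parseOrigin(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null;
  }
  // url.hostname is the real host: for "https://a.example@b.example/" it is
  // "b.example", and non-ASCII labels are already converted to punycode.
  return { scheme: url.protocol, host: url.hostname, port: url.port };
}

// Decide whether a credential saved for `storedOrigin` may be filled into
// the page at `currentHref`. The comparison is an exact match on scheme,
// host and port; prefix, suffix or substring matching is deliberately
// avoided because lookalike hosts pass such tests.
function mayFillPassword(storedOrigin, currentHref) {
  const stored = parseOrigin(storedOrigin);
  const current = parseOrigin(currentHref);
  if (!stored || !current) return false;
  // Require encryption in transit: over plain HTTP an attacker on the
  // network could rewrite the page and its form action en route.
  if (current.scheme !== "https:") return false;
  return (
    stored.scheme === current.scheme &&
    stored.host === current.host &&
    stored.port === current.port
  );
}

// Constructed address-bar values and the decision expected for each,
// with the credential saved for the Google sign-in origin from the text.
const STORED_ORIGIN = "https://accounts.google.com";
const SAMPLES = [
  ["https://accounts.google.com/signin/v2", true],      // genuine origin
  ["https://accounts.google.com:443/", true],           // default port, same origin
  ["http://accounts.google.com/signin", false],         // no HTTPS
  ["https://accounts.google.com.evil.example/", false], // suffix lookalike
  ["https://accounts.google.com@evil.example/", false], // userinfo trick
  ["https://accounts-google.com/", false],              // hyphen lookalike
  ["https://accounts.google.com:8443/", false],         // different port
  ["https://accounts.g\u043e\u043egle.com/", false],    // Cyrillic "o" homograph
  ["not a url", false],                                 // unparsable input
];

// Run every sample through the check and list the ones whose decision
// disagrees with the expectation; an empty list means the check behaves
// as intended on all constructed inputs.
function mismatchedSamples() {
  return SAMPLES.filter(
    ([href, expected]) => mayFillPassword(STORED_ORIGIN, href) !== expected
  ).map(([href]) => href);
}

console.log("mismatches:", mismatchedSamples());
```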

Browser hardening

Browsing the Internet as a least-privilege user account (i.e. without administrator privileges) limits the ability of a security exploit in a web browser to compromise the whole operating system.{{ cite web | url = https://technet.microsoft.com/en-us/library/cc700846.aspx | title = Using a Least-Privileged User Account | date = 29 June 2009 | publisher = Microsoft | access-date = 2013-04-20 | url-status = live | archive-url = https://web.archive.org/web/20130306091913/http://technet.microsoft.com/en-us/library/cc700846.aspx | archive-date = 6 March 2013 }}

Internet Explorer 4 and later allows the blocklisting{{ cite web | url = http://support.microsoft.com/kb/240797/en-us | title = How to Stop an ActiveX control from running in Internet Explorer | publisher = Microsoft | access-date = 2014-11-22 | url-status = live | archive-url = https://web.archive.org/web/20141202224151/http://support.microsoft.com/kb/240797/en-us | archive-date = 2 December 2014 }}{{ cite web | url = https://support.microsoft.com/kb/182569/en-us | title = Internet Explorer security zones registry entries for advanced users | publisher = Microsoft | access-date = 2014-11-22 | url-status = live | archive-url = https://web.archive.org/web/20141202224143/https://support.microsoft.com/kb/182569/en-us | archive-date = 2 December 2014 }}{{ cite web | url = https://technet.microsoft.com/en-us/library/dn761713.aspx | title = Out-of-date ActiveX control blocking | publisher = Microsoft | access-date = 2014-11-22 | url-status = live | archive-url = https://web.archive.org/web/20141129121819/http://technet.microsoft.com/en-us/library/dn761713.aspx | archive-date = 29 November 2014 }} and allowlisting{{ cite web | url = https://technet.microsoft.com/en-us/library/cc737458.aspx | title = Internet Explorer Add-on Management and Crash Detection | date = 8 October 2009 | publisher = Microsoft | access-date = 2014-11-22 | url-status = live | archive-url = https://web.archive.org/web/20141129121822/http://technet.microsoft.com/en-us/library/cc737458.aspx | archive-date = 29 November 2014 }}{{ cite web | url = http://support.microsoft.com/kb/883256/en-us | title = How to Manage Internet Explorer Add-ons in Windows XP Service Pack 2 | publisher = Microsoft | access-date = 2014-11-22 | url-status = live | archive-url = https://web.archive.org/web/20141202192535/http://support.microsoft.com/kb/883256/en-us | archive-date = 2 December 2014 }} of ActiveX controls, add-ons and browser extensions in various ways.

Internet Explorer 7 added "protected mode", a technology that hardens the browser through the application of a security sandboxing feature of Windows Vista called Mandatory Integrity Control.{{cite web | url = http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf | title = Analysis of the Windows Vista Security Model | author = Matthew Conover | publisher = Symantec Corporation | access-date = 2007-10-08 | archive-url = https://web.archive.org/web/20080516053130/http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf | archive-date = 16 May 2008 }}

Google Chrome provides a sandbox to limit web page access to the operating system.{{ cite web | title = Browser Security: Lessons from Google Chrome | date = August 2009 | url = http://cacm.acm.org/magazines/2009/8/34494-browser-security/fulltext | url-status = live | archive-url = https://web.archive.org/web/20131111194250/http://cacm.acm.org/magazines/2009/8/34494-browser-security/fulltext | archive-date = 11 November 2013 }}

Suspected malware sites reported to Google,{{ cite web | url = https://www.google.com/safebrowsing/report_badware/ | title = Report malicious software (URL) to Google | url-status = live | archive-url = https://web.archive.org/web/20140912233915/https://www.google.com/safebrowsing/report_badware/ | archive-date = 12 September 2014 }} and confirmed by Google, are flagged as hosting malware in certain browsers.{{ cite web | url = https://www.google.com/transparencyreport/safebrowsing/?hl=en | title = Google Safe Browsing | url-status = live | archive-url = https://web.archive.org/web/20140914200617/http://www.google.com/transparencyreport/safebrowsing/?hl=en | archive-date = 14 September 2014 }}

There are third-party extensions and plugins available to harden even the latest browsers,{{ cite web | url = http://www.zonealarm.com/blog/2014/05/5-ways-to-secure-your-web-browser/ | title = 5 Ways to Secure Your Web Browser | date = 8 May 2014 | publisher = ZoneAlarm | url-status = live | archive-url = https://web.archive.org/web/20140907191153/http://www.zonealarm.com/blog/2014/05/5-ways-to-secure-your-web-browser/ | archive-date = 7 September 2014 }} and some for older browsers and operating systems. Whitelist-based software such as NoScript can block JavaScript and Adobe Flash, which are used for most attacks on privacy, allowing users to choose only sites they know are safe – AdBlock Plus also uses whitelist ad filtering rule subscriptions, though both the software itself and the filtering list maintainers have come under controversy for allowing some sites to pass the pre-set filters by default.{{ cite web | url = http://siliconfilter.com/adblock-plus-will-soon-block-fewer-ads-by-default-allow-non-intrusive-ads/ | title = Adblock Plus Will Soon Block Fewer Ads – SiliconFilter | date = 12 December 2011 | publisher = Siliconfilter.com | access-date = 2013-04-20 | url-status = live | archive-url = https://web.archive.org/web/20130130044410/http://siliconfilter.com/adblock-plus-will-soon-block-fewer-ads-by-default-allow-non-intrusive-ads/ | archive-date = 30 January 2013 }} US-CERT recommends blocking Flash using NoScript.{{cite web|url=http://www.us-cert.gov/reading_room/securing_browser/|title=Securing Your Web Browser|access-date=2010-03-27| archive-url=https://web.archive.org/web/20100326131333/http://www.us-cert.gov/reading_room/securing_browser/| archive-date= 26 March 2010 | url-status= live}}

Fuzzing

Modern web browsers undergo extensive fuzzing to uncover vulnerabilities. The Chromium code of Google Chrome is continuously fuzzed by the Chrome Security Team with 15,000 cores.{{cite web |last1=Sesterhenn |first1=Eric |last2=Wever |first2=Berend-Jan |last3=Orrù |first3=Michele |last4=Vervier |first4=Markus |title=Browser Security WhitePaper |url=https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf |publisher=X41D SEC GmbH |date=19 September 2017 |access-date=31 August 2018 |archive-date=1 February 2022 |archive-url=https://web.archive.org/web/20220201150016/https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf |url-status=live }} For Microsoft Edge and Internet Explorer, Microsoft performed fuzz testing with 670 machine-years during product development, generating more than 400 billion DOM manipulations from 1 billion HTML files.{{cite web |title=Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) |url=https://docs.microsoft.com/en-us/microsoft-edge/deploy/security-enhancements-microsoft-edge |publisher=Microsoft |access-date=31 August 2018|date=15 October 2017 |archive-date=1 September 2018 |archive-url=https://web.archive.org/web/20180901044418/https://docs.microsoft.com/en-us/microsoft-edge/deploy/security-enhancements-microsoft-edge |url-status=live }}

See also

References

{{reflist}}

Further reading

  • {{cite web |last1=Sesterhenn |first1=Eric |last2=Wever |first2=Berend-Jan |last3=Orrù |first3=Michele |last4=Vervier |first4=Markus |title=Browser Security White Paper |url=https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf |publisher=X41D SEC GmbH |date=19 September 2017}}
  • {{cite web |last1=Heiderich |first1=Mario |last2=Inführ |first2=Alex |last3=Fäßler |first3=Fabian |last4=Krein |first4=Nikolai |last5=Kinugawa |first5=Masato |title=Cure53 Browser Security White Paper |url=https://cure53.de/browser-security-whitepaper.pdf |publisher=Cure53 |date=29 November 2017}}

{{Web browsers|fsp}}

{{Malware}}

Category:Web browsers

Category:Web security exploits

Category:Internet security