Justin Brown, in Google Hacking for Penetration Testers (Third Edition), 2016

Default Documentation

Web server software often ships with manuals and documentation that end up in the Web directories. An attacker could use this documentation to either profile or locate Web software. In most cases, default documentation does not portray the server version as accurately as error messages or default pages do, but this information can certainly be used to locate targets and to gain an understanding of the potential security posture of the server. If the server administrator has forgotten to delete the default documentation, an attacker has every reason to believe that other details such as security have been overlooked as well. In most cases, specialized programs such as CGI scanners or Web application assessment tools are better suited for finding these default pages and programs, but if Google has crawled the pages (for example, from a link on a default main page), you'll be able to locate these pages with Google queries.

In Microsoft Vista for IT Security Professionals, 2007

Browser Exploits

Web browsers are client software programs, such as Internet Explorer, Netscape, and Opera, that connect to servers running Web server software (such as IIS or Apache) and request Web pages via a URL, which is a "friendly" address that represents an IP address and particular files on the server at that address. The browser receives files that are encoded (usually in Hypertext Markup Language) and must interpret the code or "markup" that determines how the page will be displayed on the user's monitor. Browsers are open to a number of attack types. The embedded scripts (and even some of the markup language) can be used to exploit your browser. With Internet Explorer 7, new tools such as the Phishing Filter help to thwart these attacks.

Early browser programs were fairly simple and could be exploited by using minimal techniques. Today's browsers are highly complex, signaling the need to secure them even further. These newer browsers are capable of not only displaying text and graphics, but also playing sound files and movies and running executable code. The browser software also usually stores information about the computer on which it is installed, as well as the user (via data stored as cookies on the local hard disk), which can be uploaded to Web servers, either deliberately by the user or in response to code on a Web site.
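
An added example, not taken from either book excerpt on this page: a defender-side audit of a local Web document root for the leftover default documentation that the Default Documentation excerpt describes, reporting any version string those files would disclose to a visitor. The directory names, file-name patterns, version regex and the sample tree (ExampleHTTPd, ExampleApp) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed indicators, not from the page: tune to the software you deploy.
DOC_DIRS = {"manual", "doc", "docs", "documentation", "help", "examples", "samples"}
DOC_FILE = re.compile(r"^(readme|changelog|install|release[-_]?notes)(\.\w+)?$", re.I)
VERSION = re.compile(r"version\s*[:=]?\s*v?(\d+(?:\.\d+)+)", re.I)

def audit_docroot(docroot):
    """Return {relative path: version string or None} for files that look
    like shipped documentation inside a web document root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        in_doc_dir = any(p.lower() in DOC_DIRS for p in rel_dir.split(os.sep))
        for name in files:
            if not (in_doc_dir or DOC_FILE.match(name)):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                match = VERSION.search(fh.read(4096))  # banner is usually near the top
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            findings[rel] = match.group(1) if match else None
    return findings

def build_sample_docroot(base):
    """Constructed sample tree: application pages plus leftover vendor docs."""
    sample = {
        "index.html": "<h1>Welcome</h1>",
        "app/login.php": "<?php /* application code */ ?>",
        "manual/index.html": "<title>ExampleHTTPd Version 2.4.1 Documentation</title>",
        "app/README.txt": "ExampleApp\nversion: 3.0.2\n",
        "app/CHANGELOG": "Fixed typo in footer\n",
    }
    for rel, body in sample.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for rel, version in sorted(audit_docroot(tmp).items()):
            print(f"{rel}: discloses version {version}" if version else f"{rel}: remove or restrict")
```

Files that report a version are the ones that let an outsider profile the server; files without one still signal that the installation defaults were never cleaned up.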