Awesome browser security

It started with an excellent question from an intern: what should I read to get a decent understanding of browser security? I decided to answer it in full by creating a list of the best materials I know of. Use it in good health, and let me know what you think.

The awesome browser security project is available here

Scoping considerations

What exactly should be covered? My first proposal is to include:

  • Security of the browser product itself.
  • Web security issues that involve the browser.

For XSS or CSRF, this means that everything browsers do to mitigate them is in scope, but nothing more. I would not want to cover privacy issues, especially topics such as fingerprinting, tracking, etc.

Topicality

The field is moving quite rapidly, so ideally the list should reflect the current state of the art on each front. Whenever possible, I have tried to mark the publication date (at least the year).

Conciseness

The list should strive to be minimal. Hence the focus is on high-quality, in-depth introductions and source materials, such as formal specifications. 

Completeness

This one is rather aspirational at this point. Eventually, I’d like this doc to be a map of all browser-related security issues. 

Availability

Materials that are available for free on the Internet are strongly preferred. 

Quality

I reserve the right to be mistaken about anything here. Feel free to provide feedback or point out any errors. Contributions are welcome.

By Cezary Cerekwicki

AppSec program manager. A former nerd who reluctantly learned he's not allergic to shirts and talking to people. Currently a people person.