TyphoonCon

“With the increasing complexity of modern browsers and operating systems, memory corruption exploitation has become difficult, making vulnerability classes such as SOP Bypass, UXSS, spoofing and Cross File attacks more prevalent.”

About the trainer:

Rafay Baloch is a renowned cybersecurity expert from Pakistan who has made a significant impact on the global stage with his innovative work. Despite his young age, he has already gained recognition for his groundbreaking research into the vulnerabilities of mobile browsers, which has affected millions worldwide. He is also the author of “Ethical Hacking And Penetration Testing Guide” and has been featured in prominent media outlets like Forbes, The Wall Street Journal, and the BBC. Baloch’s achievements include being named among the Top 5 Ethical Hackers of 2014 by CheckMarx, the Top 25 Threat Seekers by SC Magazine, and a top influencer in cyber security by Reflectiz in 2021.

Rafay has made a notable contribution to the advancement of cybersecurity globally and has presented at major international conferences such as Black Hat, NYUAD CSAW, HEXCON, SDPI, etc. His research work and opinion pieces on critical cyber security issues have received widespread media attention. In recognition of his outstanding contributions to the cybersecurity sector, Rafay was nominated for the Pride of Pakistan award by the Inter-Services Public Relations department of the Pakistan military in 2022. Currently, he serves as the Sr. Advisor Cyber Security for PTA, a telecom regulator in Pakistan, and frequently advises the government on cyber security matters.

Talk overview:

Web applications have become increasingly significant with the rise of the internet during this decade. Browsers, the medium through which web applications are accessed, must adhere to the design and implementation of security policies and mechanisms to protect their users from potential security risks. The most notable of these policies are the Same Origin Policy (SOP) and Content Security Policy (CSP). However, due to the increasing complexity of modern browsers and operating systems, memory corruption exploitation has become difficult, making vulnerability classes such as SOP bypass, UXSS, spoofing, cross-file attacks, etc., more prevalent.

Mobile browsers, however, are relatively new and, as a result, have not undergone the same level of scrutiny as desktop web browsers. Hundreds of families of different mobile browsers exist, each advertising a different set of capabilities. These browsers often incorporate new features and functionality without having undergone systematic security checks, which widens the threat surface.

In this presentation, the author will discuss a methodology for discovering novel security vulnerabilities in browsers, including address bar spoofing. The presentation will include a walkthrough of novel vulnerabilities discovered by the author.

The author will demonstrate how these bugs can be used to evade anti-phishing and site-reputation-based filters, as well as to exploit password managers in modern browsers. Challenges and pitfalls with modern mobile browsers in terms of security, and possible solutions to overcome them, will also be discussed.