Back to Blog

The Browser is the New Perimeter

3 min read
#browser-security #attack-surface #enterprise

The traditional network perimeter is dead. It died somewhere between the first VPN split tunnel and the hundredth SaaS app your organization adopted. Today, the browser is where work happens—and where attackers focus their attention.

The Shift to Browser-First Work

Think about your last workday. Email in Outlook 365. Documents in Google Workspace. Project management in Asana or Monday. Communication in Slack or Teams. Video calls in Zoom. Every single one of these runs in a browser.

This shift created a single point of entry that bypasses nearly every traditional security control. Firewalls? Useless against HTTPS traffic. Network segmentation? Irrelevant when everything routes through port 443. Endpoint protection? Often blind to browser-based attacks.

Extension-Based Threats

Browser extensions are the new Shadow IT. The Chrome Web Store hosts over 130,000 extensions, and the average enterprise user has 10-15 installed. Each extension can:

  • Read and modify all data on visited websites
  • Intercept form submissions (including passwords)
  • Inject scripts into any page
  • Exfiltrate data to external servers

The attack chain is elegant. Compromise a popular extension through a supply chain attack—like the 2023 incident affecting multiple code editor extensions—and you gain access to thousands of enterprise environments simultaneously.

// A malicious extension only needs this permission
"permissions": ["<all_urls>", "storage", "webRequest"]

// To intercept every HTTP request
chrome.webRequest.onBeforeRequest.addListener(
  function(details) {
    // Exfiltrate request data
    sendToC2(details);
    return { cancel: false };
  },
  { urls: ["<all_urls>"] },
  ["requestBody"]
);

WebAssembly: The Double-Edged Sword

WebAssembly (Wasm) enables near-native performance in the browser. It also enables sophisticated malware that traditional detection tools can’t analyze.

Wasm binaries are opaque. Static analysis tools designed for JavaScript fail silently. Cryptominers, credential stealers, and even ransomware components have been compiled to Wasm, executing right under the nose of endpoint detection tools.

The CoinHive incident was just the beginning. Modern Wasm-based threats embed directly in legitimate websites through supply chain compromises, ad networks, or compromised npm packages.

Defense Strategies

1. Browser Isolation

Remote Browser Isolation (RBI) renders web content in a cloud sandbox. Users receive only a sanitized pixel stream or DOM reconstruction. Attacks execute in the isolated environment, never reaching the endpoint.

The tradeoff: latency and user experience. Modern RBI solutions minimize this through clientless architectures and selective isolation policies—isolating high-risk categories while allowing direct access to trusted applications.

2. Extension Governance

Implement an allowlist for browser extensions. Block everything not explicitly approved. Use Group Policy or MDM to enforce extension policies:

{
  "ExtensionInstallAllowlist": [
    "extension-id-1",
    "extension-id-2"
  ],
  "ExtensionInstallBlocklist": ["*"],
  "BlockExternalExtensions": true
}

3. Content Security Policy Enforcement

For applications you control, implement strict CSP headers:

Content-Security-Policy: 
  default-src 'self';
  script-src 'self' 'strict-dynamic';
  object-src 'none';
  base-uri 'self';

4. Monitor Browser Telemetry

Deploy browser-native security tools that monitor:

  • Extension installations and permission changes
  • DNS queries from browser processes
  • Anomalous data transfer patterns
  • Credential access attempts

The Path Forward

The browser isn’t going away as the center of enterprise work. The security industry is adapting with enterprise browsers, browser-based DLP, and improved isolation technologies.

Your move: inventory every browser extension in your environment. You might be surprised what you find.

Have questions about browser security implementations? Get in touch.