For almost two decades, employees’ web surfing has been monitored and controlled by Secure Web Gateways (SWGs) – the old guard of the web. SWGs are designed to intercept and analyze data moving across a network, filtering out harmful content and blocking malicious files.
Over time, browsers became more central to business operations, where almost 85% of employees conduct most of their work. The browser became an attractive target for cybercriminals. Browsers, as well as Web Applications, also became a lot more complicated, leading to new classes of web attacks.
The attacks are becoming more advanced, with many of them being orchestrated entirely on the client side, bypassing any security solution scrutinizing the network layer. This is weakening SWG efficacy in protecting enterprises against web threats.
Last Mile Reassembly Attacks take advantage of SWGs’ architectural limitations, which traditionally inspect data at the network level but cannot monitor the intricate processes within the browser. According to Vivek Ramachandran, the founder of SquareX, “Without access to browser events, DOM changes, user interactions, and other browser session data, it is impossible for SWGs to have enough context to be able to detect web attacks.” Attackers exploit this ‘browser-blindness’ through many means, exemplified in the Last Mile Reassembly framework.
Understanding Last-Mile Reassembly Attacks
Since SWGs cannot scrutinize how data is processed and reassembled on the client-side of the browser, an opportunity is created for a wide range of modern web attacks.
As an example, SWGs have no concept of windows and tabs. This means that in practice, attackers can send malicious content in fragmented forms over multiple requests. Once these fragments reach the browser–on the same tab–a client-side script reassembles them and executes the malicious code. This method allows attackers to deliver malware without triggering any alarms from the SWG.
In another scenario, an attacker embeds malware within a web page’s image or CSS file. The SWG sees only harmless data fragments and allows them to pass through. Once inside the browser, the client-side script extracts malware from the image or CSS and drops it to the user’s system as a ‘regular’ file download. This is another category of bypasses that SquareX coins as ‘Hiding in Plain Sight.’
Phishing pages can also be constructed entirely on the client side using a Canvas Engine. Just as the name suggests, Ramachandran gives an analogy to visualise this bypass, “Rather than shipping a famous painting that is well known by the guards, invite the artist so he can recreate the entire painting for you.” Without the components of the phishing page passing through the network, SWGs cannot analyze the web page and deem it malicious.
The Last Mile Reassembly Attack framework, consisting of more than 30 such bypasses, is available at browser.security for the public to assess their security posture against.
Disrupting the Multi-billion Dollar Market
The Last Mile Reassembly attack is particularly concerning, given the increasing reliance on web-based applications and cloud services. According to industry reports, the Secure Access Service Edge (SASE) market, which includes SWGs, has grown from a Total Addressable Market of $19 billion in 2018 to $45 billion in 2023, with projections suggesting it could reach $80 billion by 2028.
When SWGs were first introduced, the web applications that employees were using were not as advanced as it is today. SWGs, along with an endpoint agent, were the only browser guardians. As the complexity evolved, these solutions were no longer sufficient to protect users. Many of the attacks that live and die within the browser are also not detected by endpoint security solutions.
For SWGs to detect these attacks, they would need to either fully emulate the user’s browser in the cloud or send extensive browser-specific data back to the SWG for analysis. Both methods are computationally intensive and costly, making them impractical for vendors and their clients.
Today, we have browser security solutions like enterprise browsers and browser extensions. These solutions, like SquareX’s browser extension, are context-aware of the happenings of the browser and can protect against web attacks and all of the last-mile reassembly attacks.
The Future of Browser Security
SWGs’ limitations are likely being exploited in the wild. Since SWGs and endpoint security lack visibility into the browser space, organizations would not even be aware that they are being attacked through the browser. Browser security solutions monitor the web for client-side attacks and can provide organizations with these insights.
SquareX hopes its research will prompt vendors to rethink their approach to browser security and encourage clients to strengthen their defenses against these attacks.
Ramachandran emphasized this point, “Attackers are targeting employees of organizations while they are online, and the old guard SWGs are failing to detect and block new-age client-side web threats due to their antiquated architecture. In our view, the only way to detect and block these complex attacks is to have access to rich browser data as input to detection algorithms, and the only way to do this is to have a browser-native product. This is exactly what SquareX is building.”
As cybersecurity threats continue to evolve, so too must the strategies employed to combat them. S
