Skip to main content
Threat playbooks30 playbooks

Browser threatplaybooks.

The browser is where most modern attacks start: phishing links, malicious downloads, session theft, web exploits, and risky AI usage. These pages explain how each threat shows up in the browser and what isolation changes.

Research hubAI security guides

Account & Session Attacks.

View category →
Session hijacking

Session hijacking is when an attacker steals or reuses a valid session cookie/token to act as the user without needing the password again.

Cookie theft

Cookie theft is when attackers steal session cookies from a browser to impersonate a user and access accounts without the password.

Session fixation

Session fixation is when an attacker forces a victim to use a session identifier the attacker already knows, then takes over that session after the victim authenticates.

Man-in-the-browser (MitB)

Man-in-the-browser (MitB) attacks use malware or malicious extensions to manipulate what a user sees in the browser and to steal data from inside sessions.

Credential stuffing

Credential stuffing is when attackers use leaked username/password pairs to automatically try logins across many sites until one works.

Data Theft & Leakage.

View category →
Formjacking (web skimming)

Formjacking (web skimming) is when attackers inject JavaScript into a site to steal data entered into forms—commonly payment or login details.

Clipboard hijacking

Clipboard hijacking changes or steals what a user copies and pastes—like bank details, addresses, or API keys—often without obvious signals.

Deception & Impersonation.

View category →
Typosquatting

Typosquatting is when attackers register domains that look like a real brand but rely on typos or subtle differences to fool users.

Homograph attacks (lookalike characters)

A homograph attack uses lookalike characters (often from different alphabets) to create a domain that visually resembles a trusted brand.

Tabnabbing

Tabnabbing is a trick where a background tab changes into a fake login page, hoping the user returns later and enters credentials.

Brand impersonation

Brand impersonation is when attackers mimic a trusted company (logo, language, UI) to get users to click, log in, or pay.

Malicious redirects

Malicious redirects send users through a chain of sites to hide the final destination—often ending in phishing, scams, or malware downloads.

Rogue browser notifications

Rogue browser notifications abuse the browser’s notification permission to spam users with scam alerts, fake security warnings, or phishing links.

Malware Delivery.

View category →
Malvertising

Malvertising is when malicious ads deliver scams, phishing, or malware—often by redirecting users to a harmful site after a click (or sometimes on ad load).

Drive-by downloads

A drive-by download is when a visit to a website triggers an unwanted download or malware installation—often without the user intending to download anything.

Malicious downloads

Malicious downloads are files delivered through the browser that look useful (PDFs, installers, “updates”) but contain malware or lead to it.

Fake browser updates

Fake browser updates are deceptive popups or pages that claim your browser is outdated and push a malicious “update” download.

Malicious browser extensions

Malicious browser extensions abuse browser permissions to steal data, hijack sessions, inject ads, or redirect users to phishing pages.

Exploit kits

Exploit kits are automated toolchains that probe a visitor’s browser for vulnerabilities and deliver a payload if they find a match.

Browser zero-day exploits

A browser zero-day exploit targets an unknown or unpatched vulnerability in a browser or its components to execute code or escape the sandbox.

Watering hole attacks

A watering hole attack compromises a website that a specific group frequently visits, then uses it to deliver malware or credential theft to that group.

Ransomware from browser downloads

Ransomware from browser downloads happens when a user downloads and runs a malicious file delivered via a website, ad, or phishing link.

Phishing & Social Engineering.

View category →
Phishing

Phishing is when an attacker tricks someone into revealing credentials or approving access—often through a convincing message that sends them to a fake login page.

Fake login pages

A fake login page is a lookalike sign-in screen designed to capture usernames, passwords, and MFA codes for a real service.

Spear phishing

Spear phishing is targeted phishing that uses personal or company context to make the message and link feel legitimate.

OAuth consent phishing

OAuth consent phishing tricks a user into granting a malicious app access to their account through a legitimate-looking consent screen.

QR code phishing (quishing)

QR code phishing (“quishing”) uses a QR code to hide a malicious URL that opens a browser link on a phone or workstation.

Web Exploits.

View category →
Clickjacking

Clickjacking is a UI trick that overlays or disguises elements so a user clicks something different from what they think they’re clicking.

Cross-site scripting (XSS)

Cross-site scripting (XSS) is when attackers inject JavaScript into a trusted website so it runs in users’ browsers under that site’s identity.

Cross-site request forgery (CSRF)

Cross-site request forgery (CSRF) tricks a user’s browser into sending an authenticated request to a site without the user intending to.

Start with these pages.

01

Resources hub

Browser isolation research, guide hubs, and ranking-focused explainers.

Read02

Browser isolation Chrome extension

Commercial-intent explainer for teams evaluating Chrome-based isolation.

Read03

Secure app browsing guides

Map browser threat thinking to real SaaS workflows.

Read04

AI security guides

Prompt injection, data leakage, and browser-enforceable AI controls.

Read

Your agent needs its Legba.

Read the docs