Browser threatplaybooks.

Session hijacking is when an attacker steals or reuses a valid session cookie/token to act as the user without needing the password again.

Cookie theft is when attackers steal session cookies from a browser to impersonate a user and access accounts without the password.

Session fixation is when an attacker forces a victim to use a session identifier the attacker already knows, then takes over that session after the victim authenticates.

Man-in-the-browser (MitB) attacks use malware or malicious extensions to manipulate what a user sees in the browser and to steal data from inside sessions.

Credential stuffing is when attackers use leaked username/password pairs to automatically try logins across many sites until one works.

Formjacking (web skimming) is when attackers inject JavaScript into a site to steal data entered into forms—commonly payment or login details.

Clipboard hijacking changes or steals what a user copies and pastes—like bank details, addresses, or API keys—often without obvious signals.

Typosquatting is when attackers register domains that look like a real brand but rely on typos or subtle differences to fool users.

A homograph attack uses lookalike characters (often from different alphabets) to create a domain that visually resembles a trusted brand.

Tabnabbing is a trick where a background tab changes into a fake login page, hoping the user returns later and enters credentials.

Brand impersonation is when attackers mimic a trusted company (logo, language, UI) to get users to click, log in, or pay.

Malicious redirects send users through a chain of sites to hide the final destination—often ending in phishing, scams, or malware downloads.

Rogue browser notifications abuse the browser’s notification permission to spam users with scam alerts, fake security warnings, or phishing links.

Malvertising is when malicious ads deliver scams, phishing, or malware—often by redirecting users to a harmful site after a click (or sometimes on ad load).

A drive-by download is when a visit to a website triggers an unwanted download or malware installation—often without the user intending to download anything.

Malicious downloads are files delivered through the browser that look useful (PDFs, installers, “updates”) but contain malware or lead to it.

Fake browser updates are deceptive popups or pages that claim your browser is outdated and push a malicious “update” download.

Malicious browser extensions abuse browser permissions to steal data, hijack sessions, inject ads, or redirect users to phishing pages.

Exploit kits are automated toolchains that probe a visitor’s browser for vulnerabilities and deliver a payload if they find a match.

A browser zero-day exploit targets an unknown or unpatched vulnerability in a browser or its components to execute code or escape the sandbox.

A watering hole attack compromises a website that a specific group frequently visits, then uses it to deliver malware or credential theft to that group.

Ransomware from browser downloads happens when a user downloads and runs a malicious file delivered via a website, ad, or phishing link.

Phishing is when an attacker tricks someone into revealing credentials or approving access—often through a convincing message that sends them to a fake login page.

A fake login page is a lookalike sign-in screen designed to capture usernames, passwords, and MFA codes for a real service.

Spear phishing is targeted phishing that uses personal or company context to make the message and link feel legitimate.

OAuth consent phishing tricks a user into granting a malicious app access to their account through a legitimate-looking consent screen.

QR code phishing (“quishing”) uses a QR code to hide a malicious URL that opens a browser link on a phone or workstation.

Clickjacking is a UI trick that overlays or disguises elements so a user clicks something different from what they think they’re clicking.

Cross-site scripting (XSS) is when attackers inject JavaScript into a trusted website so it runs in users’ browsers under that site’s identity.

Cross-site request forgery (CSRF) tricks a user’s browser into sending an authenticated request to a site without the user intending to.