Secure Web Gateways Are Broken Tech, New Research Shows

Photo credit: SquareX at DEF CON 32

For nearly two decades, Secure Web Gateways (SWGs) have been the gatekeepers of the web, monitoring and controlling employee web activity by intercepting and analyzing data moving across networks. While these tools have filtered harmful content and blocked malicious files effectively for years, the landscape of web usage has evolved. Today, approximately 85% of employees conduct most of their work within a browser, making it a prime target for cybercriminals. This has led to new and more complex web attacks, rendering traditional SWGs less effective.

SWGs are facing the emergence of advanced attacks that operate entirely on the client side, bypassing network-layer security measures. The Last Mile Reassembly Attack framework, presented by SquareX at DEF CON 32, highlights these vulnerabilities, revealing how SWGs' architectural limitations leave enterprises exposed to modern web threats.

Understanding the Weaknesses in SWG Architecture

SWGs were designed to inspect data at the network level, a method that served well in the early days of web security. However, as browsers and web applications have become more sophisticated, this approach has shown many gaps. SWGs lack visibility into the intricate processes within a browser, such as DOM changes, browser events, and user interactions. As Vivek Ramachandran, the founder of SquareX, explains, "Without access to site session data, SWGs are operating in the dark."

This lack of visibility is where SWGs falter, allowing attackers to exploit what SquareX terms 'browser-blindness.' As an example, Ramachandran explains, "SWGs don't have notions of tabs and windows. When they look at two requests they can't make out whether they are coming from the same tab or window, so they do not have enough data to do any dynamic analysis in the cloud trying to emulate what's happening on the user's browser tab." Malicious actors can take advantage of this by breaking up malicious files into smaller pieces, sending them over the network, and assembling them in the browser right under the nose of the SWG. The SWG has no context indicating that the separate download requests originated from a single browser tab.

The Challenges of Addressing Last-Mile Attacks

Last Mile Reassembly attacks capitalize on the inability of SWGs to monitor client-side data processing. These attacks can take various forms, such as sending fragmented malicious files across multiple download requests or embedding malware in seemingly innocuous files like images or CSS. Once these fragments are reassembled in the browser, the malicious file is dropped on the victim's device without triggering any alarms from the SWG.

These bypasses highlight SWGs' inability to understand the context in which data is processed on the client side. To combat these attacks, SWGs would need to emulate the user's browser in the cloud or analyze extensive browser-specific data, both of which are resource-intensive and impractical for most vendors and their clients.
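The inspection gap described above, modelled as an added example that is not SquareX's code or any SWG vendor's engine: a gateway that scans each response body, or a buffered stream with no tab identifiers, never sees the whole marker, while a per-tab grouping (which SWGs lack) or a browser-side check on the reassembled bytes does. The signature, file contents and request records are all constructed for the illustration.

```python
from typing import Dict, List

# Constructed marker standing in for a detection signature; no real
# malware content appears anywhere in this example.
SIGNATURE = b"EXAMPLE-MALICIOUS-MARKER"


def scan_each_response(requests: List[dict]) -> bool:
    """SWG model 1: every response body is scanned in isolation."""
    return any(SIGNATURE in r["body"] for r in requests)


def scan_stream_in_arrival_order(requests: List[dict]) -> bool:
    """SWG model 2: bodies are buffered in arrival order, but with no tab
    identifiers the gateway cannot separate one tab's traffic from another's."""
    return SIGNATURE in b"".join(r["body"] for r in requests)


def scan_per_tab(requests: List[dict]) -> bool:
    """Hypothetical gateway that did receive a tab identifier: grouping by tab
    catches the straight split, though not fragments a page script reorders."""
    per_tab: Dict[str, bytes] = {}
    for r in requests:
        per_tab[r["tab"]] = per_tab.get(r["tab"], b"") + r["body"]
    return any(SIGNATURE in blob for blob in per_tab.values())


def browser_native_scan(assembled: bytes) -> bool:
    """Browser-side control: inspects the bytes the page actually hands to the
    download path after client-side reassembly."""
    return SIGNATURE in assembled


def fragment(data: bytes, size: int) -> List[bytes]:
    """Fixed-size split of a file into separate response bodies."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def demo() -> Dict[str, object]:
    file_bytes = b"--header--" + SIGNATURE + b"--trailer--"  # constructed
    fragments = fragment(file_bytes, 16)  # marker straddles every boundary
    # Two tabs share one gateway: tab-A fetches the fragments, tab-B fetches an
    # unrelated resource that lands between them on the wire.
    requests = [{"tab": "tab-A", "body": f} for f in fragments]
    requests.insert(1, {"tab": "tab-B", "body": b"/* benign stylesheet */"})
    reassembled = b"".join(r["body"] for r in requests if r["tab"] == "tab-A")
    return {
        "fragments": len(fragments),
        "each_response": scan_each_response(requests),
        "arrival_order": scan_stream_in_arrival_order(requests),
        "per_tab": scan_per_tab(requests),
        "browser": browser_native_scan(reassembled),
    }
```

Running `demo()` returns False for both gateway models and True for the per-tab and browser-side checks, which is the visibility difference the article attributes to browser-native controls.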

A more feasible alternative is to deploy browser-native solutions, which can detect and neutralize these threats at the point of delivery. This method focuses on enhancing security directly within the browser, where the reassembly of malicious content occurs, rather than relying solely on network-level defenses.

SquareX has created a website that allows organizations to test their current security setups against such advanced threats. Ramachandran notes, "We encourage enterprises to evaluate their security posture using this website. It's crucial for understanding the real-world effectiveness of their current defenses."

A Call for Enhanced Security Measures

Given the growing reliance on web-based applications and cloud services, the limitations of SWGs are a serious concern. The SASE market, which includes SWGs, has ballooned from a $19 billion market in 2018 to an estimated $80 billion by 2028. However, the evolving complexity of web applications has outpaced the capabilities of traditional SWGs and endpoint security solutions.

To protect against these new threats, browser security solutions like SquareX's browser extension offer a more context-aware approach. These solutions are designed to monitor and defend against client-side attacks, providing organizations with the necessary visibility and protection that SWGs lack.

SquareX's research aims to drive a shift in how vendors and clients approach browser security. With the increasing sophistication of web threats, it is imperative for organizations to adopt enhanced security measures that go beyond the outdated SWG architecture and address the vulnerabilities of the modern web landscape.
