What Is Browser Sandboxing?

Salmankhan2389 - Aug 30 '22 - Dev Community

With a rapidly changing business landscape, security is one of the biggest challenges for developers and testers in the modern web development cycle. The complexity of building and deploying modern web apps leads to more security vulnerabilities. As per a Cost of Data Breach report by IBM and Ponemon Institute, in 2021, data breach costs rose from USD 3.86 million (average cost in 2019) to USD 4.24 million, which is the highest average cost in the 17 years of this report.

Therefore, cybersecurity is becoming increasingly important in the software development lifecycle to ensure user data security and privacy. Wouldn’t it be great if you could develop and test websites and web apps without worrying about security vulnerabilities? Sandboxing is one technique that can help you achieve this. Sandboxing is an approach for securely isolating an application, a web browser, or a piece of code. It prevents malicious or faulty apps from attacking or spying on your web resources and local system.

In the real world, a sandbox is a play area for children enclosed by walls. It allows children to play with sand without the sand being strewn around the lawn. Likewise, the sandbox browser creates an isolated environment where users can download and install applications from third-party sources and run them securely, even if they act suspiciously. As a result, the sandbox browser protects your computer from additional security risks.

In this article, we explore what browser sandboxing is, the benefits and importance of the different types of sandboxing, and how to implement it.

Let’s begin!

What is Browser Sandboxing?

To prevent security breaches in your system or web application, developers need to figure out how to deal with them. This is when browser sandboxing comes in handy. The browser sandbox provides a safe virtual environment to test harmful code or run third-party software without compromising your system’s data or local files.

For example, if you download a malicious attachment within the sandbox, it will not damage your system’s existing files or resources. The browser also enforces a same-origin policy, which allows JavaScript to add or customize elements on its own web page while restricting its access to resources from other origins, such as an external JSON file.

Today, popular web browsers such as Chrome, Firefox, and Edge come with built-in sandboxes. The ultimate goal of a sandboxed browser is to protect your machine from the risks associated with browsing. Therefore, if a user downloads malicious software from a website, the software gets downloaded into the browser’s sandbox. Everything inside it, including the harmful code, is wiped out upon closing the sandbox.

Browser sandboxing uses two isolation techniques to shield users’ web browsing activity, system hardware, local PCs, and networks.

  • Local browser isolation

  • Remote browser isolation

Local browser isolation

Local browser isolation is a conventional technique of browser isolation that runs the virtual browsers in the sandbox or the virtual machine on the user’s local infrastructure. It helps in isolating data from external security threats and unsafe browsing. For example, if a malicious element creeps in, the impact will be limited to the sandbox browser and virtual machine.

Remote browser isolation

Remote browser isolation involves a virtualization technique in which the browser is run on a cloud-based server (both public and private cloud). In remote isolation, the user’s local system is free from browsing activity, and the browser sandboxing, filtering, and risk evaluation take place on the remote server.

Remote browser isolation can separate the user’s local infrastructure from web content in two ways.

  • DOM Mirroring: In this technique, the browser is not entirely isolated from the user’s local system. However, the DOM mirroring technique filters the malicious content and renders the rest of the content to the user.

  • Visual Streaming: This technique provides complete remote browser isolation. Visual streaming works like VDI (Virtual Desktop Infrastructure) systems where a browser runs on the cloud-based server, and the visual output is displayed to the user’s local machine.

Why is Browser Sandboxing important?

Modern web technologies are expanding rapidly, thereby allowing users to develop and ship websites and web apps without a hitch. At the same time, the demand for web applications is also increasing at an unprecedented pace. According to a survey, web applications were the source of 50% of data breaches. Therefore, it is critical to have a secure, controlled environment like a sandbox browser, to perform the operations without jeopardizing your local infrastructure and system resources.

For example, suppose a user is running a web browser in a sandbox. If malicious code or a malicious file exploits web browser vulnerabilities, the impact is restricted to the sandbox. Also, the detonation procedure can aid in the discovery of new vulnerabilities and their mitigation in web browsers. However, if the sandbox browser is disabled, malicious programs can exploit web browser vulnerabilities and damage the user’s local system and resources.

Benefits of Sandboxing

There are various advantages to incorporating a sandbox into your web development workflow. Some of the advantages are mentioned below.

  • Sandboxing saves the device and operating system from being exposed to potential threats.

  • When working with an unauthorized party or vendor, it is best to use a sandboxing environment. You can use the sandbox to test suspicious code or software before deploying it.

  • Sandboxing can aid in the prevention of zero-day attacks. Because developers cannot discover an instant patch for the exploits, zero-day attacks are inherently harmful. Sandboxing mitigates the damage by keeping the malware isolated from your system.

  • Sandbox environment quarantines threats and viruses. This assists cyber experts in studying and analyzing threat trends. It enables the prevention of future intrusions and the identification of network vulnerabilities.

  • Sandboxing applications are hybrid solutions, meaning they can be deployed both locally and remotely (on a cloud-based server). Hybrid systems are more secure, reliable, and cost-effective than traditional solutions.

  • Sandboxing and RDP (remote desktop protocol) setups assist businesses in ensuring a safe external network connection.

  • Sandboxing can be used in conjunction with antivirus or other security tools and policies to strengthen your entire security ecosystem.

What assets are being sandboxed?

The bulk of the assets we use in our daily workflow, like online browsers, web pages, PDFs, mobile apps, and Windows applications, are sandboxed.

The assets that are being sandboxed are listed below.

  • Web Browsers: The potentially vulnerable browsers run in sandboxed environments.

  • Browser Plug-ins: While loading content, browser plugins operate in a sandbox. Sandboxed browser plugins, like Java, are more vulnerable to attacks.

  • Web Pages: The browser loads the web page in sandbox mode. Since the page’s JavaScript runs inside this sandbox, it cannot access files on your local computer.

  • Mobile Apps: Mobile operating systems like Android and iOS run their apps in sandbox mode. They show a permission prompt if an app wishes to access your location, contacts, or other information.

  • Windows Software & Programs: Before making changes to system files, User Account Control (UAC) in Windows OS asks for your permission. UAC functions similarly to a sandbox, although it does not provide complete protection. However, one shouldn’t disable it.

Different types of Sandboxing

In this section on browser sandbox, we discuss the different types of sandboxing. Sandboxing is divided into three categories.

  1. Application Sandboxing

  2. Browser Sandboxing

  3. Security Sandboxing

Application Sandboxing

With Application Sandbox, you can run untrusted applications in a sandbox to prevent them from damaging your local system or stealing data. It helps create a secure environment where apps can run without the risk of damaging the system. By isolating the app from the user’s local computer, application sandboxing enhances the app’s integrity.

Browser Sandboxing

Potentially malicious browser-based applications can be executed in a sandbox to prevent them from causing harm to your local infrastructure. It leads to establishing a secure environment in which web apps can run without compromising the system. The detonation technique can aid in the discovery of new vulnerabilities in web browsers and their mitigation.

Security Sandboxing

Security Sandboxing lets you explore and detect suspicious code. It scans attachments, identifies potentially harmful websites, and determines whether a user is downloading or installing infected files.

Sandboxing with an in-built sandbox browser

Sandboxes come pre-installed in popular browsers like Chromium, Firefox, and Edge to protect your system from browsing vulnerabilities. Let’s look at how sandboxing works in different browsers.

Chromium Browser Sandboxing

Google Chrome and Microsoft Edge are built on the Chromium browser. The broker and the target are the two processes that make up the Chromium browser sandbox. The target process is a child process, while the browser process is a broker process. The target process’s code is executed in a sandbox environment. The broker process acts between the child process and hardware resources to offer resources to the child process.

Firefox Browser Sandboxing

To protect the local system from threats, Firefox executes untrusted code within a sandbox. The Firefox browser is sandboxed by using the parent and child processes. When browsing, potentially malicious programs are run in the sandbox. The parent is a mediator between the child process and the rest of the system resources during sandboxing.
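The mediation pattern described for Chromium (broker and target) and Firefox (parent and child), as an added example that is not from the original article or from either browser's code: a simplified in-process Python model in which the broker checks every file request from the target against an allowlist policy. The class names, policy format and sample files are assumptions for illustration, and the OS-level process restrictions that real browsers rely on are not reproduced here.

```python
import os
import tempfile

class Broker:
    """Privileged side: owns the policy and is the only code that opens files."""
    def __init__(self, allowed_dirs):
        # Canonicalize the allowlist once so checks compare real paths.
        self.allowed = [os.path.realpath(d) for d in allowed_dirs]
        self.audit = []  # one decision per request, in order

    def handle_read(self, path):
        # Resolve ".." and symlinks BEFORE the policy check; a plain prefix
        # test would accept "cache/../secret.txt".
        real = os.path.realpath(path)
        ok = any(os.path.commonpath([real, d]) == d for d in self.allowed)
        self.audit.append("ALLOW" if ok else "DENY")
        if not ok:
            return {"ok": False, "error": "denied by policy"}
        with open(real, encoding="utf-8") as fh:
            return {"ok": True, "data": fh.read()}

class Target:
    """Unprivileged side: never opens files, only sends requests to the broker."""
    def __init__(self, channel):
        self._ask = channel  # stands in for the IPC pipe between the processes

    def read(self, path):
        return self._ask(path)

def run_demo():
    # Constructed layout: an allowed cache directory and a secret outside it.
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cache")
        os.mkdir(cache)
        secret = os.path.join(root, "secret.txt")
        for path, text in ((os.path.join(cache, "page.html"), "<p>cached</p>"),
                           (secret, "local credentials")):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        broker = Broker(allowed_dirs=[cache])
        target = Target(broker.handle_read)
        return {
            "allowed": target.read(os.path.join(cache, "page.html")),
            "outside": target.read(secret),
            "traversal": target.read(os.path.join(cache, "..", "secret.txt")),
            "audit": list(broker.audit),
        }
```
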

You can change the degree of sandboxing in Firefox browsers to make it least, moderate, or highly restrictive.

Level 0: Least restrictive
Level 1: Moderate
Level 2: Highly restrictive

To check the level of the Firefox sandbox browser, enter the following in the address bar.

about:config

The page loads Firefox’s configurable variables. Now press CTRL+F on the config page. Enter the following commands in the search box and press Enter.

Edge Browser Sandboxing

When you launch the Edge sandbox browser in Windows 10, you’ll be presented with a fresh desktop that has only the Recycle Bin and Edge shortcuts. It displays the Start Menu and other icons, but they aren’t functional in this sandboxed environment. You can access them on the standard Windows 10 desktop rather than in the sandboxed one.

When you close the Edge browser sandbox, your browser history is no longer available. Your ISP may keep track of actions in the sandbox, but this data is not auditable.

Disabling the Google Chrome sandbox

While performing Chrome-based sandboxing testing, you may come across a scenario where the sandbox feature can cause the Chrome browser to flash an error — The Application Has Failed to Initialize.

In that case, you may need to disable the Chrome browser sandbox. Follow the steps below.

  1. Create a Google Chrome Sandbox shortcut if you don’t have one.

  2. Right-click on the shortcut and select Properties.

  3. Enter the below command to the app path provided in the Target.

  4. Click Apply, and then OK
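A browser started with its sandbox disabled renders web content without isolation, so it is worth knowing where that happens on your machines. An added example, not part of the original article: Python that scans process command lines for Chromium-family browsers launched with a sandbox-disabling switch. The switch watch list is an assumption about what to look for (the article's own command is not shown above), and the process records are constructed sample data.

```python
import shlex

# Chromium switches that disable all or part of the sandbox (assumed watch list).
SANDBOX_OFF = {"--no-sandbox", "--disable-setuid-sandbox", "--disable-gpu-sandbox"}
BROWSERS = {"chrome", "chrome.exe", "chromium", "msedge", "msedge.exe"}

def binary_name(argv0):
    # Last path component, accepting both Windows and POSIX separators.
    return argv0.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_unsandboxed(processes):
    """Return (pid, binary, switches) for browsers launched with the sandbox off."""
    findings = []
    for proc in processes:
        # posix=False keeps Windows backslashes intact; quotes stay on the token.
        argv = shlex.split(proc["cmdline"], posix=False)
        if not argv or binary_name(argv[0]) not in BROWSERS:
            continue
        args = [a.lower() for a in argv[1:]]
        # Renderer/GPU children carry --type= and repeat the parent's switch;
        # report only the top-level browser process to avoid duplicate alerts.
        if any(a.startswith("--type=") for a in args):
            continue
        hits = sorted(SANDBOX_OFF.intersection(args))
        if hits:
            findings.append((proc["pid"], binary_name(argv[0]), hits))
    return findings

# Constructed sample process list (not real telemetry).
SAMPLE = [
    {"pid": 4120, "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox'},
    {"pid": 4188, "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-sandbox'},
    {"pid": 5012, "cmdline": "/usr/bin/chromium --headless --disable-gpu-sandbox https://intranet.example/report"},
    {"pid": 5100, "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"pid": 5200, "cmdline": "/usr/bin/python3 build.py --no-sandbox"},
]

if __name__ == "__main__":
    for pid, binary, switches in find_unsandboxed(SAMPLE):
        print(f"pid={pid} {binary} started with {', '.join(switches)}")
```
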

Browser Sandboxing: Is it 100% secure?

Most web browsers use a sandbox. However, the internet is still a source of viruses and other malware. The level of sandboxing appears to vary. Different web browsers implement sandboxing differently, so it’s hard to figure out how they work. However, this does not mean that all web browsers are unsafe. On the contrary, a browser sandbox can make them more secure.

But if you ask whether it provides 100% security, the answer is no! Some browser components may stretch outside the sandbox if they use Flash and ActiveX.

An alternative to Sandboxing: LambdaTest secure cloud platform

Despite the numerous built-in browser sandboxes, it is difficult to achieve 100% security. Installing third-party sandboxing solutions for various browsers in order to test websites and apps can also be time-consuming.

Instead, developers and testers can use cloud-based testing platforms like LambdaTest to ensure Enterprise-grade security. More than 500K users trust LambdaTest for browser and app testing needs. LambdaTest is a secure cloud-based platform for web-based browser testing on an online browser farm of 3000+ real browsers and operating systems.

LambdaTest is a SOC2 type certified platform that is both GDPR and CCPA compliant. Read more about LambdaTest Security.

Besides providing testing on web browsers online, LambdaTest also offers mobile app testing (real-time and automated) on a real device cloud of 3000+ Android and iOS devices.

Below are the steps for running real-time tests on a LambdaTest secure cloud environment.

  1. Login to LambdaTest. If you don’t have an account, sign up on LambdaTest.

  2. Once you are in the user Dashboard, select the Real Time Testing option.

  3. Enter the test URL, choose Desktop or Mobile, and select VERSION, OS, and RESOLUTION. Now click START.

A cloud-based virtual machine will fire up where you can start secure web testing of your web applications on the cloud.

If you are new to real-time testing, check out our video tutorial to get started right away.

Wrapping Up!

Businesses are attacked by Advanced Persistent Threats (APTs), and sandboxing can protect them. By seeing what’s ahead, you can prepare for unknown attacks. With sandboxing, you can test and develop applications in an isolated environment without compromising your local system assets. Sandboxie, BitBox, and other sandboxing tools are available in the market. However, it takes time to set up and install different browsers in the sandbox.

This article discussed how to use LambdaTest cloud-based platform for your browser and app testing to develop and test applications in a secure remote environment without endangering your local system.

Hope you liked the article, and if you have any questions, please feel free to drop them in the comments.
