A complete framework for identifying, mapping, and mitigating client-side security risks — with BreachFin at the center
Modern web security no longer begins at the server.
It begins in the browser, where attackers have the most leverage and defenders have the least visibility.
This workbook gives you a step-by-step threat modeling framework designed specifically for browser-based risks, including:
- DOM tampering
- iFrame manipulation
- Script injection
- Shadow AI scraping
- OAuth token replay
- Payment flow corruption
- Extension interference
- Federated login abuse
1. Define the Browser Attack Surface
Start by mapping all components executed within the user’s browser:
Core Browser Attack Surface
- HTML DOM
- JavaScript execution context
- Web APIs
- Cookies / tokens / storage
- Service Workers
- iFrames and embedded components
- WebAssembly
Extended Attack Surface
- Third-party scripts
- Tag Manager injections
- A/B testing engines
- Browser extensions
- AI assistants
- Remote iframes from vendors
- OAuth redirect flows
- Payment processors
- CDN dependencies
You cannot protect what you do not map.
2. Identify High-Value Targets in the UI
Determine which UI components represent a high-risk zone:
Common High-Risk Components
- Login / authentication UI
- Payment checkout page
- Account update UI
- Sensitive form fields (SSN, card, PII)
- API call contexts used for fund transfers
- Dashboards exposing customer data
- Admin panels
- Multi-step workflows
These components must have enhanced monitoring.
3. Identify Threat Actors
Modern browser threats come from multiple actor categories:
1. External Attackers
- Cybercriminals
- Skimming groups (Magecart, etc.)
- Phishing actors
- Supply chain attackers
2. Internal “Shadow AI” Tools
- AI assistants scraping DOM
- Unauthorized OAuth-connected apps
- Copy/paste automation tools
3. Browser Extensions
- Malicious
- Compromised
- Legitimate but over-permissioned
4. Third-Party Script Vendors
- Analytics
- Chat
- Personalization
- Payment widgets
All are potential points of compromise.
4. Define Browser-Specific Threat Scenarios
Use STRIDE but adjust for browser context:
Spoofing
- Fake payment iFrames
- Fake login overlays
- UI redressing attacks
Tampering
- DOM manipulation
- Script injection
- Modified checkout values
- Removed security controls
Repudiation
- Session replay
- Token reuse
- Invisible background requests
Information Disclosure
- DOM scraping
- Token extraction
- Exfiltration to AI/extension servers
Denial of Service
- Checkout freezing
- UI blocking overlays
- Infinite event loops
Escalation of Privilege
- Unauthorized access via XSS
- Extension hijacking privileged contexts
This expands STRIDE into STRIDE-B, focused on browser vectors.
5. Model the Attack Path End-to-End
Break down the browser threat flow into phases:
Phase 1 — Injection
- Script added dynamically
- Extension activates
- AI assistant loads
- CDN vendor compromised
Phase 2 — Observation
Malicious code quietly:
- Reads DOM
- Hooks event handlers
- Inspects tokens
- Observes user input
Phase 3 — Manipulation
Attacker modifies:
- Prices
- Destinations
- Parameters
- Payment routes
- UI elements
Phase 4 — Exfiltration
Data leaves the browser using:
- fetch/XHR
- beacon
- image requests
- WebSockets
Phase 5 — Replay
Attacker replays:
- Tokens
- Auth headers
- API requests
This is the full compromise lifecycle.
6. Map Controls to Each Attack Phase
Injection Controls
- CSP (script-src)
- Trusted Types
- SRI (where possible)
- Script Integrity Registry (BreachFin)
Observation Controls
- Browser isolation
- Form field obfuscation
- Token scoping
- In-memory tokens (not localStorage)
- BreachFin DOM access anomaly detection
Manipulation Controls
- DOM validation
- UI integrity checks
- Behavior drift detection (BreachFin)
Exfiltration Controls
- Network anomaly detection
- Allowed AI/extension domain lists
- BreachFin outbound leak monitoring
Replay Controls
- Token binding
- PKCE enforcement
- Session fingerprinting
- BreachFin replay detection patterns
7. Build a Browser Threat Matrix
Below is a matrix you can include as a downloadable asset:
| Attack Type | Vector | Impact | Preventive Control | Detection (BreachFin) |
|---|---|---|---|---|
| XSS | Script injection | Full takeover | CSP + Trusted Types | DOM mutation anomalies |
| CSRF | Forged actions | Unauthorized changes | CSRF tokens | Unexpected POST detection |
| Token Replay | Token theft | Account takeover | Token binding | Replay pattern alerting |
| Extension Injection | Browser plugin | Data theft | Extension restrictions | Extension interference detection |
| iFrame Fraud | Overlay UI | Payment redirection | frame-ancestors | iFrame behavior drift |
| Shadow AI | AI scraping | Data leak | Domain allowlists | Exfiltration monitoring |
| Skimming | Form hijack | PCI breach | Iframe-based payment | Checkout script drift |
This matrix becomes the “cheat sheet” for your threat modeling workbook.
8. Checklist: Browser Security for 2026
Preventive
- CSP (Strict)
- Trusted Types
- HttpOnly cookies
- In-memory access tokens
- PKCE for all OAuth flows
- frame-ancestors restrictions
- Sandbox all iFrames
- Limit third-party scripts
Detective
- BreachFin runtime monitoring
- Script integrity registry
- DOM anomaly detection
- Behavior drift analysis
- Token access detection
- Outbound exfiltration alerts
Responsive
- Auto session invalidation
- Real-time blocking
- Incident evidence logs
- Forensic replay captures
- SOC integration via webhook
9. BreachFin’s Role in Browser Threat Modeling
BreachFin provides exactly the layer that threat modeling identifies as “blind”:
✔ Visibility into browser execution
✔ Script fingerprinting
✔ Drift detection
✔ iFrame tamper detection
✔ Extension interference alerts
✔ Shadow AI behavior capture
✔ Token interaction monitoring
✔ Real-time notifications
✔ Compliance evidence for PCI/SOC2/GDPR
Traditional security tools cannot inspect the browser.
BreachFin exists to fill the visibility gap highlighted in every threat model.
