
Browser-native identity attack

An attack that succeeds inside the browser session rather than by compromising the operating system. The user may see a normal login page or application flow while the attacker steals credentials, relays authentication, or captures a valid session token without triggering endpoint-based detection.

Expanded Definition

Browser-native identity attack describes a class of compromise where the adversary works inside the browser runtime and session flow instead of breaking the endpoint operating system. That distinction matters because modern authentication often relies on web redirects, tokens, and browser-held session state that can be abused without triggering traditional malware indicators. In NHI and IAM contexts, the attack surface includes login pages, single sign-on flows, OAuth consent screens, session cookies, and token exchange logic. The browser becomes the trust boundary that is being manipulated, not merely the app being visited.

Definitions vary across vendors, but the practical meaning is consistent: the attacker either captures credentials during a legitimate-looking interaction, relays the authentication to a real service, or steals a valid session artifact after login. This is closely related to token theft and session hijacking, but browser-native identity attack is a broader operational label that emphasizes where the compromise occurs. For background on how identity exposure drives real-world compromise, see the Ultimate Guide to NHIs and the OWASP NHI Top 10. A useful external reference for adjacent browser and identity abuse patterns is the CISA cyber threat advisories.

The most common misapplication is treating it as an endpoint-only problem, which occurs when defenders focus on malware scans while ignoring browser session control and authentication flow integrity.

Examples and Use Cases

Hardening browser sessions rigorously adds user friction and telemetry complexity, so organisations have to weigh stronger identity assurance against the operational cost of more frequent step-up checks and continuous session monitoring.

  • A phishing page proxies a real login flow and forwards the victim’s credentials and one-time challenge to the legitimate identity provider, creating a valid session that looks normal to the user.
  • An attacker injects script into a compromised web application or extension context and steals session cookies from the browser after authentication, then reuses them from a separate machine.
  • A reverse-proxy setup relays OAuth or SSO traffic in real time, allowing the adversary to capture the resulting session cookie or access token even when the password and MFA prompt were entered correctly, because a one-time code or push approval is not bound to the origin that asked for it.
  • An AI operator interface is accessed through a browser session, and the attacker reuses the authenticated session to issue tool calls as the victim identity. See the LLMjacking: How Attackers Hijack AI Using Compromised NHIs research note for adjacent token abuse behavior.
  • Defensive teams correlate browser telemetry, login anomalies, and session revocation events using guidance from the MITRE ATLAS adversarial AI threat matrix when AI-assisted workflows are involved.

These scenarios show why browser-native identity attack is often invisible to traditional perimeter tools: the authentication was real, but the session was not trustworthy.

Why It Matters in NHI Security

Browser-native identity attack is especially dangerous for NHI security because many service-to-service and AI-assisted workflows now rely on browser-mediated consoles, developer portals, and agent dashboards where tokens and secrets can be exposed during legitimate use. The attack does not need to defeat the OS if it can inherit a trusted browser session. Once that happens, the adversary can impersonate an operator, rotate credentials, create new tokens, or access downstream systems that trust the session. The Ultimate Guide to NHIs reports that 79% of organisations have experienced secrets leaks, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. That combination makes browser-originated session theft a direct path from a single user interaction to broad NHI compromise.

For governance, this means defenders must treat browser session integrity, token lifetime, and privileged web access as part of identity security, not just application security. The 52 NHI Breaches Analysis shows how frequently identity misuse becomes the real failure mode after initial access. Treating an incident as a possible browser-native identity attack becomes operationally unavoidable after a suspicious login, unexpected token use, or an AI tool abuse event, at which point session revocation and credential rotation are no longer optional.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 (Secret Leakage) | Covers secret, token, and session exposure that can start in the browser.
NIST CSF 2.0 | PR.AA-01 and PR.AA-03 (Identity Management, Authentication, and Access Control; this category was PR.AC in CSF 1.1, so older mappings cite PR.AC-1) | Addresses credential management and authentication of users and services, which is where an inherited browser session is judged.
NIST SP 800-207 (Zero Trust Architecture), with NIST SP 800-53 Rev. 5 | SP 800-207 tenet of per-session, continuously evaluated access; SP 800-53 SC-23 (Session Authenticity) | Zero trust requires continuous verification beyond a trusted browser session; SC-23 is the SP 800-53 control for protecting session authenticity, since SP 800-207 itself defines no control identifiers.

Validate session trust, reduce standing access, and revoke compromised browser sessions quickly.