This blog was written by Tuan Vu
The enterprise browser has become a high-value target as attackers shift toward more evasive web-based techniques. What began as a straightforward battle between security vendor databases and malicious domains has evolved into a more complex scenario. While security vendors can quickly flag known threats, attackers adapt by cloaking their operations behind benign landing pages or CAPTCHA pages, which conceal the actual content from automated scanners.
To counter this, Palo Alto Networks introduced the Advanced URL Filtering solution, which features real-time, network-layer detection designed to stop threats in transit. However, this network-centric defense model struggles against attacks that occur only within the browser.
This exposes a critical blind spot that the "Last Mile Reassembly" framework exploits. Instead of sending a single, easily scanned malicious file, adversaries fragment their code, often JavaScript, and smuggle it through the network in small, undetected pieces. This code is then reassembled directly inside the browser. This approach bypasses even the most advanced heuristic or AI-driven network defenses.
As the battle shifts from the network to the browser, organizations need protection that operates where these modern attacks now unfold, inside the browser itself.
Palo Alto Networks introduces Advanced Web Protection (AWP), a new capability integrated into Prisma Browser, engineered to detect and prevent today’s evasive and dynamically assembled web threats. As modern attacks increasingly exploit browser runtime environments, network-layer defenses lack the visibility and context needed to identify and stop these threats effectively.
Advanced Web Protection extends Palo Alto Networks’ Precision AI-powered security architecture directly into the browser runtime, enabling real-time, in-context inspection of web traffic, rendered content, and scripts as they execute. This enables security teams to detect and block threats that manifest only after page load, including runtime-assembled JavaScript payloads, cloaked phishing pages, obfuscated scripts, and AI-generated malicious code.
Through native integration with Prisma Access and Strata Cloud Manager, Prisma Browser delivers centralized policy management, correlated telemetry, and unified visibility across all users, devices, and locations. This ensures consistent in-browser protection for both managed and unmanaged endpoints, eliminating the need for SSL decryption or endpoint agents.
The result is a fully instrumented browser environment that brings Precision AI detection directly to the execution layer, allowing organizations to identify and mitigate evasive, browser-resident threats before they can compromise credentials, data, or systems. This architecture enables the real-time analysis of 100% of browser-generated web traffic, preventing dynamically constructed or delayed execution threats from bypassing network-based defenses.
Attackers continue to refine their methods, with one of the most advanced techniques being the runtime assembly attack. In this approach, malicious code is divided into multiple fragments that appear benign in transit and are reassembled only once inside the browser. Understanding this technique highlights why in-browser protection has become essential for modern enterprise security architectures.
One of the most illustrative examples of this new threat class is the runtime assembly attack, which demonstrates how code fragments can bypass defenses and execute entirely within the browser.
Let's examine how a threat like the runtime assembly attack circumvents network-layer defenses. A user, operating without browser-level protection, visits a malicious site. They are first shown a CAPTCHA, an evasion trick that hides the attacker's intent from security crawlers. After solving it, a fake login page or a "browser update" prompt appears. With just one click, the machine is compromised.
Upon examining the example code, we see that the attacker never delivered a full payload all at once. Instead, they encoded it, split it into many small, benign-looking fragments, and sent them separately. These fragments are stitched together and executed inside the browser at runtime.
Behind the scenes, the page utilizes a runtime assembly technique. First, the page loads ten tiny files. Each file is just a list of numbers (character codes). At runtime, the page executes a single line of code, converting the numbers back into characters, then glues the ten pieces together and stores the result in full_snippet. Then, the dangerous part occurs: the JavaScript calls eval(full_snippet), which executes the hidden code, such as a fake login form or a pop-up.
Network defenses, even with real-time analysis, cannot detect this attack. They only see the harmless, individual pieces in transit. Stopping this attack requires protection at the browser level, where the assembly occurs, the exact visibility layer provided by Advanced Web Protection in Prisma Browser.
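The gap between the two inspection points can be shown with a small model. This is an added example, not code from the original post or from Prisma Browser: the rule set, function names, and sample string are all constructed for illustration, and the sample is inert markup that is never executed.

```javascript
// Illustrative content rules for script text (constructed, not a product ruleset).
const RULES = [
  { name: "password-input", re: /type\s*=\s*["']?password/i },
  { name: "form-injection", re: /innerHTML\s*=.*<form/i },
];

// Names of the rules that match a piece of text.
function scan(text) {
  return RULES.filter((r) => r.re.test(text)).map((r) => r.name);
}

// Test data only: split a string into files that each hold a comma-separated
// list of character codes, the on-the-wire form the article describes.
function makeSampleFragments(source, count) {
  const size = Math.ceil(source.length / count);
  const out = [];
  for (let i = 0; i < source.length; i += size) {
    const codes = Array.from(source.slice(i, i + size), (c) => c.charCodeAt(0));
    out.push(codes.join(","));
  }
  return out;
}

// Network-layer view: every fragment body is scanned on its own.
function networkView(fragments) {
  return fragments.flatMap((body) => scan(body));
}

// What the page does at runtime: decode each list, then concatenate.
function assemble(fragments) {
  return fragments
    .map((body) => String.fromCharCode(...body.split(",").map(Number)))
    .join("");
}

// Browser-layer view: wrap an execution sink so the assembled string is
// inspected before it runs; a flagged string never reaches the sink.
function guardSink(sink, onBlock) {
  return (code) => {
    const hits = scan(String(code));
    if (hits.length > 0) {
      onBlock(hits);
      return undefined;
    }
    return sink(code);
  };
}

// Constructed sample standing in for the hidden code (fake login markup).
const SAMPLE = `document.body.innerHTML = '<form><input type="password" name="p"></form>';`;
const fragments = makeSampleFragments(SAMPLE, 10);
```

Here `networkView(fragments)` returns no matches because each body is only digits and commas, while the guard sees the full string at the sink and blocks it. A real in-browser control would wrap every string-to-code sink, not only `eval`, which is the one the article names.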
Attackers continue to refine their evasion techniques, evolving faster than network defenses can detect or respond. They employ cloaking, encryption, and content morphing techniques to conceal malicious behavior, preventing automated scanners from accurately classifying or blocking their activity.
The consequences of a successful web-based attack can include:
As browser-based attacks become increasingly sophisticated, detection must move closer to where threats originate and execute. Advanced Web Protection brings that visibility and control directly into Prisma Browser, enabling organizations to detect, analyze, and prevent evasive attacks in real-time.
For more information on how Advanced Web Protection integrates with Prisma Browser, visit the Palo Alto Networks LIVEcommunity YouTube channel and watch Advanced Web Protection: Runtime Assembly Attack.


