Today’s web applications are complex. They combine in-house software, open-source and third-party code, and bespoke JavaScript and HTML, all integrated through application programming interfaces (APIs).
Although a web app is hosted and maintained on the company’s servers, much of it actually runs in the end user’s browser. The code that runs there is referred to as ‘client-side script’. These scripts create a highly dynamic environment that delivers a high level of functionality but also carries a high level of risk: the combination of potentially flawed or vulnerable systems, servers, code, and applications gives threat actors an ideal environment for client-side attacks.
What are client-side attacks, and how do they work?
Client-side attacks happen when a user unwittingly receives malicious or vulnerable content from a server, often by simply clicking a link or filling out a form. That content might take the form of flawed JavaScript or potentially dangerous third-party code included in the web application.
‘Client-side’ refers to end-user devices such as desktops, laptops, mobile phones, and tablets, which are known as ‘clients.’ ‘Servers,’ on the other hand, are the systems those devices connect to. Client devices send requests to a server, and the server fulfils them. When browsing the web, a client device typically sends requests to many different servers, and a server typically handles many client devices at the same time.
Because client-side activity takes place outside the business’s security perimeter, on the end user’s own device, standard perimeter security controls will not protect the end user from harmful behaviour on the dynamic web pages they visit.
What are the most prevalent client-side security threats?
Unmitigated vulnerabilities in an organization’s systems can lead to potentially serious attacks on the client side, that is, on the organization’s customers or end users. E-skimming, Magecart-style attacks, and formjacking are examples of this kind of attack.
The Open Web Application Security Project® (OWASP), in its Web Security Testing Guide, identifies 12 client-side security issues that businesses must address to avoid such attacks:
DOM (Document Object Model)-based Cross-site Scripting, a variant of cross-site scripting (XSS), is a vulnerability in which the page’s own JavaScript takes attacker-controlled input, such as part of the current URL, and writes it into the page without proper encoding, so that the attacker’s code is presented to, and run by, the visitor’s browser. Unlike reflected or stored XSS, the payload need never reach the server. Once the malicious code runs in the victim’s browser, it can steal payment card details or passwords, among other things.
JavaScript Injection is a related XSS variant in which attacker-supplied JavaScript reaches a code-executing sink (such as eval() or a string argument to setTimeout) and is executed by the end user’s browser. JavaScript injection can be used to change what the user sees, steal the user’s session data, or impersonate the user.
HTML Injection is another form of cross-site scripting in which attacker-supplied HTML is inserted into a weak point of a website. HTML injection is typically used to alter the design of a website or the content shown on it.
Client-side URL Redirection, also known as Open Redirection, occurs when a web application takes untrusted input containing a URL value and uses it to redirect the user, allowing an attacker to send the user to another, most likely malicious, website under the attacker’s control.
CSS Injection: attackers inject arbitrary CSS into a website, which is then rendered in the end user’s browser. Depending on the payload, the attack can result in cross-site scripting (in older browsers), UI changes, or the exfiltration of sensitive data such as payment card details, for example by using attribute selectors to leak form field values.
Client-side Resource Manipulation: this vulnerability lets the threat actor control the URL from which the page loads other resources (scripts, frames, stylesheets), enabling cross-site scripting attacks.
CORS (Cross-origin Resource Sharing): a poorly implemented CORS policy, for example one that reflects any Origin header while also allowing credentials, lets an attacker’s site read authenticated responses and can facilitate cross-origin attacks such as cross-site request forgery (CSRF).
Cross-site Flashing: because Flash content was commonly embedded in web pages, faults or vulnerabilities in a Flash application could enable cross-site scripting attacks. Adobe ended support for Flash Player in December 2020 and mainstream browsers no longer run it, so this item is mainly relevant to legacy applications.
Clickjacking (UI Redress): a threat actor layers web page frames to deceive a user into clicking a button or link on a different page than the one intended. The technique can also be used to intercept keystrokes: using stylesheets, iframes, and text boxes, the attacker fools the user into thinking they are entering login credentials or bank account details into a genuine website when they are actually typing into a frame the attacker controls.
WebSockets: a range of attacks, including sniffing (on unencrypted ws:// connections), cross-site WebSocket hijacking (CSWSH), and cross-site request forgery (CSRF), become possible if the server does not correctly check the Origin of the initial HTTP handshake that opens the WebSocket.
Web Messaging: also known as cross-document messaging, web messaging (postMessage) allows pages from different origins to communicate safely with one another. If the sender does not specify the receiving origin (using ‘*’ as the target), or the receiver does not check the origin of incoming messages, sensitive information may leak to unknown or malicious sites and attacker-controlled data may be acted on, for example to trigger a redirection.
Local Storage: also known as web storage or offline storage, local storage allows JavaScript on a site to save and retrieve data with no expiry, so data saved in the browser remains accessible even after the browser window has been closed. Because the storage is readable by any JavaScript running on the same origin, a cross-site scripting attack can take everything in it, which is why session tokens should not be kept there. Data written to storage can also be used to load malicious content if the application later trusts and executes what it reads back.
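Two of the items above, DOM-based XSS and open redirection, start from the same place: attacker-controlled pieces of the current URL (the fragment and a “next” query parameter). The following is an added example, not code from the original article or from any vendor it mentions. Because Node.js has no DOM, the page’s sink is modelled as a function that returns the HTML string the application would assign to innerHTML; APP_ORIGIN and the sample inputs are assumptions made for the example.

```javascript
// Added example: handling untrusted URL input on the client (vulnerable vs hardened).
const APP_ORIGIN = 'https://shop.example'; // assumption: the application's own origin

// Minimal HTML entity encoding for text placed inside an element's content.
// Correct for HTML text nodes only; attribute, URL and JavaScript contexts
// each need their own encoder.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Extract the value after '#'; malformed %-escapes are returned as-is rather than throwing.
function fragmentValue(hash) {
  const raw = String(hash).replace(/^#/, '');
  try {
    return decodeURIComponent(raw);
  } catch {
    return raw;
  }
}

// Vulnerable pattern: a name taken from location.hash goes straight into markup.
// A fragment like #<img src=x onerror=alert(document.cookie)> runs in the victim's
// browser, and because it sits after the '#' it is never sent to the server.
function renderGreetingUnsafe(hash) {
  return `<h1>Welcome, ${fragmentValue(hash)}</h1>`; // equivalent to el.innerHTML = ...
}

// Hardened: encode before interpolating. In a real page, prefer
// el.textContent = name, which needs no encoding at all.
function renderGreetingSafe(hash) {
  return `<h1>Welcome, ${escapeHtml(fragmentValue(hash))}</h1>`;
}

// Open redirect: after login the app reads ?next=... and calls location.assign(next).
// Resolve the value against the app's own origin and accept only same-origin results.
// This rejects https://evil.example, protocol-relative //evil.example, javascript:
// URLs (origin 'null') and userinfo tricks such as https://shop.example@evil.example,
// because every one of them resolves to an origin other than the app's.
function safeRedirectTarget(next, appOrigin = APP_ORIGIN) {
  const home = appOrigin + '/';
  let url;
  try {
    url = new URL(String(next), appOrigin);
  } catch {
    return home; // unparseable input: fall back to the home page
  }
  if (url.origin !== new URL(appOrigin).origin) return home;
  return url.href;
}

// Stand-alone demonstration.
console.log(renderGreetingUnsafe('#<img src=x onerror=alert(1)>'));
console.log(renderGreetingSafe('#<img src=x onerror=alert(1)>'));
console.log(safeRedirectTarget('/account?tab=orders'));
console.log(safeRedirectTarget('//evil.example/phish'));
```

The redirect check compares whole origins rather than testing whether the string starts with the site’s hostname; prefix checks are exactly what `https://shop.example.evil.example` and `https://shop.example@evil.example` are built to defeat.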
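Three more items above, CORS, WebSockets and web messaging, come down to the same question: is the origin on the other side of this request one we trust? The following is an added example, not code from the original article or from any vendor it mentions, showing one origin check shared by all three. TRUSTED_ORIGINS, the header names used and the message shape are assumptions made for the example.

```javascript
// Added example: one canonical origin check for CORS, WebSocket handshakes and postMessage.
const TRUSTED_ORIGINS = new Set([ // assumption: the origins this app is willing to talk to
  'https://app.example',
  'https://admin.app.example',
]);

// Canonicalize with the URL parser so case, default ports and stray paths cannot slip
// past a string comparison. Opaque origins ('null', as sent by sandboxed iframes,
// file: pages and data: URLs) and unparseable values are never trusted.
function canonicalOrigin(value) {
  if (typeof value !== 'string') return null;
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

function isTrustedOrigin(value) {
  const origin = canonicalOrigin(value);
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// CORS, weak: reflecting the request's Origin while allowing credentials lets any site
// that lures a logged-in user read the authenticated response cross-origin.
function corsHeadersReflecting(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// CORS, hardened: only allowlisted origins receive an ACAO header, and Vary: Origin
// stops a shared cache from serving one origin's headers to another.
function corsHeadersHardened(requestOrigin) {
  if (!isTrustedOrigin(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': canonicalOrigin(requestOrigin),
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// WebSockets: the browser attaches the user's cookies to the Upgrade request, so a server
// that accepts any Origin is open to cross-site WebSocket hijacking (CSWSH). Browsers
// always send Origin; a missing header is treated as untrusted, the conservative choice
// for an endpoint meant for browser clients only.
function acceptWebSocketHandshake(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  if (String(h['upgrade'] || '').toLowerCase() !== 'websocket') return false;
  return isTrustedOrigin(h['origin']);
}

// Web messaging: a receiver that ignores event.origin will act on data from any page that
// can obtain a reference to this window. Check the origin first, then validate the shape
// of the payload before using it. Returns the accepted payload, or null to drop the message.
function handleIncomingMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'set-theme') return null;
  if (data.theme !== 'light' && data.theme !== 'dark') return null; // closed set, no free text
  return { theme: data.theme };
}

// Stand-alone demonstration.
console.log(corsHeadersReflecting('https://evil.example'));
console.log(corsHeadersHardened('https://evil.example'));
console.log(acceptWebSocketHandshake({ Upgrade: 'websocket', Origin: 'https://APP.example:443' }));
console.log(handleIncomingMessage({ origin: 'https://evil.example', data: { type: 'set-theme', theme: 'dark' } }));
```

On the sending side of web messaging the mirror-image rule applies: call `otherWindow.postMessage(msg, 'https://app.example')` with an explicit target origin rather than `'*'`, so the browser silently drops the message if that window has since navigated to a different site.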
How to defend against client-side threats and attacks
Organizations should continually watch for unusual script activity to identify possible threats and safeguard their customers from client-side attacks. Testing can help reach this goal, but the process is time-consuming and needs specialized knowledge. The simplest way to speed up monitoring is to use security software built for the purpose. Tools like Inspector, part of AT&T Managed Vulnerability Program’s Client-side Security powered by Feroot, allow firms to automatically discover and report on web assets and data access. It also detects client-side security flaws and offers targeted threat mitigation to help keep customers safe. The PageGuard solution from Feroot is built on the Zero Trust principle and operates in the background to detect and stop unauthorized, anomalous, or malicious scripts and code actions.
Because these attacks are growing steadily, organizations are encouraged to engage security professionals to deploy technologies that continually detect and guard against attackers. Using the services provided by AT&T’s Managed Vulnerability Program (MVP) and Feroot, the MVP team can analyze and monitor customer web applications for dangerous JavaScript code that could affect customer and organization security.
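A minimal, browser-native form of “watch for odd script activity” is a Content-Security-Policy-Report-Only header: browsers then report, without blocking, every script the page tries to load that is not on the allowlist, and triaging those reports surfaces injected skimmer scripts. The following is an added example, not code from the original article, AT&T or Feroot, and it is not a substitute for the commercial tooling described. The allowlist, the reporting endpoint and the sample violation reports are all constructed for the example.

```javascript
// Added example: a report-only script allowlist and triage of the resulting CSP reports.
const ALLOWED_SCRIPT_ORIGINS = [ // assumption: the only places this site loads scripts from
  "'self'",
  'https://cdn.shop.example',
  'https://js.payments.example',
];
const REPORT_ENDPOINT = '/csp-report'; // assumed path that receives browser reports

// Build the policy value for a Content-Security-Policy-Report-Only header. Hashes or
// nonces would be added for any inline scripts the page genuinely needs; 'unsafe-inline'
// is deliberately absent, since injected skimmers are very often inline.
function buildScriptPolicy(allowed = ALLOWED_SCRIPT_ORIGINS, reportTo = REPORT_ENDPOINT) {
  return `script-src ${allowed.join(' ')}; report-uri ${reportTo}`;
}

// Constructed sample of the JSON bodies browsers POST to report-uri (one object per report).
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'violated-directive': 'script-src-elem', 'blocked-uri': 'https://static.evil-analytics.example/track.js' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'violated-directive': 'script-src-elem', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': 'img-src', 'blocked-uri': 'https://pixel.ads.example/p.gif' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': 'script-src-elem', 'blocked-uri': 'chrome-extension' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/cart', 'violated-directive': 'script-src-elem', 'blocked-uri': 'https://cdn.shop.example/legacy.js' } },
];

function originOf(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null; // opaque, truncated or scheme-only URI
  }
}

// Classify script-src violations. Returns one finding per report worth a look:
//   suspicious-inline   - a blocked inline script or eval (typical skimmer injection)
//   extension-noise     - browser extensions injecting scripts; filter, do not alert
//   suspicious-external - a script host outside the allowlist
// Reports for non-script directives are ignored, as are allowlisted or same-origin
// hosts (those indicate drift between policy and allowlist, not an injection).
function triageCspReports(reports, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const allowedOrigins = new Set(
    allowed.filter((a) => !a.startsWith("'")).map((a) => originOf(a)),
  );
  const findings = [];
  for (const wrapper of reports) {
    const r = wrapper['csp-report'] || {};
    const directive = String(r['violated-directive'] || '');
    if (!directive.startsWith('script-src')) continue;
    const blocked = String(r['blocked-uri'] || '');
    const documentUri = String(r['document-uri'] || '');
    let verdict;
    if (blocked === 'inline' || blocked === 'eval') {
      verdict = 'suspicious-inline';
    } else if (/^(chrome|moz|safari)-extension/.test(blocked)) {
      verdict = 'extension-noise';
    } else {
      const blockedOrigin = originOf(blocked);
      if (blockedOrigin !== null &&
          (allowedOrigins.has(blockedOrigin) || blockedOrigin === originOf(documentUri))) {
        continue;
      }
      verdict = 'suspicious-external';
    }
    findings.push({ documentUri, blockedUri: blocked, verdict });
  }
  return findings;
}

// Stand-alone demonstration.
console.log(buildScriptPolicy());
console.table(triageCspReports(SAMPLE_REPORTS));
```

Running in report-only mode first matters: it reveals the legitimate third-party scripts the allowlist forgot before the policy is switched to enforcing and starts breaking the checkout page. The findings on payment pages (`/checkout` in the constructed sample) are the ones to escalate first, since that is where e-skimmers operate.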