Top 12 client-side security threats

Today’s web applications are complex, often made up of a mix of existing software, open-source and third-party code, and custom JavaScript and HTML all integrated via application program interfaces (APIs).

While web applications are hosted and maintained on an organization’s server, they actually run on an end user’s browser. The scripts that run the applications are referred to as ‘client-side scripts.’ These scripts create an incredibly dynamic environment that enable a high level of functionality, but also facilitate tremendous risk since the combination of potentially flawed or vulnerable systems, servers, codes, and applications creates the perfect scenario for threat actors to leverage in client-side attacks.

What are client-side attacks?

Client-side attacks occur when a user unintentionally downloads malicious or vulnerable content from a server, often by doing nothing more than simply clicking on a web page and filling out a form. That content could take the form of bad JavaScript code or unsafe third-party code that exists as part of the web application.

The term ‘client-side’ refers to end-user devices, like desktops, laptops, mobile phones, and tablets, which are considered ‘clients.’ Conversely, the systems that the devices are connected to are referred to as ‘servers.’ Client devices send requests to the server and the server responds to the request. Servers usually support multiple client devices at the same time, and client devices usually send requests to multiple different servers while operating on the internet.

Because client-side activity happens outside a business’s security perimeter, standard security technologies won’t protect the end user from malicious activity that is occurring on dynamic web pages accessed from the end user’s own device.

What are the most common client-side security risks?

Unmitigated risks present in organizational systems can lead to potentially severe attacks on the client side—that is, an organization’s customers or end users. These types of attacks include e-skimming, Magecart-like threats, and formjacking.

The Open Web Application Security Project® (OWASP) lists 12 client-side security risks that organizations need to ensure they’ve mitigated to prevent attacks:

1. Document Object Model (DOM)-based Cross-site Scripting—Sometimes also called just ‘cross-site scripting’ or ‘XSS’, this is a vulnerability that affects websites and enables an attacker to inject their own malicious code onto the HTML pages displayed to users. If the malicious code is executed by the victim’s browser, the code performs actions, such as stealing credit card information or sensitive credentials.
2. JavaScript Injection—This type of vulnerability is considered a subtype of XSS involving the injection of malicious JavaScript code executed by the end user’s browser application. JavaScript injunctions can be used to modify the content seen by the end user, to steal the user’s session cookies, or to impersonate the user.
3. Hypertext Markup Language (HTML) Injection—Another type of cross-site scripting attack, an HTML injection involves injecting HTML code via vulnerable sections of the website. Usually, the purpose of the HTML injection is to change the website’s design or information displayed on the website.
4. Client-side URL Redirection or Open Redirection—In this type of attack, an application accepts untrusted input that contains a URL value that causes the web application to redirect the user to another, likely malicious page controlled by the attacker.
5. Cascading Style Sheets (CSS) Injection—Attackers inject arbitrary CSS code into a website, which is then rendered in the end user’s browser. Depending on the type of CSS payload, the attack could lead to cross-site scripting, user interface (UI) modifications or the exfiltration of sensitive information, like credit card data.
6. Client-side Resource Manipulation—This type of vulnerability enables the threat actor to control the URL that links to other resources on the web page, thus enabling cross-site scripting attacks.
7. Cross-origin Resource Sharing (CORS)—Poorly configured CORS policies can facilitate cross-origin attacks like cross-site request forgery (CSRF).
8. Cross-site Flashing—Because Flash applications are often embedded in browsers, flaws or vulnerabilities in the Flash application could enable cross-site scripting attacks.
9. Clickjacking or UI Redress Attack—This type of attack involves a threat actor using multiple web page frame layers to trick a user into clicking a button or link on a different page from the one intended. Keystrokes can also be hijacked using this technique. By using stylesheets, iframes, and text boxes, a threat actor can trick the user into thinking they’re entering login credentials or bank account information into a legitimate website, when, in fact, they are actually typing into a frame controlled by the attacker.
10. WebSockets—If servers do not properly verify the origin of an initial HTTP web socket server, a variety of different attack types are possible, including sniffing, cross-site web socket hijacking (CSWH), and cross-site request forgery (CSRF).
11. Web Messaging—Also called cross-document messaging, web messaging enables applications running on different domains to communicate securely. If the receiving domain is not configured, problems could arise related to redirection or the website leaking sensitive information to unknown or malicious servers.
12. Local Storage—Sometimes called web storage or offline storage, local storage enables JavaScript sites and apps to store and access the data without any expiration date. Thus, data stored in the browser will be available even after closing the browser window. Since the storage can be read using JavaScript, a cross-site scripting attack could extract all the data from the storage. Malicious data could also be loaded via JavaScript.

How to protect from client-side risks and attacks

To identify potential risks and protect your customers from client-side attacks, organizations should monitor for suspicious script activity at all times. While testing can achieve this goal, the testing process can be time consuming and requires specific areas of expertise. The best way to expedite the monitoring process is to use security technology designed for just this activity. With LevelBlue Managed Vulnerability Program’s Client-side Security powered by Feroot, tools like Inspector help businesses automatically discover and report on web assets and data access. It also identifies client-side security vulnerabilities and provides specific threat remediation to ensure customers are protected.

Feroot’s PageGuard solution is based on the Zero Trust model and runs continuously in the background to automatically detect and block unauthorized, anomalous, or malicious scripts and code behaviors.

With these attacks increasing daily, organizations are urged to work with security experts to implement tools that continuously scan and protect from attackers. These services offered by LevelBlue’s Managed Vulnerability Program (MVP) and Feroot allow the MVP team to inspect and monitor customer web applications for malicious JavaScript code that could jeopardize customer and organization security.