In today’s world, businesses, economies, and lives are connected by a complex spider web of code and software applications. This code and these applications drive e-commerce, financial transactions, and data input. They impact our ability to quickly transfer money from one account to another, to fill out an online mortgage application, and to order supplies from a vendor.
The code that drives these systems is complicated. If something can go wrong, it will.
The important thing to understand about software code isn’t that it’s not perfect. It’s that hackers and attackers are actively looking for vulnerable code to exploit. And increasingly, they’re looking for vulnerable code on the ‘client side.’
Modern websites and the software that drives them carry risk. Any customer—be it an individual consumer or another business—that wants to conduct a transaction via a website is going to expect a seamless and safe user experience with minimal or no risk. The first step in protecting customers is making sure that entry point into your business—the client slide—is as secure as it possibly can be.
Introducing: The Ultimate Guide to Client-Side Security
I would like to invite you to read our e-book to get a broad overview of client-side security and how you can protect your organizations from client-side threats. In this e-book, we offer businesses a comprehensive look at client-side security and the type of attacks that are increasingly targeting businesses that deliver products and services through the client side. The security gap around the client side is growing and organizations need to be prepared to secure their front-end operations if they want to ensure business growth and customer safety. The unique client-side attack surface requires a specific and dedicated security approach that is different from traditional server-side security. Protecting the client-side means understanding and acknowledging the risks and taking appropriate action to protect any person or business that comes in contact with client-side operations.
Get The Ultimate Guide to Client-Side Security for free.
Highlights from The Ultimate Guide to Client-Side Security
The Importance of Client-Side Security
- Consumers today expect a seamless and safe website experience, with minimal or no risk.
- The client side is the entry point for all web interactions and must be made as secure as possible.
- As companies expand investment in the end-user digital experience, client-side attacks have been increasing in both size and cost. This creates a unique opportunity for threat actors to take advantage of end-user activities.
- Client-side security protects end users from incidents, vulnerabilities, and attacks that occur within an end user’s browser or “front end.”
The Dangers of JavaScript
- While JavaScript is the most commonly used code for client-side web behavioral elements, it is also extremely vulnerable to attack, since it is easy for hackers and other threat actors to input query strings into forms to access, steal, or contaminate protected data.
- JavaScript risk is further complicated by the fact that it does not have security permissions built into it.
- Many websites are assembled using third- and fourth-party JavaScript code that is not vetted and may contain unintentional vulnerabilities or intentionally malicious code that can easily facilitate client-side attacks.
The Front End (Client Side) Must Be Protected
- The front end or “client side” drives the user experience—from graphics and colors to buttons, forms, and navigation menus.
- Front-end/client-side frameworks include:
- Angular JS
- React JS
- Bootstrap
- jQuery
- Front-end logic is becoming more prevalent in order to fully facilitate the end user’s digital journey.
- As front-end logic becomes more common, threat actors are targeting it to identify additional ways to maliciously engage with businesses and end users.
The Dangers of Third-Party Scripts
- When building websites and web functionality, developers rarely write code from scratch. Instead, they leverage pre-written code pulled from open-source communities, such as GitHub.
- A modern web application contains, on average, over 20 third- and fourth-party scripts as part of the user experience.
- In addition to offering ready-made functionality, third- and fourth-party code also gives developers access to the creativity and ingenuity of other developers.
- Unfortunately, vulnerabilities and coding errors are common in third- and fourth-party scripts. Many flaws are unintentional, but present risk, nonetheless. Others are intentional and malicious, with threat actors often purposely creating vulnerable and dangerous code and then promoting it to unsuspecting developers.
Risks Related to Authentication and Authorization
- Many processes, such as authentication and authorization that previously existed on the heavily protected server side, have moved to the less protected and more vulnerable client side.
- Broken access controls are one of the biggest risks to web applications today and currently reside in the number one spot in the OWASP Top 10.
Common Client-Side Threats
- The client-side threats targeting organizations today include:
- Cross-Site Scripting (XSS)
- DOM-Based XSS
- Directory Traversal or Path Traversal
- E-skimming
- Magecart
- E-commerce Platform Skimming
- Drive-by Web Skimming
- Trusted Cloud-hosted Platform Skimming
- Anti-forensic, Self-cleaning, and Stealth Data Skimming
- JavaScript Injection
- SQL Injection
- XML Entity Injection
- Formjacking
- Sideloading & Chainloading
- JavaScript Sniffing
- Broken Link Hijacking
- Server-Side Request Forgery
- Cross-Site Request Forgery
Industries at Risk
- Industries at risk for client-side attacks, particularly e-skimming, include:
- Financial Services and Banking
- Insurance
- Healthcare and Medical
- E-commerce and Retail
- Travel and Hospitality
- Communications, Social Media, and Content Producers
- Cryptocurrency Exchanges and Blockchain
- Real Estate
- Technology and Cybersecurity
- Distribution and Transportation
- Education
- Entertainment
Security Approaches for JavaScript and Client-Side Attacks
- Cyber defense frameworks that can help defend and mitigate threats and attacks include Lockheed Martin’s Cyber Kill ChainTM.
- Seven primary tools are used to secure the client side:
- Web application firewalls (WAFs)
- Content security policies (CSPs)
- Penetration testing and assessments (vulnerability and security)
- Client-side vulnerability scanning
- Code scramblers and obfuscators
- Client-side attack surface monitoring
- JavaScript security permissions
- Each of these seven tools presents both benefits and downsides to the client-side security process. Unfortunately, a number of these tools are time consuming to manage and not particularly effective when it comes to providing comprehensive protection.
- The two most beneficial, secure, and easy-to-manage, client-side security tools are client-side attack surface monitoring and JavaScript security permissions.
Threat Detection & Prevention on the Client-Side
- To maximize detection and protection, organizations are encouraged to develop an inventory of web assets and document all scripts that operate on a website or within web applications.
- Organizations are also encouraged to review code and processes for vulnerabilities and misconfigurations, perform assessments on scripts and code loaded into the browser, and regularly test web applications.
- Priority detection and prevention tips include the use of security control integrity monitoring and change detection automation systems, as well as the implementation of client-side intrusion detection solutions.
- Organizations are also encouraged to apply a layered security strategy or ‘defense-in-depth’ to websites and web applications.
The Importance of Collaboration
- Cybersecurity professionals should work with all business teams, particularly application development, marketing, privacy & compliance, and product security (as applicable) to:
- Build strong relationships.
- Promote a secure business mission, remove friction in the customer journey, and facilitate success for the business.
- Understand current or emerging privacy trends or regulations and apply them within a cybersecurity context.
- Develop a strong security architecture.
Recovering from a Client-Side Attack
- If a breach happens, organizations are advised to:
- Calmly and logically assess the threat/attack.
- Contain the breach.
- Investigate the situation.
- Shut down/block any malware, malicious scripts, or backdoors.
- Identify the point of origin for the attack.
- Engage fully in the recovery process.
- To prepare for future attacks, organizations should:
- Learn as much as they can about the types of threats and the attack environment.
- Scan for and identify vulnerabilities.
- Regularly test defenses.
I hope that the e-book helps you build a broad understanding of client-side security and how you can protect your business from cross-site scripting (XSS), Magecart, formjacking, DOM XSS, and the many other cyberthreats attacking the front end of your web applications. Get the e-book for free here: link
