A “Client-Side Attack” occurs when a user (the client) downloads malicious code from the server, which is then interpreted and rendered by the client browser. The classic example of such an attack is Cross-Site Scripting, which has been a staple of the OWASP Top Ten since its inception. These flaws are pervasive. A 2019 report from Feroot CX Security and Privacy, the 2019 Feroot User Security and Privacy Report concluded that the hidden activities of third-party tools and scripts expose up to 97% of organizations to theft of customer data. More recently, the 2021 Hacker Report showed significant year over year increases in reported web-related security vulnerabilities and that 96% of hackers are working on hacking web applications.
Sadly, these figures are far from surprising. According to that same 2019 Feroot report, modern web applications load an average of 21 third-party scripts as part of the user experience. This integration of third-party code creates a software supply chain that is assembled and executed on the client’s machine in near real time. The risk that one or more of the included scripts has been tampered with by threat actors at any given point in time is real and can have significant consequences as many organizations impacted by “web skimming” or “Magecart” attacks have learned. These attacks occur when an attacker inserts malicious script code, or a reference to include such code, into a payment or other transactional page. The code is downloaded and executed on the client browser which typically sends a copy of the sensitive information to a location of the attacker’s choice. Because of the subtle nature of these campaigns, they can be difficult to detect. For example, Warner Music recently disclosed that a number of the company’s on-line stores had fallen victim to such a campaign that lasted for several months.They are not alone. Many companies have been impacted by such campaigns and given the surge of online transactions as a result of the COVID-19 pandemic, it is no surprise that threat actor groups are increasingly focused on exploitation and monetization of such vulnerabilities.
Even in the absence of malicious intent, simple human error can result in security impacting disclosures. If developers are passing sensitive details in the URL parameters or the page title of a web resource, analytics platforms may receive those elements. These may include usernames, credentials, or other information that could be considered Personally Identifiable Information (PII). Legitimate scripts may collect sensitive data from the website for analysis without the full understanding of the developers or security teams responsible for site operations. If the third-party script provider is hosting operations internationally then the data may be routed to geographies that are of concern.
Traditional approaches to securing web applications and their supporting infrastructure are useful but fall short of addressing most client-side security risks. Endpoint security solutions are likewise useful, but do not extend to addressing the issues discussed here.
Regardless, since it is the reputation of the enterprise on the line, relying on a client to self-secure is a not a viable strategy even if there were a solution in that space. Given the nature of these issues, how can security professionals guard against them in their environment? The following are things to consider:
Educate developers: Training developers on security related issues is already occurring to some degree in most organizations. Incorporate the concept of third-party script inclusion as a dynamic attack surface and provide some targeted awareness training around the resulting risks.
Implement Runtime Application Self-Protection (RASP) solutions: Embedding a RASP solution into the code authored by your organization can provide highly accurate abilities to identify when other third-party embedded scripts attempt to take unsafe actions and prevent it from occurring.
Attack surfaces evolve, and as security professionals our solutions to address ensure the confidentiality, integrity and availability of enterprise operations must keep pace. If you would like to do a quick check on your web application to see if you have client-side application risks to be concerned with, our partner Feroot Privacy has made a free self-assessment tool available on their website at https://www.feroot.com/