It is not unusual for browser-side or client-side security to get less than its fair share of attention from understaffed IT teams battling a rising number of attacks and a constantly evolving threat landscape.
Uri Dorot, Senior Security Solutions Lead at Radware, says that historically server-side attacks have drawn more attention from cyber security officers and web application firewall vendors because they’ve been the primary focus of malicious actors. However, this is changing quickly as hackers look to exploit client-side blind spots and unmonitored areas for gain.
The application architecture and environment have changed in recent years. The application’s perimeter is no longer easy to define. Not only are applications scattered across multiple environments, but they also rely on dozens of connections to third-party services that generate much of the application content on the browser or client side.
This is what we call the application supply chain, and it is on the radar of opportunistic actors with malicious intent.
If client-side protection is not a major part of a modern security strategy, it is a mistake that will eventually come at a price. To increase their security posture, organisations should make sure their application protection solutions cover the following seven common client-side threats.
- Broken access control
Broken access control is a security threat that leaves the door open for malicious actors to use JavaScript to exfiltrate sensitive data, such as login credentials or cached app data that is housed on the client side.
It can also include manipulation of the document object model (DOM) to gain access to client-side data. A designated client-side protection tool can protect against both types of attack.
- DOM-based XSS attacks
A DOM-based XSS (cross-site scripting) attack is a vulnerability that malicious actors use to inject malicious JavaScript payloads into an organisation’s web page via its DOM environment. Ultimately, it allows threat actors to take over users’ accounts.
These types of attacks are difficult to detect on the server side, which is why it’s important that a client-side protection solution is deployed.
- Data leakage
Data leakage is as ominous as it sounds. It occurs when data leaks out of an organisation to unauthorised destinations and falls into the hands of malicious actors.
Leaked data, personally identifiable information (PII) that’s exposed or stolen by malicious actors, can also be used later by hackers to access and take control of users’ accounts.
Leaked data can result in breaches, identity theft, credential stuffing, ransomware and more. An effective client-side protection solution blocks data from being transferred through an applications browser side to unknown destinations or known destinations with illegitimate parameters.
- No third-party origin control
Origin control allows cybersecurity professionals to restrict certain resources or assets by looking at their origins and comparing them to the origin of third-party libraries.
Lack of proper origin control increases the risk that an unknown and uncontrolled third-party code will access data in the application. A client-side protection solution worth its weight automatically uncovers third-party services, provides detailed activity tracking, and blocks unvetted origins to ensure that only the right third-party code has appropriate access to the application network.
- JavaScript tracking
Being able to track changes in JavaScript is critically important to protecting websites or applications that are interactive.
Developers use libraries and third-party tools that can be a breeding ground for JavaScript vulnerabilities, especially those created by smaller, independent developers or companies that often don’t have the time or resources to monitor and update their code on a regular basis. If a protection solution cannot identify code-level JavaScript changes on the client side, malicious intent might not be detected until it’s too late.
- Client-side data storage
A lot of sensitive end-user data can be stored on the client side in LocalStorage, browser cache, and transient storage like JavaScript variables.
It’s important that a client-side protection solution is advanced enough to protect stored data against theft and restrict the type of data that can be accessed and shared by vendors. This is especially important for organisations that must comply with data security requirements, such as the General Data Protection Regulation.
Client-side browser monitoring is important to ensure data and content are only exchanged or shared with predetermined domains.
- No standard browser security controls
Attackers are opportunists. They are looking for ways to exploit weak security configurations and poor security controls. Unfortunately, not all browsers adhere to the same security standards and share common standards-based security controls, such as iframe sandboxes, sub resource integrity, and others.
A good client-side protection solution can detect and prevent digital trackers and pixels across web properties.
By protecting against these seven client-side threats, organisations can prevent their end users from being exposed to third-party services that are embedded in applications over which they lack visibility and control.
Today’s applications load on average 20-25 third-party scripts during each user session which is why client-side protection should not be pushed to the back burner. It must be a part of an overall security posture.
Without client-side protection, organisations are flying blind and their application supply chain is left open to attack. It’s not by chance that the latest Payment Card Industry Data Security Standard (PCI DSS 4.0) is requiring organisations to make a best-effort to have client-side protection measures in place starting March 31, 2024, and as a mandatory prerequisite for certification after March 31, 2025.