Client-side web security perspective

Translation of an article prepared ahead of the start of the Web Application Security course.


This article, the first of three, looks at web security threats and at how client-side security tools deal with an often overlooked class of attacks, of which Magecart is an example. It also covers the traditional defences against web security threats that rest on client-side standards such as Content Security Policy (CSP) and Subresource Integrity (SRI). These evolving approaches are considered in the context of a representative client-side security platform.

Introduction

Perhaps the defining feature of cybersecurity as a professional discipline is constant change. As soon as attacks arise that affect the confidentiality, integrity or availability of some Internet resource, solutions are developed to counter them. Once those solutions are integrated into the infrastructure of the compromised resource, new attacks appear, new solutions are invented, and the cycle repeats.

In some cases, defensive solutions include mechanisms that anticipate new forms of attack, and where this works, security risks can be avoided in many scenarios. For example, two-factor authentication was created as a countermeasure against password guessing, and it is now an important security component in the design of new communication protocols for Internet of Things devices.

Nowhere is this cycle of emerging and overcome threats more visible than in web security, also called web application security. Since valuable assets are most often processed and managed through web interfaces, the value of web exploits keeps growing. One consequence of this growth is that, despite the many technologies for protecting web resources, the gap between the number of attacks and the level of protection keeps widening.

The premise of this series of articles is a gap in web security that arises because most applications now run in modern browsers. The web security community has long recognised the need to deploy controls against server-side vulnerabilities in the systems that deliver static and dynamic content to clients. Far less attention, however, is paid to client-side security, which is no less attractive to attackers yet is largely ignored by today's security infrastructure.

In this three-part series, we want to bridge this gap. In the first part, we discuss the most common attacks on websites. In the second part, we consider the web security solutions most often deployed in production today. In the third part, we show how a representative client-side security solution can help find vulnerabilities in the infrastructure that attackers could exploit.

Common website attacks

In the mid-1990s, alongside Tim Berners-Lee's ideas, spanning from the hypertext transfer protocol and markup languages down to the Internet Protocol (IP), means of attacking the infrastructures, systems and applications that make up the so-called web also appeared. This gave birth to the discipline of web security, which can be defined as the set of protective measures needed to manage risk in networked computing.

As you might expect, the taxonomy of web security issues developed rapidly in several directions, but in the early days the focus was on preventing denial-of-service attacks, protecting the hosting infrastructure, and keeping content flowing freely to users. This attention to availability was dictated by the fact that if a website is down or misbehaving, electronic transactions cannot go through safely, with obvious consequences for revenue.

Beyond problems at the infrastructure level, it became clear that problems at the application level can also have serious consequences, in particular for the customers who visit a website. Thus the web security threat was born, growing from a minor question into a major security task. Even today, finding a vulnerable web application is easy enough.

Over the past few years, a standard set of attack strategies has emerged that is extremely difficult to suppress. These problems persist because of the complexity of developing many web applications and the relative inexperience and unawareness of many administrators. Below we describe four strategies that lead to vulnerabilities in e-commerce infrastructure and create problems for many companies and their security teams.

Cross Site Scripting (XSS)

The most common application-level attack is cross-site scripting, or simply XSS. At its core, a cross-site scripting attack relies on injection: the attacker finds a way to embed a third-party script into a site and get it to run. The goal is for the targeted web application to send the attacker's code to the user's browser without the user's knowledge. An XSS attack works best when a website receives, processes and reuses input without much validation.

The ultimate goal is to run code in someone else's browser. The victim expects all incoming scripts to be safe, since all the dynamic content came from a visited and supposedly trustworthy website. The browser executes the code, usually JavaScript, revealing to the attacker confidential information such as session tokens or cookies. XSS code can also redirect the user to a malicious site.


Figure 1. XSS attack scheme

Organisations such as the Open Web Application Security Project (OWASP) offer various defences against XSS attacks. Their recommendations, many of which are still ignored by practitioners, include careful coding and web resource administration procedures that improve the handling of user-supplied data. Most of them call for better server-side input validation, which is a welcome security measure and should be present in any web ecosystem.
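As an added example (not code from the original article), the reflected-XSS pattern just described and its usual fix, output encoding, side by side in Node: the same page template rendered once without and once with encoding of the user-supplied query. The sample query is constructed for the demonstration.

```javascript
// Added example, not from the original article: a tiny "search results" page
// rendered two ways. renderUnsafe() pastes the user-supplied query straight
// into HTML, so markup in the input becomes part of the page (the reflected
// XSS pattern above). renderSafe() encodes the HTML-significant characters
// first, so the same input is shown as text. The sample query is constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Output encoding for an HTML text node or quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: trusts the query string and uses it as markup.
function renderUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: same template, but the untrusted value is encoded first.
function renderSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Demonstration-only check: does the rendered HTML still contain a raw
// script element? (A real browser is the only true oracle.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a normal-looking query carrying a script tag.
const SAMPLE_QUERY = 'shoes<script>alert(1)</script>';

console.log(renderUnsafe(SAMPLE_QUERY)); // tag survives; a browser would run it
console.log(renderSafe(SAMPLE_QUERY));   // tag is displayed as literal text
```

Encoding must match the output context: the escaper above is for HTML text and quoted attribute values, while URL, JavaScript and CSS contexts each need their own encoder.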

Injection of content and advertising

Attacks based on injecting content and advertising, known as malvertising, have become common recently. This trend should not be surprising given the growth of the online advertising ecosystem as a driving force of modern business. By some estimates, the volume of online advertising now reaches $100 billion. Hackers and criminals are aware of this trend and take advantage of the vulnerabilities available to them.

Malvertising works much like XSS: attackers find a way to embed their code on websites through legitimate ad networks. The goal is also similar to XSS: to redirect visitors from one site to a target site carrying malicious code, which is the core of any such attack, identity theft for example.

Some describe the injection process as a drive-by download. The term refers to a user viewing ads in a browser that has a vulnerability (unfortunately a very common scenario). When the user interacts with the advertisement, a redirect occurs, and malware ends up on the unsuspecting visitor's machine.


Figure 2. Drive-By Download via Malvertising

The traditional answer to this problem is a control such as a web application firewall (WAF). The WAF is configured to use signature-based or behavioural analysis to stop malicious code from untrusted sources from executing. As with XSS, this server-side protection is commonly used in advertising ecosystems as a key control. The approach applies to malvertising but will not work against all forms of attack.

Magecart

The Magecart hacker group appeared several years ago and began terrorising websites with card skimming. Hacker groups usually come and go quickly, but Magecart has long troubled the sites and web applications of companies. A large number of organisations were breached, and security solutions were not obvious to most victims.

The man-in-the-middle attack from Magecart is easy to picture: first, malicious code is added to the JavaScript that the server sends to the client. The malicious code then tracks and collects sensitive data, such as the credit card details of users who access the site through their browser. The data is sent to a malicious site and exfiltrated. Everything is very simple.


Figure 3. Card skimming by Magecart

The main problem, however, is that ordinary server-side security does not account for a man-in-the-browser (MitB) attack, since it happens on the client side. For example, web application firewalls (WAF) cannot see JavaScript actions and have no way to scan libraries for injected code. When the attack comes from third-party sites, the result cascades, in what is called piggybacking.
