Client side view of web security

The translation of the article was prepared in anticipation of the start of the course "Web Application Security" .

In this article, the first of three, we look at web security threats and at how client-side security tools handle an often overlooked class of cyber attacks, of which Magecart is an example. It describes the traditional defenses against web security threats that are built on client-side standards such as Content Security Policy (CSP) and Subresource Integrity (SRI). These evolving approaches are viewed in the context of a representative client-side security platform.

Introduction

Perhaps the defining trait of cybersecurity as a professional discipline is its constant flux. As soon as cyber attacks arise that affect the confidentiality, integrity or availability of certain Internet resources, appropriate solutions are developed to counter them. As soon as those solutions are integrated into the infrastructure of the compromised resource, new cyber attacks appear, new solutions are invented, and the cycle repeats.

In some cases, defensive solutions have mechanisms that anticipate new forms of malicious attack - and when this works, security risks can be avoided in a variety of scenarios. For example, two-factor authentication was created as a countermeasure against password guessing, and it is now an important security component in the design of new communication protocols between IoT devices.

Nowhere is this process of threats emerging and being overcome more evident than in the area of web security, also called web application security. Given that valuable assets are most often processed and managed through web interfaces, the value of web exploits keeps growing. One consequence of this growth is that, despite the many technologies for protecting web resources, the gap between the number of attacks and the level of protection keeps widening.

The main premise of this series of technical articles is a web security gap that arises from the fact that most applications now run in modern browsers. The web security community has long recognized the need to deploy functional elements that protect against server-side vulnerabilities in the components that deliver content to clients. Far too little attention, however, has been paid to client-side security, which is equally attractive to attackers but largely ignored by today's security infrastructure.

In this three-part series, we want to bridge this gap. In the first part, we discuss the most common cyber attacks on websites. In the second part, we look at the web security solutions most often deployed in production today. In Part 3, we explore how a representative client-side security solution can help find vulnerabilities in your infrastructure that attackers could exploit.

Common website attacks

In the mid-1990s, alongside Tim Berners-Lee's ideas spanning everything from the hypertext transfer protocol and markup languages down to the Internet Protocol (IP), the means to attack the infrastructure, systems and applications that make up the so-called web also appeared. It was then that the discipline of web security was born; it can be defined as the set of protective measures needed to manage the security risks of networked computing.

As you might expect, the taxonomy of web security issues evolved rapidly in several directions, but the early stages focused on preventing denial-of-service attacks, securing the hosting infrastructure, and ensuring the free flow of online content to users. This attention to availability was driven by a simple fact: if a website is down or does not work as it should, electronic transactions cannot complete, with obvious consequences for revenue.

In addition to infrastructure-level problems, it became clear that application-level problems could also have serious consequences, in particular for the customers who visit a website. Thus the so-called application-layer threat to web security was born, and it has grown from a minor issue into a major security problem. Even today, finding a vulnerable web application is easy enough.

In the past few years, a standard set of attack strategies has emerged that is extremely difficult to stamp out. The persistence of these problems stems from the complexity of developing many web applications and from the relative inexperience and ignorance of many network administrators. Below we outline four strategies that lead to vulnerabilities in e-commerce infrastructure and pose challenges for many companies and their security teams.

Cross Site Scripting (XSS)

The most common application-level attack is cross-site scripting, or simply XSS. At its core, XSS is an injection technique: the attacker finds a way to embed a foreign script in a site and get it executed. The end goal is for the target web application to deliver the attacker's code to the user's browser without the user's knowledge. XSS works best when a website accepts, processes, and uses input with little validation.

The ultimate goal is to inject code into someone else's browser. The victim expects every incoming script to be safe, since all the dynamic content came from the site they visited and presumably trust. The user's browser executes this code, often JavaScript, and so reveals confidential information such as session tokens or cookies to the attacker. XSS code can also redirect the user to a malicious site.

Figure 1. Schematic of an XSS attack

Organizations such as the Open Web Application Security Project (OWASP) offer various protections against XSS attacks. Their recommendations, many of which practitioners still ignore, include sound coding and web administration practices that improve the handling of user input. Most of them call for better server-side input validation, which is a welcome security measure and should be present in any web ecosystem.
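To make the input-handling point concrete, the following is an added example, not code from the original article or from OWASP: a constructed "search results" page that echoes a query back into its HTML, shown first as the vulnerable sink and then with output encoding and an allow-list check applied. The function names, the allow-list pattern and the probe string are assumptions made for this example; it runs under Node.js.

```javascript
// Added example, not code from the original article: a constructed
// "search results" page that echoes a query back into its HTML, shown
// first as the vulnerable sink and then with output encoding applied.
// Function and variable names are assumptions made for this example.

// Vulnerable rendering: untrusted input is concatenated straight into markup,
// so anything the user supplies is interpreted as HTML by the browser.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Encode the characters that have meaning in HTML text and attribute
// contexts. This is the output-encoding step that OWASP's guidance centres on.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened rendering: the same template, with the value encoded before it
// reaches the HTML context. The browser now displays the probe as plain text.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Server-side input validation: an allow-list for a field whose legitimate
// values are known (here, a product search term). Validation complements
// output encoding but does not replace it.
function isValidSearchTerm(query) {
  return typeof query === "string" && /^[\w .-]{1,64}$/.test(query);
}

// Rough check used only for the demonstration: does the rendered page
// contain a script tag that the template itself never emitted?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a harmless probe string of the kind used to
// check whether a reflected parameter is encoded.
const probe = "<script>alert(1)</script>";

function demo() {
  return {
    unsafe: renderSearchUnsafe(probe),   // script tag survives intact
    safe: renderSearchSafe(probe),       // script tag is inert text
    validated: isValidSearchTerm(probe), // rejected by the allow-list
  };
}

console.log(demo());
```

The two renderers differ by a single call to escapeHtml, which is the whole lesson: the fix is applied at the point where untrusted data meets the HTML context, not by trying to recognise "bad" input. The allow-list is only usable where the set of legitimate values is genuinely known; for free text, encoding is the control that matters.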

Injection of content and advertising

Recently, attacks based on the injection of content and advertising, known as malvertising, have become increasingly common. This trend should come as no surprise given the rise of the online advertising ecosystem as a driving force in today's business. Online advertising is estimated to be approaching $100 billion. Hackers and criminals are aware of this trend and exploit whatever vulnerabilities are available.

Malvertising works much like XSS: attackers find a way to inject their code into websites through legitimate ad networks. The goal is also similar to XSS, namely to redirect visitors from one site to another, targeted site that carries malicious code, which is the basis of any subsequent attack, such as credential theft.

Some describe the injection process as a drive-by download. The term refers to a user viewing ads in a browser that has a vulnerability (which, unfortunately, is a very common scenario). When the user interacts with the advertisement, a redirect occurs, and malware reaches the unsuspecting site visitor.

Figure 2. Drive-By Download via Malvertising

The traditional solution to this problem is a control such as a web application firewall (WAF). The WAF is configured to use signature-based or behavioral analysis to stop malicious code from untrusted sources from being executed. As with XSS, this server-side protection is commonly used in advertising ecosystems as the primary control. The described approach applies to malvertising, but it will not work against all forms of attack.

Magecart

The hacker group Magecart appeared a few years ago and began terrorizing websites with attacks such as card skimming. Hacker groups usually appear and disappear fairly quickly; Magecart, however, has been unnerving companies' sites and web applications for a long time. A large number of organizations were affected by its hacks, and the security solutions were not obvious to most victims.

Magecart's man-in-the-middle attack is simple enough: first, malicious code is added to the JavaScript that is sent from the server to the client. The malicious code then locates and collects sensitive data, such as credit card details, from users who visit the site through their browsers. The data is sent to a malicious site and illegally exfiltrated. It is all very simple.

Figure 3. Magecart card skimming

The main problem, however, is that conventional server-side security does not account for man-in-the-browser (MITB) attacks, since they take place on the client side. For example, web application firewalls (WAF) do not see JavaScript actions and do not scan libraries for injected code. When the attack comes from third-party sites, the result cascades, and what is called piggy-backing happens.
