Reviewing the OWASP Top 10 Client-Side Risks

Preventing adversaries from gaining unauthorized access to IT infrastructure, where they can steal, ransom, or destroy sensitive data or cause critical service disruptions, is paramount. Initial access can be gained using a wide array of tactics and techniques, but among the most common initial access vectors are phishing and drive-by compromise. These two tactics make up over half of incidents leading to initial access. Both are client-side attacks that target ordinary end-users.

Spam and phishing attacks are effective enough to compromise some users, but an estimated 88% of organizations face more targeted spear-phishing attacks each year. Cybersecurity firm Norton estimates that over 800,000 end-users could be hacked per year.

User awareness training can prevent many attacks before they start, but humans are considered the weakest link in building resilient cybersecurity defenses. Given the risk that someone within an organization will click a link that opens a malicious webpage or open an attacker-supplied document, IT defenders need to consider the specific vulnerabilities that client-side attacks seek to exploit.

In this article, we will evaluate OWASP's summary of the most risky "client-side" vulnerabilities. This will include a fundamental review of the client/server architectural paradigm and define what is meant by the term "client-side attack". Finally, we will examine each item in the OWASP Top 10 Client-Side Risks for insight into the most pressing client-side security concerns. 

A Primer On Client/Server Architecture

A common paradigm for IT network architecture is the client/server model, which categorizes devices as either a "client" or a "server" according to their role in an IT service connection. Clients are systems operated by end-users and usually have a graphical user interface (GUI), while servers store, process, and provide access to data and services. In this model, clients typically connect to servers to access data and services. For example, when browsing the Internet or sending and receiving email, the user's device is the client, and the system hosting the website or email data is the server.

Admittedly, this is only the most simplified view of how modern IT networks operate. Variations such as the peer-to-peer (P2P) model, where devices can act as both clients and servers, and the microservices architecture, which decomposes server functionality into smaller, more specialized services, are also important for a holistic understanding of modern IT service architecture.

What Are Client-Side Attacks?

A "client-side attack" is a cyberattack that targets the software or applications running on a "client" computer - a regular user's computer. In a client-side attack, the attacker exploits the user's behavior to get malicious code executed on the victim's machine, and that code in turn seeks to exploit vulnerabilities in locally installed software. A poorly designed or insecure website can also let attackers reach the website's visitors without the attacker controlling the website itself, as in Reflected or Stored Cross-Site Scripting (XSS) attacks.

Following the exploit trajectory: when a victim clicks a malicious link, the attacker-supplied code is designed to exploit a vulnerability in the user's web browser with the goal of gaining persistent access to the target system or stealing data from the victim. Other examples include opening a Microsoft Office document with malicious macros, and downloading a Trojan application or malicious browser extension from the internet in the belief that it is benign. All of these scenarios are client-side attacks.

The OWASP Top 10 Client-Side Risks

Before exploring each item in the OWASP Top Ten Client-Side Risks, it is important to point out that OWASP has limited the list to attacks against "browser-side applications". As mentioned above, browsers are not the only potential target of client-side attacks. That being said, let's run down OWASP's most critical risks to client-side browser exploitation.

  1. Broken Client-side Access Control: This refers to the inadequate control over JavaScript's access to client-side assets, including data and code. It involves the risk of unauthorized exfiltration of sensitive data or malicious manipulation of the Document Object Model (DOM) for illicit purposes. Essentially, it's akin to OWASP's "Broken Access Control" but specifically focuses on vulnerabilities in client-side code.

  2. DOM-based XSS: This category refers to vulnerabilities that enable Cross-Site Scripting (XSS) attacks through the manipulation or abuse of a web browser's Document Object Model (DOM). Such attacks allow malicious actors to inject and execute malicious scripts within the context of a user's web browser.

  3. Sensitive Data Leakage: This involves the failure to detect and prevent digital trackers and pixels deployed across a web property. Ensuring compliance with national and international privacy laws becomes challenging in the absence of effective data tracking controls. Leakage of sensitive user information can result from these shortcomings.

  4. Vulnerable and Outdated Components: This issue arises when there's a lack of mechanisms to detect and update outdated or known vulnerable JavaScript libraries and components. It's reminiscent of OWASP's "Vulnerable and Outdated Components," but specifically addresses the client-side libraries used in web applications.

  5. Lack of Third-party Origin Control: Origin control mechanisms are crucial for restricting access to web assets or resources by comparing their origin to that of third-party libraries. Without such controls, there's an increased risk in the supply chain, as unknown or uncontrolled third-party code can gain access to data within the site's origin.

  6. JavaScript Drift: This pertains to the inability to detect changes at the asset and code level of client-side JavaScript. It includes the failure to identify behavioral changes in this code, which could potentially be malicious. This is particularly significant when considering third-party libraries integrated into web applications.

  7. Sensitive Data Stored Client-Side: This refers to the storage of sensitive data such as passwords, cryptographic secrets, API tokens, or Personally Identifiable Information (PII) in persistent client-side storage, such as LocalStorage, browser cache, or transient storage like JavaScript variables in a data layer. Storing sensitive data in these locations can expose it to potential threats.

  8. Client-side Security Logging and Monitoring Failures: This refers to inadequate real-time monitoring and detection of client-side changes and data accesses, especially failures and errors, as web pages are assembled and executed. It includes scrutiny of both first-party and third-party code. It parallels OWASP's "Security Logging and Monitoring Failures" but focuses on client-side behavior.

  9. Not Using Standard Browser Security Controls: This points to the failure to leverage common standards-based security controls built into web browsers. Such controls include iframe sandboxes and security headers like Content Security Policy (CSP), as well as Subresource Integrity (SRI) for externally loaded scripts. Neglecting these features leaves web applications more vulnerable to attack.

  10. Including Proprietary Information on the Client-Side: This signifies the presence of sensitive business logic, developer comments, proprietary algorithms, or system information within client-side code or stored data. Exposing proprietary information on the client-side can risk intellectual property and security.

Mitigating Client-Side Attacks

Mitigating client-side attacks is a shared responsibility: software developers must produce secure software that attackers cannot leverage for client-side attacks, and the owner of the endpoint must ensure the endpoint itself is secured.

Application Security Testing (AST) and CI/CD security testing are critical activities for ensuring that software is free from known vulnerabilities. Specialized security testing services exist for both mobile apps and web applications.

As for endpoint owners, mitigation should include regular vulnerability management (vulnerability scanning and patch management) so that software on the endpoint is as secure as possible; anti-virus software to block known malware; user-awareness training to reduce the likelihood of falling prey to phishing; and, in high-risk environments, more advanced endpoint security solutions such as EDR.

Secure Software Development

  • Develop Secure Code: Software developers play a crucial role in producing secure software. They must follow secure coding practices, adhere to industry standards, and stay updated on the latest security threats and vulnerabilities.

  • Security Testing: Application Security Testing (AST) and Continuous Integration/Continuous Deployment (CI/CD) security testing are critical activities. Regularly testing software for vulnerabilities during the development and deployment phases helps identify and address issues early in the software development lifecycle (SDLC).

End-Point Owner Responsibility

  • Vulnerability Scanning and Patch Management: End-point owners, including organizations and individuals, are responsible for maintaining the security of their devices. Conduct regular vulnerability scanning to identify weaknesses in the software and promptly apply patches and updates to eliminate known vulnerabilities.

  • Install Anti-Virus Software: Installing reputable anti-virus software can help prevent known malware attacks. Keep the anti-virus software up to date to ensure it can detect and block the latest threats effectively.

  • Provide Awareness Training: Educating end-users through user awareness training is crucial. Training programs should teach individuals to recognize phishing attempts, suspicious links, and potentially harmful email attachments. Users who are well-informed are less likely to fall prey to social engineering attacks.

  • Use Advanced Endpoint Security Solutions (EDR): In high-risk environments, such as organizations dealing with sensitive data, consider implementing more advanced endpoint security solutions like Endpoint Detection and Response (EDR) systems. EDR tools provide real-time monitoring, threat detection, and automated response capabilities, helping to mitigate advanced threats effectively.

Conclusion

The most common initial access vectors, such as phishing and drive-by compromise, predominantly target end-users and exploit client-side vulnerabilities. While user awareness training is crucial, software developers play an essential role and must release secure applications that protect users against reflected and stored XSS attacks. Organizations must ensure that security patches are applied quickly after release to reduce the client-side attack surface.

The OWASP Top 10 Client-Side Risks represent the most common and critical security weaknesses affecting browser-side applications. These risks encompass many concerns, from access control issues to data leakage, outdated components, and failure to leverage browser security controls. Each risk presents a distinct challenge that calls for its own mitigation strategy.
