Client Side Attacks are Defined

It seems strange to consider that the Internet was a different world not so long ago: a site containing static text content marked up in HTML and delivered with a few image files was typically accessed by a small community of people with specific interests. The modern Internet user requires a dynamic and responsive user experience that is tailored to their interests, with a global collection of alternatives, localized and accessible on demand. Although several developments in platforms and networking have contributed to this growth, the ability to execute script code in the browser is arguably the most significant in terms of both user utility and potential security vulnerabilities.

Client-side attacks that reveal the end user's and his or her system's vulnerabilities are one of the greatest hazards that users face today. The number of client-side attacks has risen considerably over the past five years, prompting the SANS Institute to declare that client-side assaults are historically one of the most serious Internet security flaws.

A "Client-Side Attack" occurs when a client downloads malicious code from a server, which is then parsed and presented by the client browser.

In this article, we are going to dive deep into client-side attack types, their impacts, and prevention methods.

What is a Client-Side Attack?

A client-side attack is a compromise of security that occurs on the client side. Examples of client-side attacks include the installation of malware on your device and the theft of your financial details via unauthorized websites. A popular client-side attack is a denial-of-service (DoS) attack, which floods a system with requests and impedes its operation. For instance, you would be refused access to your bank's website if you attempted to log in using an outdated browser and plugin. Data manipulation is another popular client-side attack, such as altering your bank balance without your consent. In contrast, positive client-side security measures, such as multifactor authentication (MFA) and encryption, should be implemented to avoid a security compromise on the client side. Computers should ideally only be linked to trustworthy networks and devices with the appropriate security fixes installed. As they require access to your device, client-side attacks are more difficult to avoid, but they can be limited by taking the necessary precautions beforehand.

Why Are Client-Side Attacks Successful?

Social engineering is a client-side attack that is growing increasingly prevalent among virtually everyone who has an email account and receives emails. This might eventually result in a phishing attack. This sort of attack exploits a user's faith in a website to illegally gain sensitive information, such as login passwords and bank account information. These attacks are successful because the user is presented with a fake, yet extremely authentic-appearing website, typically via spam, that appears to originate from a reputable organization, such as a bank. However, the website that the user is directed to is under the control of an adversary, and when the user submits private information, such as personal data, the adversary obtains it. Sometimes you may be routed directly to a malicious website, and other times you may be forwarded via a script.

In this article, we will examine client-side attacks. It is preferable to acquire access to a target machine using server-side attacks, such as searching for vulnerabilities in installed apps or the operating system. If attackers are unable to locate an exploit, or if the target is concealed behind an IP or utilizing a covert network, they will employ client-side attacks instead. Client-side attacks need the user to act, such as downloading a picture, opening a link, or installing an update, which then executes the malicious code on the user's computer. To conduct an effective client-side attack, attackers must be aware of the victim's friends, the network and websites they utilize, and the websites they trust. When gathering information for a client-side attack, attackers concentrate on the individual, not their programs or operating system. Client-side attacks are more likely to be successful than server-side attacks.

What are the Motivations Behind Client-Side Attacks?

To properly defend against cyber attacks, it is necessary to comprehend the intent and reason behind each attack. Even if the techniques and objectives of cyber attacks are diverse, the six most common reasons for client-side attacks may be described as follows.

  • A Political Or Social Statement: Hackers can launch attacks to criticize governments, politicians, society, major corporations, and current events. When they disagree with their targets, they often attack them by disrupting their websites. Compared to other categories of attackers, they are less technically proficient and more likely to employ pre-made tools to assault their targets.

  • Adrenaline Seekers: This group is mostly composed of teenagers seeking an adrenaline rush or venting their anger or frustration against organizations (such as schools) or individuals they feel to be wrong. In addition, some individuals crave attention and esteem from their peers. Companies generally disregard radical hacking since it does not concern financial matters.

  • Financial Gain: Financial gain is the most common reason for an organization's being targeted. Almost three-quarters of cyberattacks are primarily motivated by monetary gains, such as stealing money directly from financial accounts, obtaining credit card information, creating data breaches, demanding ransoms, etc. After refusing to pay the ransom and caving to the blackmailers' threats, a great number of businesses went down.

  • Intellectual Challenge: Similar to radical hacking, this group commits cyberattacks in an attempt to get the attention and admiration of their peers by testing network security. This sort of hacker conforms to the cliche of the socially awkward hermit who lives in a virtual world and hacks for the intellectual challenge and adrenaline rush of breaking into a network.

  • Business Competition: DDoS attacks are being utilized as a tactic for business competition. Some of these assaults are aimed to prevent rivals from participating in important events, while others aim to shut down internet enterprises completely for months. In either case, the objective is to cause disruption, entice competitors' customers to join one's side, and cause financial and reputational harm.

  • Cyberwarfare: Cyberwarfare is a fight against the Internet and the flow of information. State-sponsored cyberattacks are used to silence government critics and internal dissent, as well as to undermine vital financial, health, and infrastructure services in hostile nations. These assaults are supported by nation-states, indicating that they are well-funded and well-planned operations carried out by tech-savvy personnel.

What Types of Impact Does a Client Side Attack Have?

Most frequently, client-side hacks result in the loss of consumer data, a tarnished corporate brand, and compliance and regulatory fines. On the dark web, credit data and sensitive personally identifiable information (PII), such as birthdates and social security numbers, are traded in conjunction with names. In addition, regulatory penalties for failing to detect or prevent internet assaults and breaches have a negative impact on the firm.

Last but not least, Google may blocklist unprotected websites that include malware or suspicious code. This entails Google labeling the website as "suspicious" and displaying a message to the user stating, "This site may harm your computer."

The impact of the Client Side Attacks can be grouped into 3 main categories:

  1. Confidentiality Impact: Cookies are unlikely to serve as an attack vector against a web client. However, they are a high-priority target for attackers, as a cookie whose goal is to identify the client would aid attempts to hijack a session and impersonate a client. Webmail clients, for example, employ cookies to identify a user at a later date, so the user does not need to enter their credentials each time they wish to access their email. If an attacker gains access to the cookie, he or she can get illegal access to the email account.

Additionally, attackers have access to the browser history and cache. The browser stores visited web pages in its cache and browser history while the user navigates the Internet. If an attacker gains access to the cache or browser history, information such as the email provider or bank a user employs can be extrapolated and exploited in later assaults, such as phishing and cookie stealing. Cache and browser history may be retrieved using browser vulnerabilities, JavaScript, CSS, and the examination of visited link colors and timing attacks.

Another attack that compromises confidentiality is phishing, a social engineering attack. Social engineering attacks utilize the innate human propensity to trust. In a phishing attack, the user's confidence in a website is used to illegally obtain private information, such as passwords and bank account information (KYE - Phishing). These web-based client-side assaults show the user a fake website, which is typically pushed via spam email and pretends to be from a reputable organization, such as a bank. However, the website is in actuality under the control of the attacker, and if the user submits sensitive information to the website, the attacker will have gotten this information.

  2. Integrity Impacts: In the context of web-based client-side attacks, a loss of integrity typically allows an attacker to run arbitrary code on the client system. Cross-site/domain/zone scripting, drive-by pharming, malware hosting, and drive-by-download threats are outlined below.

Cross-site, cross-domain, and cross-zone scripting is a vulnerability of websites that allows the execution of inserted code in the security context of that page when a user visits such a website. The injected code might be used to steal information, but it could also allow the execution of arbitrary code on the client if, for example, the web page is a trusted website inside the context of the web browser.

Drive-by pharming is a web-based client-side attack that modifies the DNS settings of a user's router by luring the user to a malicious website. These attacks do not directly compromise the integrity of the client system, but rather the network components on which it relies.

Malware hosting is another sort of attack that compromises the client's integrity. In this attack scenario, the malicious website hosts malware and employs social engineering to convince the user to download and execute it.

  3. Availability Impacts: Some client-side attacks try to use all or a portion of the client's resources, thereby hindering or stopping the client from providing a service normally. These threats consist of simple crashes, popup floods, browser hijacking, network flooding, Web spam/junk pages, and click fraud websites. These types of cyber attacks have an influence on availability.

What are the Types of Client-Side Attacks?

The most common and harmful types of client-side attacks are listed and explained below:

  • Cookies: Cookies are simple text values kept in the user's browser, so you may modify them directly or via the JavaScript document.cookie property without any further protection. Fortunately, such easy attacks are uncommon in current web development, as session management and other cookie-related actions are often performed at the framework level. The objective of all cookie-based attacks against user sessions is to convince the web server that the attacker is the authorized user. Here is a concise summary:

    • Session Hijacking: Session hijacking, also known as cookie hijacking or side-jacking, is an attack in which an attacker takes control of a logged-in user's session on a website. A session hijacking exploit requires the attacker to know the current session cookie.
    • Session Spoofing: Session spoofing is similar to session hijacking, but it occurs when the user is not logged in. Attackers use stolen or fabricated session tokens to establish a new session and impersonate the authorized user without the user's intervention.
    • Session Fixation: The attacker provides the session identifier (through a phishing email, for instance) and convinces the victim to sign in to a susceptible website using this identifier. If the site permits this, then the attacker can hijack the user's session by utilizing the known identifier.
  • AutoComplete and Browser History: In many apps, when the user inputs credentials, the browser prompts them to save the password in a pop-up. If the user hits "Remember password", the browser saves the password and automatically inputs it when the same application is accessed again. The function is useful for users because they do not need to remember and input the password, but it causes an issue when used on a shared or public computer. An attacker can simply get the browser's saved password. Even if the saved passwords are encrypted or secured by a master password (a password to access the stored passwords), an attacker can get this password by simply accessing the application for which it is stored in the browser. When an attacker inputs a username, the browser populates the password box automatically. An attacker can use a proxy tool such as Burp to intercept the request sent to the server and retrieve the clear text or encrypted password.

    When a user submits data, either a GET request or a POST request is sent to the server. In a GET request, the user data is contained inside the URL, but in a POST request, the user data is contained within the request body. The two images below illustrate user data in GET and POST queries.

    All GET requests made by the browser are kept in the browser's cache and history. Checking the browser's history allows access to this information even if the user is signed out or the browser is closed. If an application communicates sensitive information about a user via a GET request, i.e. via the URL, an attacker can access this information by inspecting the browser's history.

  • Clipboard Attacks: The clipboard hijacking attack transfers a URL to the clipboard of a computer. Frequently, this link cannot be removed unless the machine is rebooted. The malicious clipboard content is an apparently harmless link to a website to which the user is routed. This website promotes a product that appears to be antivirus software but is actually spyware software. This practice is known as malvertisement, a combination of the phrases "malevolent" and "advertisement." The insidious element of this assault is that this URL is accidentally pasted from the clipboard along with any text, so users unwittingly disseminate it by putting it into their email, blog posts and comments, documents, and other places where text may be pasted.

  • Social Engineering: This client-side attack is growing increasingly prevalent among virtually everyone with an email account and who receives emails. This might eventually result in a phishing attack. This sort of attack exploits a user's faith in a website to illegally gain sensitive information, such as login passwords and bank account information. These assaults are successful because the user is provided with a fake, yet extremely authentic-appearing website, typically via spam, that looks to originate from a reputable organization, such as a bank. However, the website that the user is directed to is under the control of an adversary, and when the user submits private information, such as personal data, the adversary will have gotten this information. Sometimes you are routed directly to a malicious website, and other times you are forwarded via a script.

  • Client Scanning: Recently, however, client-side scanning has provided thieves with more ransomware attack possibilities. Malware makers can still utilize the fact that anti-malware software constantly scans your computer for dangerous apps to their advantage. A scan is a network research tool used in ethical hacking to locate the systems linked to an organization's network. It lists the accessible systems, services, and resources on a target system. Some may call this sort of scan an "active scan," since it has the ability to disrupt services on vulnerable hosts. Scanning is frequently performed during vulnerability assessment while investigating current defenses for flaws. There are two scanning methods:

    • Active Scanning
    • Passive Scanning

    Scanning is not limited to port scanning, but port scanning is a vital component of this procedure. Scanning identifies open ports on the target system, which may be used for port mapping, establishing an interactive session with the operating system via these ports, or even diverting traffic from these open ports.
  • Cross-Site Scripting: It permits an attacker to run scripts in the victim's web browser, which are used to intercept user sessions, deface websites, introduce hostile material, conduct phishing attacks, and take control of the victim's web browser using scripting malware.

    All frameworks for web application development are susceptible to this vulnerability. The exploit commonly employs HTML or JavaScript, although any programming language supported by the victim's browser, such as VBScript, ActiveX, Java, or Flash, is a viable target for this attack. The following are examples of Cross-Site Scripting (XSS) attacks:

    • Non-persistent: Requires a user to view a link containing harmful code that has been carefully constructed. The user's web browser executes the code encoded in the URL when the user clicks on the link.
    • Persistent: Stores harmful code on a website for an extended length of time. Message board postings, online mail communications, and web chat software are typical targets of persistent cross-site scripting attacks by an attacker.
  • Drive-by-Pharming: Drive-by pharming is a sort of external assault on a local network that targets a weak IP router or similar hardware device. According to specialists in Web security, it is simple for hackers to attack tiny IP networks locally and reroute user traffic or enter systems with malware.

    In drive-by pharming, the attack design is frequently based on the factory settings of the majority of consumer-sold routers. Many of these routers include factory-default passwords for access control. This security vulnerability may be exploited by hackers to insert malicious JavaScript (JS) code that redirects URLs and takes users to dangerous websites. This form of assault is typical of low-end routers and equipment from more advanced hardware manufacturers, such as Cisco.

    Drive-by pharming is referred to as pharming, as opposed to phishing, which is another frequent kind of hacking. Pharming is the use of URL hijacking to obtain sensitive information.

    According to experts, drive-by pharming is capable of concurrently impacting several local networks. In other words, it is less labor-intensive than other forms of hacking.

  • Malware: Malware is an umbrella term for malicious computer programs that are designed to inflict damage and exploit weaknesses in a system, service, or computer network.

    Cyber Security Ventures estimates that worldwide cybercrime will cost $10.5 trillion annually by 2025. This number not only illustrates the size of the cybercrime sector as a whole but also demonstrates how much it has grown.

    Malware and other infections will continue to wreak havoc unless there is a global agreement to improve consumer awareness and encourage the cybersecurity sector. Many instances of malware and breaches in cybersecurity may be avoided. Unfortunately, the majority of individuals and even businesses do not prioritize their digital security. Inconvenience ensues in the form of data loss, service interruptions, privacy violations, loss of competitive advantage, and financial loss, among other things.

  • Denial-of-Service (DoS): Denial-of-service (DoS) attacks occur when malevolent cyber threat actors block authorized users from accessing information systems, devices, or other network resources. Email servers, websites, online accounts, and other services dependent on the hacked system or network might be interrupted. A denial-of-service attack is carried out by overwhelming the targeted host or network with traffic until it is unable to respond or simply fails, hence denying access to authorized users. DoS attacks may cost a business both time and money due to the inaccessibility of its resources and services.

    The primary objective of a DoS attack is to overwhelm the capacity of a targeted system, hence denying subsequent service requests. Typical denial-of-service attacks employ TCP and UDP packets. In a Denial of Service (DoS) attack, the attackers overwhelm the victim's system with illegal traffic or service requests in order to prohibit it from executing its intended duties.

  • Pop-Ups and Pop-Unders: Pop-ups are likely familiar to everyone who uses the internet. If you have access to email, you are likely familiar with spam. In general, these obnoxious advertisements are attempting to sell you something. There are a few straightforward steps you can take immediately to prevent pop-ups and subsequent spyware infections:

    • Avoid clicking, even to close pop-ups. Instead, you can close pop-ups with a right-click from the system tray.
    • Regularly update your operating system
    • Enhance your browser's security configuration
    • Avoid suspicious websites
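
Among the attacks listed above, session fixation and session hijacking are countered on the server by rotating the session ID at login and by setting restrictive cookie attributes. The sketch below is an added example, not part of the original article; the in-memory store, the function names and the `__Host-sid` cookie name are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Hypothetical in-memory session store; a real application would use its
// framework's session layer.
const sessions = new Map();

function newSessionId() {
  return crypto.randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
}

// HttpOnly keeps the value out of document.cookie, Secure keeps it off
// plain HTTP, SameSite=Lax withholds it on cross-site subrequests and form
// POSTs, and the __Host- prefix makes the browser reject the cookie unless
// Secure and Path=/ are set and no Domain attribute is present.
function sessionCookie(id) {
  return `__Host-sid=${id}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

function readSessionId(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0 && part.slice(0, i).trim() === "__Host-sid") {
      return part.slice(i + 1).trim();
    }
  }
  return null;
}

// Anonymous visit: an ID is honoured only if this server issued it.
function visit(cookieHeader) {
  let id = readSessionId(cookieHeader);
  if (!id || !sessions.has(id)) {
    id = newSessionId(); // unknown or client-invented ID is discarded
    sessions.set(id, { user: null });
  }
  return { id, setCookie: sessionCookie(id) };
}

// Login: the pre-login ID is always destroyed and replaced, so an ID that
// somebody else already knows never becomes an authenticated session.
function login(cookieHeader, user) {
  const oldId = readSessionId(cookieHeader);
  if (oldId) sessions.delete(oldId);
  const id = newSessionId();
  sessions.set(id, { user });
  return { id, setCookie: sessionCookie(id) };
}

function whoami(cookieHeader) {
  const session = sessions.get(readSessionId(cookieHeader));
  return session ? session.user : null;
}

// Constructed scenario: a pre-login ID known to a third party is presented
// at login by the user "alice".
function fixationScenario() {
  const planted = visit("").id;
  const plantedCookie = `__Host-sid=${planted}`;
  const afterLogin = login(plantedCookie, "alice");
  return {
    rotated: afterLogin.id !== planted,
    plantedIdUser: whoami(plantedCookie),
    freshIdUser: whoami(`__Host-sid=${afterLogin.id}`),
    inventedIdAccepted:
      visit("__Host-sid=chosen-by-client").id === "chosen-by-client",
    setCookie: afterLogin.setCookie,
  };
}

console.log(fixationScenario());
```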

What is the Most Common Form of Client-Side Attack?

The following are the most typical forms of client-side attacks:

  • Spoofing is the practice of convincing a user that a website or server is real.

  • Cross-site scripting (XSS) is a vulnerability that enables an attacker to execute code from within the user's web browser.
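
The non-persistent and persistent XSS cases described earlier both come down to untrusted text reaching the page unencoded. The following added example (not from the original article) places a vulnerable renderer beside versions that encode for the HTML body, attribute and link contexts; the function names and sample inputs are constructed for illustration.

```javascript
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Encode for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Link context: escaping alone is not enough, because a script-scheme URL
// contains no characters that need escaping. Only http(s) URLs survive;
// relative URLs are resolved against a placeholder base.
function safeHref(value) {
  try {
    const u = new URL(String(value), "https://example.invalid/");
    return u.protocol === "http:" || u.protocol === "https:"
      ? escapeHtml(u.href)
      : "#";
  } catch {
    return "#";
  }
}

// Non-persistent case: a query parameter echoed back into the page.
function renderSearchVulnerable(q) {
  return `<p>You searched for: ${q}</p>`; // input becomes markup
}

function renderSearchSafe(q) {
  return `<p>You searched for: ${escapeHtml(q)}</p>`;
}

// Persistent case: a stored comment rendered for every later visitor.
function renderComment(c) {
  return (
    `<li title="${escapeHtml(c.author)}">` +
    `<a href="${safeHref(c.site)}">${escapeHtml(c.author)}</a>: ` +
    `${escapeHtml(c.text)}</li>`
  );
}

// Constructed inputs covering the three contexts.
function xssScenario() {
  const query = "<script>alert(1)</script>";
  const comment = {
    author: '" onmouseover="x',
    site: "java\tscript:alert(1)", // the URL parser strips the tab
    text: "<img src=x onerror=alert(1)>",
  };
  return {
    vulnerable: renderSearchVulnerable(query),
    safe: renderSearchSafe(query),
    comment: renderComment(comment),
  };
}

console.log(xssScenario());
```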

What are OWASP Top 10 Client-Side Security Risks?

Client-side applications are frequently a complex combination of custom HTML, CSS, and JavaScript, utilizing numerous third-party libraries that are both served by the custom application and frequently integrated with third-party services that provide their own custom code and libraries into the same client-side application. All of this operates on the customer's browser in the wild, rather than on servers owned, maintained, and protected by the application owner. In addition to the initial server hosting the server application and supplying the essential pieces of the client-side JavaScript application to the user's browser, browser apps commonly interact with many servers.

The following list is the Candidate list of the OWASP Top Ten Client-side Security Risks:

  1. Client-side Access Control Failure: Inadequate control of JavaScript access to client-side resources (data and code), exfiltration of sensitive data, or malicious alteration of the DOM (to access those assets). Similar to OWASP Top 10: A01-2021 - Broken Access Control, but with a concentration on client-side code.

  2. XSS based on DOM: Vulnerabilities that enable XSS attacks via DOM misuse or modification.

  3. Sensitive Data Leakage: Inability to identify or block digital trackers and pixels across a website to guarantee compliance with national and international privacy rules.

  4. Vulnerable and Obsolete Elements: Absence of identification and upgrades for obsolete JavaScript libraries with known vulnerabilities. Similar to OWASP Top 10: A06-2021 - Vulnerable and Outdated Components, but with a concentration on client-side libraries.

  5. Absence of External Origin Control: Origin control enables the limitation of specific online assets and resources by comparing the origin of the resource to that of the third-party library. Without such safeguards, the insertion of unknown or unmanaged third-party code that has access to the site's origin raises supply chain risk.

  6. JavaScript Drift: Inability to identify modifications at the asset and code levels of client-side JavaScript. This includes the inability to identify changes in the code's behavior in order to assess whether the changes are possibly harmful. This is especially crucial for external libraries.

  7. Store Sensitive Data Client-Side: Storage of sensitive data such as passwords, crypto secrets, API tokens, or personally identifiable information (PII) in persistent client-side storage such as LocalStorage, browser cache, or transient storage such as JavaScript variables in the data layer.

  8. Errors in Client-Side Security Logging and Monitoring: Inadequate real-time monitoring and detection of client-side changes and data accesses, including failures and mistakes, when each page is constructed and performed using both first-party and third-party code. Similar to OWASP Top 10: A09-2021 - Security Logging and Monitoring Failures, but with a client-side focus.

  9. Failing to Employ Standard Browser Security Controls: Not using basic standards-based security measures provided in browsers, such as iframe sandboxes and security headers such as Content Security Policy (CSP), subresource integrity, and many other common security features.

  10. Including Confidential Data Client-Side: Client-side code or stored data including sensitive business logic, developer comments, proprietary algorithms, or system information.

How to Prevent Client Side Attacks?

To identify possible threats and safeguard clients from client-side attacks, enterprises must constantly monitor suspicious script behavior. While testing can accomplish this objective, it can be time-consuming and requires specialized knowledge. Utilizing security technologies created specifically for this task is the most efficient approach to speed up the monitoring process.

To prevent client-side attacks, you must be diligent and practice security across the whole deployment process, including application development, infrastructure, desktop environment, and mobile devices.

Utilizing Zenarmor is one of the best protection methods for client-side attacks. With Zenarmor, you can easily filter your application and web content. Zenarmor, developed by Sunny Valley Networks, is a robust, enterprise-class content filtering engine that identifies and blocks advanced malware and extremely complex attacks. You can try and use the free edition of Zenarmor forever.

Figure 1: Zenarmor: Security Control Settings

While there are numerous third-party technologies and tools for assessing and mitigating client-side risks, there are only a few fundamental strategies: browser security (CSP/SRI), behavioral detection, JavaScript analyzers, client-side data protection, and client-side data protection and privacy enforcement.

  • Browser Protection: The browser provides security layers that Dev/Sec/Ops teams may implement: Content Security Policies and Subresource Integrity (SRI).

    • Content Security Policies (CSP): CSP is a programming language for specifying website functionality constraints. Policies are designed to impose restrictions on the admission of material (e.g., photos, scripts) from a certain set of origins. CSP-enabled web browsers apply these regulations page-by-page on the client side. They are used to limit the danger of content injection vulnerabilities (JavaScript, CSS) and to regulate the rights with which online applications run.
    • Subresource Integrity (SRI): SRI can be used to secure website content if an attacker gains control of web files and attempts to make harmful modifications. Subresource Integrity can determine if JavaScript has been modified based on hashes. The attacker might still put dangerous code into a file, but the browser would not load it. SRIs are useful for static websites and/or pages where JavaScript, including web supply chain code, is unlikely to change.
  • Behavior Monitoring: Some client-side security strategies concentrate on identifying possible client-side threats and notifying the Dev/Sec/Ops teams. These tools give telemetry to aid in troubleshooting and possible resolution of the issue. This strategy entails instrumenting, evaluating, and establishing baselines for regular web page behavior over some time, and then notifying teams of baseline deviations that may indicate abnormal (i.e., hacker) behavior. After an assault has been examined and validated, these tools can assist in the formulation and implementation of security rules, which frequently necessitate the creation of Content Security Policies (CSPs). Developer evaluation and testing are necessary given the possible negative consequences a CSP can have on the overall functioning of a website and the already deployed CSP code.

  • JavaScript Security Analyzers: JavaScript security analyzers are security tools that evaluate client-side apps' source code. Analyzers can test for exploitable JavaScript security vulnerabilities, implementation flaws, configuration mistakes, and other threats. The online supply chain is a critical blind area for analysts.

  • Client-side Data Protection: This strategy places a premium on proactive data security based on an awareness of external domains and partners. For permitted external domains, web application limits, including the web supply chain, are set up front. Typically, this is achieved via allow lists. Client-side browser monitoring is then used to verify that web and mobile browsers only send content and data to certain domains. The key benefits of this strategy are its quick time-to-protect, ease of usage (non-development resources), and simplicity of maintenance.

  • Client-side Data Protection and Privacy Enforcement: Building on the data protection strategy, more modern solutions not only secure data and content from data theft but also enable the establishment of more detailed data sharing rules to further restrict the categories of data (e.g., payment, social security number) that may be shared with approved vendors. This enables businesses to adhere to data protection standards, such as the CCPA, GDPR, and PCI DSS, as well as to customer privacy preferences.
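
The browser protections and the allow-list approach described above can be exercised directly. The following added example (not from the original article) computes an SRI value, checks content against an `integrity` attribute using the strongest-algorithm rule browsers apply, and builds a CSP header from an allow list of external origins; the origins, library text and function names are constructed assumptions.

```javascript
const crypto = require("node:crypto");

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Value for a script tag's integrity attribute, e.g. "sha384-<base64>".
function sriHash(content, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(content).digest("base64")}`;
}

// Browser-style check: unsupported tokens are ignored, only the strongest
// algorithm present is considered, and any hash of that algorithm may
// match. With no usable token nothing is enforced, which is why a
// mistyped attribute fails open.
function verifyIntegrity(content, integrity) {
  const parsed = String(integrity || "").trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+\/_=-]+)(\?.*)?$/.exec(t))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], b64: m[2] }));
  if (parsed.length === 0) return true;
  const best = Math.max(...parsed.map((m) => STRENGTH[m.alg]));
  return parsed
    .filter((m) => STRENGTH[m.alg] === best)
    .some((m) => sriHash(content, m.alg) === `${m.alg}-${m.b64}`);
}

function scriptTag(url, content) {
  return `<script src="${url}" integrity="${sriHash(content)}" ` +
    `crossorigin="anonymous"></script>`;
}

// Allow-list entries must be bare https origins; "*" or http: is refused.
function checkSource(src) {
  const u = new URL(src); // throws on "*" and other non-URLs
  if (u.protocol !== "https:" || u.origin !== src) {
    throw new Error(`refusing CSP source: ${src}`);
  }
  return src;
}

// script-src limits where code may load from; connect-src limits where
// fetch/XHR may send data, which is the allow list for outbound data.
function buildCsp(allow, nonce) {
  const directives = {
    "default-src": ["'self'"],
    "script-src": ["'self'", `'nonce-${nonce}'`, ...allow.scripts.map(checkSource)],
    "connect-src": ["'self'", ...allow.dataEndpoints.map(checkSource)],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(" ")}`)
    .join("; ");
}

// Constructed third-party library and a modified copy of it.
const LIB = 'window.formatPrice = (n) => "$" + n.toFixed(2);\n';
const TAMPERED = LIB + "/* constructed stand-in for injected code */\n";

function demo() {
  const pinned = sriHash(LIB);
  const nonce = crypto.randomBytes(16).toString("base64"); // new per response
  return {
    tag: scriptTag("https://cdn.example/price.js", LIB),
    originalLoads: verifyIntegrity(LIB, pinned),
    tamperedLoads: verifyIntegrity(TAMPERED, pinned),
    csp: buildCsp(
      { scripts: ["https://cdn.example"], dataEndpoints: ["https://api.example"] },
      nonce
    ),
  };
}

console.log(demo());
```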