The biggest risk of a client-side attack is a major data breach. In 2022, the average total cost of a data breach, including fines and recovery costs, tops $4.35 million. And in highly regulated industries like healthcare and financial services, the cost can be much higher.
Security is not a static business. Hackers innovate and continuously move to exploit the point of least resistance, and increasingly, the path of least resistance is client-side application or browser based attacks. In this article, we’ll outline how client-side security vulnerabilities can leave organizations open to attack, and a few tools and best practices businesses can leverage to defend themselves.
What are client-side attacks?
There are two main components to a website or app: server and client. The server side stores code and data and processes operations and requests. The client side is where the web application comes together and is rendered within a browser.
Traditionally, hackers have targeted the server side, employing methods designed to break in and steal assets. Over time, organizations have leveraged origin-focused security products to safeguard data and assets, but cybercriminals are continuously moving to exploit the point of least resistance. Therefore, they have since turned their attention to a different target: the application or web browser that runs on the endpoint or client. Hackers are exploiting client-side weaknesses to steal sensitive and financial customer data for sale on the dark web.
The browser is the client.
Approximately 50 percent of the world’s Internet traffic is delivered through a web browser. The browser interprets and runs this code to deliver the experience when the user accesses the website.
When visiting a website, you see text, pictures and videos and have the ability to create accounts, browse catalogs, customize products, make purchase accounts and more. Much of the website functionality relies on browser capabilities, with the web browser bringing together website code and processing this code into a highly immersive experience.
The web supply chain is a mashup of third-party code that comes from technology partners (e.g., ecommerce platform) and third-party service scripts (e.g., analytics, chat bot, marketing). The web supply chain enhances the customer experience by adding important features. Keep in mind, however, that as partner technologies and services are added, so are thousands of pieces of third-party code. Each piece represents an increase of your attack service. The risk is further compounded when recognizing that many of these third parties have few resources dedicated to security.
A breach on a single piece of web supply chain code can covertly send malicious code down the supply chain into your website. And these pieces of third-party code have the same level of content and data access as the code built by your developers.
With the average website using 50-60 third-party components, hackers scour codebases and scripts looking for vulnerabilities and then target any organization making use of them. For example, the hacker group Magecart made its name after finding vulnerabilities in the popular component Magento, a component used by many thousands of online stores. By injecting rogue script code into this popular library, customer data was siphoned when users visited any of the online stores which utilized the component.
What a single piece of malware code can do
Hackers have a wealth of open source, first-party and third-party codebases to target. A single piece of malware code tucked into the many thousands of lines of code can cascade across many organizations and customer bases. This was witnessed firsthand in 2018 when a hacker took control of a popular codebase called Event-Stream and injected malware into it designed to steal Bitcoin. This library turned out to be used by hundreds of thousands of businesses around the globe, leaving them vulnerable to criminal activity because of the usage of the component.
Common types of client-side data theft attacks
Hackers use web skimming attacks to steal user data by injecting malware into a web page, often via a compromised third-party script, which will then target sources of personal data such as cookies, general page data, or HTML forms.
How to address client-side risks
The browser adds layers of security that can be implemented by Dev/Sec/Ops teams – Content Security Policies and Subresource Integrity (SRI).
Content Security Policies (CSP)
- Browser support – CSPs are supported by all major browsers, though at varying levels. You can review supported CSP functionality across browsers here
- Proper configuration and efficacy – CSPs are no different than code and require specialized knowledge to design, create, test and maintain. Testing is critical given that CSPs can dramatically impact the functionality and performance of a web application. In fact, more than 92 percent of websites that use CSPs in enforcement mode are still vulnerable to content injection attacks according to research by University of Venice
- Maintenance – on-going maintenance of CSPs are required as new browsers and CSP standards are released. Changes to web application functionality and embedded partner services also impact CSP capabilities
- Staffing – CSP-based security can be constrained by development resources, skill sets, priorities and release cycles
Subresource Integrity (SRI)
Some client-side security approaches focus on detecting potential client-side attacks and alerting Dev/Sec/Ops teams. These tools provide telemetry to help troubleshoot and possibly remedy the situation. This approach involves instrumenting, analyzing and baselining normal web page behavior over a period of time and alerting teams to baseline variances that could suggest unusual (i.e., hacker) behavior. After an attack has been investigated and confirmed, these tools can facilitate development and deployment of security rules, often requiring the development of Content Security Policies (CSPs). Developer review and testing is required given the harmful effects a CSP can potentially have on overall website functionality and already deployed CSP code.
Client-side data protection
This approach prioritizes proactive data protection based on an understanding of external domains and partners. Web application boundaries, including the web supply chain, are established up front for approved external domains. This is typically accomplished through allowlists. Client-side monitoring of the browser is then put in place to ensure browsers, web and mobile variants, only exchange content and data with these domains. The major advantages to this approach are fast time-to-protect, ease of use (non-development resources) and ease of maintaining.
Client-side data protection and privacy enforcement
Building on the data protection approach, more advanced tools not only safeguard data and content against data theft, but also allow for the definition of more granular data sharing rules to further restrict the types of data (e.g., payment, social security number) that can be exchanged with allow-listed vendors. This allows companies to enforce user privacy preferences as well as comply with data protection regulations, such as the CCPA, GDPR and PCI DSS.
CHEQ’s Go-to-Market Security platform enables organizations to implement a client-side data protection and privacy enforcement approach.