Publication


Featured research published by Martin Johns.


Archive | 2014

Primer on Client-Side Web Security

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

This volume illustrates the continuous arms race between attackers and defenders of the Web ecosystem by discussing a wide variety of attacks. In the first part of the book, the foundation of the Web ecosystem is briefly recapped and discussed. Based on this model, the assets of the Web ecosystem are identified, and the set of capabilities an attacker may have are enumerated. In the second part, an overview of the web security vulnerability landscape is constructed. Included are selections of the most representative attack techniques reported in great detail. In addition to descriptions of the most common mitigation techniques, this primer also surveys the research and standardization activities related to each of the attack techniques, and gives insights into the prevalence of those very attacks. Moreover, the book provides practitioners a set of best practices to gradually improve the security of their web-enabled services. Primer on Client-Side Web Security expresses insights into the future of web application security. It points out the challenges of securing the Web platform, opportunities for future research, and trends toward improving Web security.


Archive | 2014

Attacks on the Client Device

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

By directly attacking the client device, the attacker can gain control over the device, allowing him/her to manipulate the user’s actions, steal sensitive information or abuse the device for other activities, such as denial of service attacks. In this chapter, we discuss two important attack vectors. The first attack vector uses drive-by download techniques to exploit a memory corruption vulnerability in the client software, for example, a buffer overflow vulnerability in the browser. The second attack vector attacks the client device through a malicious browser extension, which is characterized by a high degree of control over the browser.


Archive | 2014

Attacks on the User’s Session

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

By attacking the user’s session, an attacker can gain control over an authenticated session, giving him the same level of access to the target application as the victim. Unfortunately, applications often deploy weak authentication systems and insufficiently protect authenticated sessions, thereby enabling these attacks. In this chapter, we cover two attacks that enable the attacker to transfer an authenticated session from the victim’s browser to his own: session hijacking and session fixation. In addition, we cover the impact of credential theft, a common attack that gives the attacker valid user credentials, allowing him to impersonate a user to the target application. Attacks on the user’s session are common, and are supported by various tools and attack frameworks.


Archive | 2014

Attacks on the Browser’s Requests

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

By attacking the browser’s requests, an attacker is able to trick the user’s browser into sending requests to a target application. Since these requests originate from the user’s browser, a vulnerable application is unable to distinguish them from legitimate requests, thus allowing the attacker to perform actions in the user’s name. The two most common ways of forging requests from the user’s browser are cross-site request forgery (CSRF), where requests are automatically sent by the browser, and UI redressing, where the user is tricked into interacting with a seemingly innocent page, while the interactions are actually sent to the target application. Real-life attacks on vulnerable applications have allowed attackers to transfer money from bank accounts, take over accounts through the password reset feature or secretly enable the webcam in the Flash player.


Archive | 2014

Attacks on the Client-Side Context

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

Using attacks on the client-side context, the attacker can gain control over the target application running in the user’s browser. This allows him to steal the user’s sensitive information and manipulate the user’s actions. From the Web application’s point of view, these actions are indistinguishable from legitimate user actions. In this chapter, we investigate three ways of attacking the client-side context. The first is cross-site scripting (XSS), a very common and well-known attack, where the attacker injects JavaScript into the target application’s context. Second, we discuss scriptless attacks, which take the idea behind XSS, but use non-scripting technology to extract data or modify the application’s behavior. Finally, we investigate the dangers of remote script inclusions, which are ubiquitous on the Web, but prone to compromise.


Archive | 2014

Traditional Building Blocks of the Web

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

Traditional Web applications seem vastly different from modern applications, which thrive on technological advances with dynamic content loading, background processing, and continuous data feeds. However, under the hood, these modern applications still rely on the same building blocks used by traditional applications. This chapter briefly introduces these building blocks as required background knowledge, followed by a discussion of several relevant client-side features. These include the browser’s security policies, which are all the more important today, the client-side extensibility features using plugins and browser extensions, and browser features aimed at enhancing the user experience, such as security indicators and private browsing modes.


Archive | 2014

Improving Client-Side Web Security

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

The previous chapters have covered a wide variety of attacks, which over the chapters came closer and closer to the user himself, eventually leading to the compromise of the browser and client device. In this chapter, we compile an overview of the best practices scattered throughout the previous chapters, resulting in a practical guide for securing Web applications in the modern age of the Web. We also look into the crucial role of research in Web security and identify future research challenges.


Archive | 2014

The Browser as a Platform

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

The browser is the single, most valuable tool for enabling users to access the Web. Browser vendors realize this, which is why domination in the browser market share has been a high-stakes game since the 1990s. In this chapter, we take a look at how browsers can be found on numerous devices today, including mobile devices and smart appliances. We investigate how the browser evolved from a static rendering engine into a full-featured Web application platform, offering Web applications access to local storage facilities, sensor information, communication mechanisms, and more. Finally, we discuss Firefox OS and Google’s Chrome OS that have given the browser the status of an operating system.


Archive | 2014

The Relevance of Client-Side Web Security

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

The Web has evolved from a static distributed hypertext system into a rich application platform, where the browser is capable of running highly dynamic client-side applications, which merely depend on backend server-side services for data storage. We observe a similar trend within the field of Web security, where more responsibilities are pushed towards the client side. Security mechanisms have evolved from default browser policies that are the same for all applications to server-driven security policies composed at the server side and enforced at the client side. This chapter briefly sketches the trends in the evolution of the Web and the parallels in the field of Web security. We introduce a social networking example scenario that will serve as a working example throughout this book. Finally, we provide a reader’s guide for the intended target audiences, which include students, teachers, trainers, researchers, developers, and security practitioners.


Archive | 2014

How Attackers Threaten the Web

Philippe De Ryck; Lieven Desmet; Frank Piessens; Martin Johns

Since the Web is an important application platform, it is a high profile target for attackers. Different attackers have different capabilities, and certain vulnerabilities require a specific set of capabilities to be exploited. These capabilities are generally captured in a threat model, describing what an attacker can and cannot do. In this chapter, we provide an overview of the relevant academic threat models for the Web. Since these models are often highly tailored to a specific problem statement and solution, their slight differences make it difficult to compare threat models. Therefore, we decompose every threat model into concrete attacker capabilities, enabling a conceptual comparison of the threat models.

Collaboration

Martin Johns's collaborations.

Top Co-Authors

Lieven Desmet, Katholieke Universiteit Leuven
Frank Piessens, National Fund for Scientific Research
Philippe De Ryck, Katholieke Universiteit Leuven
Steven Van Acker, Katholieke Universiteit Leuven
David Sands, Chalmers University of Technology
Phu H. Phung, Chalmers University of Technology