The biggest risk of a client-side attack is a major data breach. According to the Ponemon 2020 Data Breach Cost Study, the average cost of a data breach, including fines and recovery, is $3.86 million. The costs escalate in more highly regulated industries such as healthcare and financial services.
Hackers innovate and continuously move to exploit the point of least resistance. The web browser has increasingly come under attack, and organizations need to extend their security approach out to the browser to mitigate the risk.
What are client-side attacks?
There are two main components to a website or app: server and client. The server side stores code and data and processes operations and requests. The client side is where the web application comes together and is rendered within a browser.
Traditionally, hackers have targeted the server side, employing methods designed to break in and steal assets. Over time, organizations have leveraged origin-focused security products to safeguard data and assets, but cybercriminals are continuously moving to exploit the point of least resistance. Therefore, they have since turned their attention to a different target: the application or web browser that runs on the endpoint or client. Hackers are exploiting client-side weaknesses to steal sensitive and financial customer data for sale on the dark web.
The browser is the client
Approximately 50 percent of the world’s Internet traffic is delivered through a web browser. When a user accesses a website, the browser interprets and runs the site's code to deliver the experience.
When visiting a website, you see text, pictures and videos and have the ability to create accounts, browse catalogs, customize products, make purchases and more. Much of the website functionality relies on browser capabilities, with the web browser bringing together website code and processing this code into a highly immersive experience.
The web supply chain is a mashup of third-party code that comes from technology partners (e.g., ecommerce platform) and third-party service scripts (e.g., analytics, chat bot, marketing). The web supply chain enhances the customer experience by adding important features. Keep in mind, however, that as partner technologies and services are added, so are thousands of pieces of third-party code. Each piece increases your attack surface. The risk is further compounded when recognizing that many of these third parties have few resources dedicated to security.
A breach on a single piece of web supply chain code can covertly send malicious code down the supply chain into your website. And these pieces of third-party code have the same level of content and data access as the code built by your developers.
With the average website using 50-60 third-party components, hackers scour codebases and scripts looking for vulnerabilities and then target any organization making use of them. For example, the hacker group Magecart made its name after finding vulnerabilities in the popular component Magento, a component used by many thousands of online stores. By injecting rogue script code into this popular library, customer data was siphoned when users visited any of the online stores that used the component.
What a single piece of malware code can do
Hackers have a wealth of open source, first-party and third-party codebases to target. A single piece of malware code tucked into the many thousands of lines of code can cascade across many organizations and customer bases. This was witnessed firsthand in 2018 when a hacker took control of a popular codebase called Event-Stream and injected malware into it designed to steal Bitcoin. This library turned out to be used by hundreds of thousands of businesses around the globe, leaving them exposed to criminal activity simply because they used the component.
Common types of client-side data theft attacks
The most common type of client-side attack is web skimming, an attack method used by hacker groups such as Magecart.
How to address client-side risks
The browser provides two layers of security that Dev/Sec/Ops teams can implement themselves – Content Security Policy (CSP) and Subresource Integrity (SRI).
Content Security Policies (CSP)
- Browser support – CSPs are supported by all major browsers, though at varying levels; the supported CSP functionality should be reviewed for each browser you need to support.
- Proper configuration and efficacy – CSPs are no different from code and require specialized knowledge to design, create, test and maintain. Testing is critical given that CSPs can dramatically impact the functionality and performance of a web application. In fact, more than 92 percent of websites that use CSPs in enforcement mode are still vulnerable to content injection attacks, according to research by the University of Venice.
- Maintenance – ongoing maintenance of CSPs is required as new browsers and CSP standards are released. Changes to web application functionality and embedded partner services also impact CSP capabilities.
- Staffing – CSP-based security can be constrained by development resources, skill sets, priorities and release cycles.
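As an added example (not code from this page or from Ensighten), the following Python shows the two browser mechanisms named above together: computing and verifying a Subresource Integrity hash for a partner script, a CSP that is enforced yet still bypassable beside a nonce-based policy that also allowlists the partner hosts the browser may talk to, and a small review check of the kind the configuration-and-efficacy point calls for. The host names and script bodies are constructed.

```python
import base64
import hashlib
import secrets

# Constructed sample: a third-party script as the vendor ships it, and a tampered
# copy of the kind a compromised vendor CDN would deliver in its place.
VENDOR_SCRIPT = b"window.track = function (e) { /* report page view */ };\n"
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"// injected skimmer code would be appended here\n"

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value for the <script integrity="..."> attribute: algo-base64(digest)."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

def sri_check(body: bytes, integrity: str) -> bool:
    """The browser's rule: execute the fetched body only if it matches the tag's hash."""
    return secrets.compare_digest(sri_hash(body, integrity.split("-", 1)[0]), integrity)

def script_tag(src: str, body: bytes, nonce: str) -> str:
    """Tag for a vendor script: the nonce satisfies the CSP, integrity pins the content,
    and crossorigin is required for SRI to apply to a script on another origin."""
    return (f'<script src="{src}" nonce="{nonce}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')

# Enforced yet bypassable: 'unsafe-inline' lets an injected inline <script> run, and
# the wildcard host admits any script hosted anywhere under that CDN.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.cdn.example"

def strict_csp(nonce: str, allowed_hosts: list[str]) -> str:
    """Nonce-based policy: only tags carrying this nonce execute, and images, fetches
    and form posts may only go to 'self' plus the allowlisted partner hosts."""
    allow = " ".join(allowed_hosts)
    return (f"default-src 'none'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
            f"connect-src 'self' {allow}; img-src 'self' {allow}; "
            "form-action 'self'; base-uri 'none'; object-src 'none'")

def csp_findings(policy: str) -> list[str]:
    """Review checks of the kind needed before switching a CSP to enforcement mode."""
    d = {p.split()[0]: p.split()[1:] for p in policy.split(";") if p.strip()}
    script = d.get("script-src", d.get("default-src", []))
    findings = []
    if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        findings.append("script-src: 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' allows string-to-code execution")
    if any("*" in s for s in script):
        findings.append("script-src: wildcard host allows any script on that host")
    if "base-uri" not in d:
        findings.append("base-uri missing (it does not fall back to default-src)")
    return findings
```

A fresh nonce must be generated per response (for example `base64.b64encode(secrets.token_bytes(16))`), and the SRI hash must be recomputed whenever the vendor legitimately ships a new version, which is the maintenance cost the list above describes.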
Subresource Integrity (SRI)
Some client-side security approaches focus on detecting potential client-side attacks and alerting Dev/Sec/Ops teams. These tools provide telemetry to help troubleshoot and possibly remedy the situation. This approach involves instrumenting, analyzing and baselining normal web page behavior over a period of time and alerting teams to variances from the baseline that could indicate unusual (i.e., hacker) behavior. After an attack has been investigated and confirmed, these tools can facilitate the development and deployment of security rules, often requiring the development of Content Security Policies (CSPs). Developer review and testing are required given the harmful effects a CSP can potentially have on overall website functionality and on already deployed CSP code.
Client-side data protection
This approach prioritizes proactive data protection based on an understanding of external domains and partners. Web application boundaries, including the web supply chain, are established up front for approved external domains. This is typically accomplished through allowlists. Client-side monitoring of the browser is then put in place to ensure that browsers (web and mobile variants) only exchange content and data with these domains. The major advantages of this approach are fast time-to-protect, ease of use (no development resources needed) and ease of maintenance.
Client-side data protection and privacy enforcement
Building on the data protection approach, more advanced tools not only safeguard data and content against data theft, but also allow for the definition of more granular data sharing rules to further restrict the types of data (e.g., payment, social security number) that can be exchanged with allow-listed vendors. This allows companies to enforce user privacy preferences as well as comply with data protection regulations, such as the CCPA, GDPR and PCI DSS.
The Ensighten platform enables organizations to implement a client-side data protection and privacy enforcement approach. Learn more about the Ensighten platform.