Lecture_CSF_9

The document discusses the importance of client-side security in web applications, highlighting the risks associated with third-party scripts and client-side attacks such as Magecart and XSS. It outlines frameworks and strategies for preventing these attacks, including real-time monitoring and secure coding practices. Additionally, it emphasizes the need for user vigilance and developer responsibility in maintaining application security against various attack vectors.

Cyber Security Fundamentals

Lecture 9
Client and Application Security

Mukasheva A.K., Ph.D, associate professor


School of Information Technology and Engineering, KBTU
Why do enterprises need to protect client-side security?
Modern web apps and pages load an average of more than 30 third-party scripts at runtime in the user's browser, so the attack surface on the user's device has grown accordingly.
Relying on third-party code that is integrated into the user experience almost in real time considerably widens the opening for an attack.
The organization that owns and operates the website the user is viewing does not control that code and has no visibility into how it behaves at runtime. And, with the rise of online shopping, as more transactions are made online and more sensitive data traverses networks as a result, the incentive and opportunities for client-side attacks grow.
How do client-side attacks happen?
Client-side attack examples

Some of the most relevant examples of client-side attacks include Magecart web skimming attacks, where malicious actors tamper with client-side payment forms to collect credit card information and send it to their own servers, and customer hijacking, where the user is diverted to another page.

The common goal of this method is to steal valuable information from a webpage, computer, or server, especially sensitive information such as credit card numbers. Enterprises like British Airways and Ticketmaster are two of the thousands of victims.
Frameworks and regulations that ensure client-side protection

Several key frameworks provide information about client-side vulnerabilities:

• OWASP
• Cybersecurity Framework from NIST
• Regulatory requirements
Preventing client-side attacks
Considering the dynamic nature of the web and JavaScript itself, there are several security aspects that must be taken into consideration to address client-side vulnerabilities:

• Real-time monitoring
• Get visibility into third-party scripts
• Other client-side attack prevention strategies
Cross-Site Scripting (XSS)
The most common application-level web security attack is cross-site scripting, or just XSS. A cross-site scripting attack relies on injection: the attacker finds a way to get their own script into a page served by the target website. The ultimate goal is for the targeted web application to deliver the attacker's code to some unknowing user's browser, where it runs with the trust of that site. XSS works best when a website accepts, processes, and outputs user input without adequate validation and output encoding.
What is the danger of an XSS vulnerability?
Web application security
How to secure web applications

• checking data for compliance with protocol standards
• traffic control based on neural networks
• signature analysis; access control to confidential data
• protection against SQL injection
• protection against cross-site scripting (XSS)
How mobile devices and apps are being attacked

• Malicious app on the device
• An attacker in the communication channel
• Server-side attacks
• Physical access
• Remote attacks

How to protect yourself

First and foremost, be careful not to leave your phone or tablet unattended in public places. Set a password to unlock your device, or enable biometric protection if possible. Do not elevate your privileges to administrative level (jailbreak or root), and disable the display of notifications on the lock screen.
Attacks by malicious applications
There are several sources of such applications:
• Official app stores (Google Play and the App Store). Rarely, but even in the official stores, you can find a malicious app that can harm you and your data. Such apps often try to attract installations with clickbait titles like "Super Battery", "Turbo Browser" or "Virus Cleaner 2019".
• Unofficial websites and app stores (third-party app stores). On Android devices it is enough to allow installation from untrusted sources and then download the app's APK file from the site. On iOS devices it is enough to follow a link in the Safari browser and confirm the installation of a certificate on the device; after that any application in the unofficial store can be installed directly from the browser.
• The user can install an application downloaded from the Internet over a USB connection.
• On Android devices, part of an application can be downloaded by clicking on a link, through the Google Play Instant mechanism.
Attacks in the communication channel
If an attacker manages to gain control of the traffic between the client application and the server, this gives them a number of opportunities:

• spoof the server's responses, for example to forge bank transaction details or to phish;
• spoof the client application's requests, for example by changing the transfer amount and the recipient's account;
• intercept data such as logins, passwords, one-time passwords, bank card details and transaction history.

As a result, the attacker learns the victim's logins and passwords for various accounts and can use them to steal data or money.
Remote attacks
The familiar http:// and https:// links can be handled in a similar way on mobile devices: instead of opening in the browser, they can be passed to an application, in some cases without user confirmation.

On Android devices, clicking on a link can trigger an Instant App download, making it possible to remotely exploit vulnerabilities related to the installation of a malicious app.

How to protect yourself

Timely installation of application and OS updates is the only protection in this case. If you cannot install an update, or one has not been released yet, you can temporarily stop using the vulnerable application: uninstall it from your device or simply log out.
Attacks on the server side
How to protect yourself
In this case there is not much an ordinary user can do. However, you can reduce the damage from a server-side attack by using a strong password and by setting up two-factor authentication with one-time passwords in all critical applications that allow it.
To minimize the likelihood of a successful attack on a mobile application, its developers should test the feasibility of each of the scenarios described. Different intruder models should be taken into account during development, and some protection measures should be taken at the design stage.
A good recommendation for developers is to implement security development lifecycle (SDL) practices and to analyze the security of the application regularly. Such measures not only help to identify potential threats in a timely manner, but also increase the security knowledge of developers, which raises the security level of the applications they build in the long term.
