TL;DR: A new WhitePaper released /defense-against-client-side-attacks to help attackers understand client-side attacks and for developers to understand how to mitigate them.
In the modern era, the web exploitation world is obsessed with server-side attacks however the data now resides equally on server and client side. Developers focus on fixing server-side vulnerabilities first due to their high-profile nature. But what about client-side attacks like Cross-Site Scripting, Cross-Site Script Inclusion, Cross-Origin Resource Sharing, Cross-Site Request Forgery, Man-in-the-Middle, Clickjacking, Information Sharing / Leakage which are equally catastrophic. The impact of Client-Side attacks is limited to the user’s of the application compared to Server-Side attacks where the organisation’s network and data can be targeted by an attacker. For example, in the case of Cross-Site Scripting, exploitation will be limited to the users who access the vulnerable page.
WhitePaper written by Savan and Dharmendra at NotSoSecure, the focus is on the client-side vulnerabilities and strategies to identify simple configuration changes that developers can implement via custom headers to reduce/mitigate the effect of the threat.
The WhitePaper is divided into 3 sections:
- Client-Side components
- Various Client-Side attacks
- Recommendations about each vulnerability
With this WhitePaper, we intend to help pentesters identify and understand the importance of client-side vulnerabilities, by talking about various client-side vulnerabilities which pentesters should be looking-for during application assessments, and the strategies that developers can undertake to mitigate those vulnerabilities by making minimal configuration changes.
Click on the image and download a copy.
Whitepaper Release : Defense against Client-Side Attacks