It is not unusual for browser-side or client-side security to get less than its fair share of attention from understaffed IT teams battling a rising number of attacks and a constantly evolving threat landscape.
Historically, server-side attacks have drawn more attention from cyber security officers and web application firewall vendors because they’ve been the primary focus of malicious actors. However, this is changing quickly as hackers look to exploit client-side blind spots and unmonitored areas for gain.
The application architecture and environment have changed in recent years. The application’s perimeter is no longer easy to define. Not only are applications scattered across multiple environments, but they also rely on dozens of connections to third-party services that generate much of the application content on the browser or client side.
This is what we call the application supply chain, and it is on the radar of opportunistic actors with malicious intent.
If client-side protection is not a major part of a modern security strategy, that is a mistake that will eventually come at a price. To strengthen their security posture, organisations should make sure their application protection solutions cover the following seven common client-side threats.
1. Broken access control
It can also include manipulation of the document object model (DOM) to gain access to client-side data. A designated client-side protection tool can protect against both types of attack.
2. DOM-based XSS attacks
In a DOM-based XSS attack the malicious payload never reaches the server: client-side JavaScript reads it from a source such as the URL fragment (which browsers never send to the server) and writes it into the page through a sink such as innerHTML, document.write or location.href. Because the server never sees the payload, these attacks are very difficult to detect on the server side, which is why a client-side protection solution needs to be deployed.
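The source-to-sink flow described above, as an added example that is not part of the original article. The fragment is taken from a hypothetical page that greets the user by a name carried in the URL; the vulnerable and hardened versions are shown side by side, along with a check for the navigation sink (location.href), where a javascript: URL would also execute script. The host name app.example and the sample payloads are constructed for the example.

```javascript
// Added example: DOM-based XSS from location.hash into an HTML sink, and its fix.
// The browser never sends the fragment to the server, so no server-side log or WAF
// ever sees the payload below.

// Read the value after "#", tolerating malformed percent-encoding (decodeURIComponent throws).
function fragmentValue(hash) {
  try {
    return decodeURIComponent(String(hash).replace(/^#/, ''));
  } catch {
    return '';
  }
}

// Vulnerable: the untrusted fragment is concatenated straight into markup that the
// page then assigns to element.innerHTML. Any tag in the fragment is interpreted.
function greetVulnerable(hash) {
  return '<h1>Welcome back, ' + fragmentValue(hash) + '</h1>';
}

// Hardened: encode the HTML metacharacters before the value enters an HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function greetSafe(hash) {
  return '<h1>Welcome back, ' + escapeHtml(fragmentValue(hash)) + '</h1>';
}

// Navigation sink: "location.href = candidate" runs script if candidate is a
// javascript: URL and sends the user off-site if it is an absolute or protocol-relative
// URL. Resolve it against our own origin (assumed to be https://app.example) and keep
// only same-host http(s) targets; anything else falls back to the site root.
function safeRedirectTarget(candidate, ownHost = 'app.example') {
  let url;
  try {
    url = new URL(candidate, 'https://' + ownHost + '/');
  } catch {
    return '/';
  }
  const httpLike = url.protocol === 'https:' || url.protocol === 'http:';
  if (httpLike && url.host === ownHost) {
    return url.pathname + url.search + url.hash;
  }
  return '/';
}

// Stand-alone run: show what each sink would receive for a constructed payload.
const demoHash = '#<img src=x onerror=alert(1)>';
console.log(greetVulnerable(demoHash)); // markup survives: the img tag would execute
console.log(greetSafe(demoHash));       // markup neutralised: &lt;img ...&gt;
console.log(safeRedirectTarget('javascript:alert(1)'));   // "/"
console.log(safeRedirectTarget('/account?tab=billing'));  // "/account?tab=billing"
```

The important design choice is that encoding happens at the sink, at the moment the value enters an HTML context, rather than at the source: the same fragment value may be safe in textContent, need HTML encoding in innerHTML, and need a scheme check in location.href.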
3. Data leakage
Data leakage is as ominous as it sounds. It occurs when data leaks out of an organisation to unauthorised destinations and falls into the hands of malicious actors.
Leaked data, such as personally identifiable information (PII) that is exposed or stolen by malicious actors, can also be used later by attackers to access and take control of users' accounts.
Leaked data can result in breaches, identity theft, credential stuffing, ransomware and more. An effective client-side protection solution blocks data from being transferred through an application's browser side to unknown destinations or known destinations with illegitimate parameters.
4. No third-party origin control
Origin control lets security teams restrict which resources a page may load and which destinations it may send data to, by checking the origin (scheme, host and port) of each request against the set of approved third-party origins.
Lack of proper origin control increases the risk that unknown and uncontrolled third-party code will access data in the application. A client-side protection solution worth its salt automatically discovers third-party services, provides detailed activity tracking, and blocks unvetted origins so that only approved third-party code has appropriate access to the application's data and network traffic.
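One way to implement the origin control described above, and the data-leakage blocking described under threat 3, as an added example that is not part of the original article or any vendor's product. An allowlist of approved third-party origins is checked against the origin of every script load and outbound connection a client-side monitor observes, and the same allowlist is rendered as a Content-Security-Policy header so the browser enforces it as well. The approved services, the site origin https://shop.example and the observed request log are all constructed for this example.

```javascript
// Added example: origin allowlisting for script loads and outbound connections,
// mirroring the host-source matching rules of CSP script-src / connect-src.

// Approved third parties, per directive. 'self' is our own origin; a leading "*."
// matches any subdomain but not the bare domain, as in CSP.
const APPROVED = {
  'script-src': ['self', 'https://cdn.example-analytics.com', 'https://*.tagmanager.example'],
  'connect-src': ['self', 'https://api.example-analytics.com'],
};

const SELF_ORIGIN = 'https://shop.example';

// Does one allowlist entry cover this parsed URL?
function entryMatches(entry, url, selfOrigin) {
  if (entry === 'self') return url.origin === selfOrigin;
  const wildcard = entry.includes('://*.');
  // "*" is not a valid host character, so swap it for a placeholder before parsing.
  const pattern = new URL(entry.replace('*.', 'wildcard.'));
  if (pattern.protocol !== url.protocol || pattern.port !== url.port) return false;
  if (wildcard) {
    const suffix = pattern.hostname.slice('wildcard.'.length);
    return url.hostname.endsWith('.' + suffix);
  }
  return pattern.hostname === url.hostname;
}

// Decide whether one request is allowed under a directive.
function classifyRequest(directive, requestUrl, selfOrigin = SELF_ORIGIN) {
  let url;
  try {
    url = new URL(requestUrl);
  } catch {
    return { allowed: false, origin: null, reason: 'unparseable URL' };
  }
  const entries = APPROVED[directive] || [];
  const allowed = entries.some((e) => entryMatches(e, url, selfOrigin));
  return { allowed, origin: url.origin, reason: allowed ? 'approved origin' : 'origin not in allowlist' };
}

// Render the same allowlist as a CSP header value so the browser enforces it too.
function buildCsp(policy = APPROVED) {
  return Object.entries(policy)
    .map(([directive, list]) => directive + ' ' + list.map((e) => (e === 'self' ? "'self'" : e)).join(' '))
    .join('; ');
}

// Constructed sample of what a client-side monitor might observe during one session.
const OBSERVED = [
  { directive: 'script-src', url: 'https://cdn.example-analytics.com/v2/tag.js' },
  { directive: 'script-src', url: 'https://eu.tagmanager.example/gtm.js' },
  { directive: 'connect-src', url: 'https://shop.example/api/cart' },
  { directive: 'connect-src', url: 'https://api.example-analytics.com/collect' },
  { directive: 'connect-src', url: 'https://exfil.attacker.example/c?card=4111' }, // skimmer beacon
  { directive: 'script-src', url: 'https://tagmanager.example/gtm.js' },           // bare domain: no wildcard match
];

function auditSession(observed = OBSERVED) {
  return observed.map((o) => ({ ...o, ...classifyRequest(o.directive, o.url) }));
}

function blockedUrls(observed = OBSERVED) {
  return auditSession(observed).filter((r) => !r.allowed).map((r) => r.url);
}

// Stand-alone run.
console.log('Content-Security-Policy: ' + buildCsp());
for (const r of auditSession()) {
  console.log((r.allowed ? 'ALLOW ' : 'BLOCK ') + r.directive + ' ' + r.url + ' (' + r.reason + ')');
}
```

The two flagged requests are exactly the ones a script-based skimmer relies on: a beacon to an origin nobody approved, and a script from a host that only superficially resembles an approved one. Keeping the allowlist in one place and deriving both the runtime check and the CSP header from it avoids the two drifting apart.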
6. Client-side data storage
It’s important that a client-side protection solution is advanced enough to protect stored data against theft and restrict the type of data that can be accessed and shared by vendors. This is especially important for organisations that must comply with data security requirements, such as the General Data Protection Regulation.
Client-side browser monitoring is important to ensure data and content are only exchanged or shared with predetermined domains.
7. No standard browser security controls
Attackers are opportunists. They are looking for ways to exploit weak security configurations and poor security controls. Unfortunately, not every browser in use supports the same standards-based security controls, such as iframe sandboxing, Subresource Integrity (SRI) and Content Security Policy, and many applications do not enable these controls even where the browser supports them.
A good client-side protection solution can detect and prevent digital trackers and pixels across web properties.
By protecting against these seven client-side threats, organisations can prevent their end users from being exposed to third-party services that are embedded in applications over which they lack visibility and control.
Today’s applications load, on average, 20-25 third-party scripts during each user session, which is why client-side protection should not be pushed to the back burner. It must be a part of an overall security posture.
Without client-side protection, organisations are flying blind, and their application supply chain is left open to attack. It is no coincidence that the latest Payment Card Industry Data Security Standard (PCI DSS 4.0) requires client-side controls for payment pages: requirement 6.4.3 (an inventory of, and authorisation and integrity checks for, scripts loaded into the consumer's browser) and requirement 11.6.1 (detection of unauthorised changes to payment pages as received by the browser) are best practice from the standard's March 31, 2024 effective date and become mandatory for compliance after March 31, 2025.