Whitepaper Release:
Defense against Client-Side Attacks
NotSoSecure - part of Claranet Cyber Security
TL;DR: A new whitepaper has been released at insight.claranet.co.uk/cybersecurity/defense-against-client-side-attacks to help pentesters understand client-side attacks and to help developers understand how to mitigate them.
In the modern era, the web exploitation world is obsessed with server-side attacks; however, data now resides equally on the server and the client side. Developers focus on fixing server-side vulnerabilities first because of their high-profile nature. But what about client-side attacks such as Cross-Site Scripting, Cross-Site Script Inclusion, Cross-Origin Resource Sharing, Cross-Site Request Forgery, Man-in-the-Middle, Clickjacking and Information Sharing / Leakage, which can be equally catastrophic? The impact of client-side attacks is limited to the users of the application, whereas with server-side attacks an attacker can target the organisation's network and data. For example, in the case of Cross-Site Scripting, exploitation is limited to the users who access the vulnerable page.
This whitepaper, written by Savan and Dharmendra at NotSoSecure, focuses on client-side vulnerabilities and on the simple configuration changes, applied through custom HTTP response headers, that developers can make to reduce or mitigate each threat.
The whitepaper is divided into three sections:
- Client-Side components
- Various Client-Side attacks
- Recommendations about each vulnerability
With this whitepaper, we intend to help pentesters understand the importance of client-side vulnerabilities by describing the ones they should be looking for during application assessments, and to show developers the strategies they can use to mitigate those vulnerabilities with minimal configuration changes.
You can download a copy here: insight.claranet.co.uk/cybersecurity/defense-against-client-side-attacks