One Article Review

Home - The article:
Source AlienVault Blog
Identifier 2785193
Publication date 2021-05-14 10:00:00 (viewed: 2021-05-14 11:05:45)
Title Defending the client-side attack surface
Text It is strange to think that not that long ago the Internet was a very different place. A place filled with static text content, marked up in HTML, and served up alongside a few included image files; mostly consumed by a small population of people with specific interests. Today’s Internet consumer demands a vibrant and responsive user experience customized to their individual interests. A localized cornucopia of options from around the globe, available on demand. While many advancements in platforms and networking have contributed to this evolution, the ability to execute script code in the browser is perhaps the most significant, both in terms of user functionality and in terms of potential security exposures. A “Client-Side Attack” occurs when a user (the client) downloads malicious code from the server, which is then interpreted and rendered by the client browser. The classic example of such an attack is Cross-Site Scripting, which has been a staple of the OWASP Top Ten since its inception. These flaws are pervasive. A 2019 report from Feroot CX Security and Privacy, the 2019 Feroot User Security and Privacy Report, concluded that the hidden activities of third-party tools and scripts expose up to 97% of organizations to theft of customer data. More recently, the 2021 Hacker Report showed significant year-over-year increases in reported web-related security vulnerabilities and that 96% of hackers are working on hacking web applications. Sadly, these figures are far from surprising. According to that same 2019 Feroot report, modern web applications load an average of 21 third-party scripts as part of the user experience. This integration of third-party code creates a software supply chain that is assembled and executed on the client’s machine in near real time.
The risk that one or more of the included scripts has been tampered with by threat actors at any given point in time is real and can have significant consequences, as many organizations impacted by “web skimming” or “Magecart” attacks have learned. These attacks occur when an attacker inserts malicious script code, or a reference that includes such code, into a payment or other transactional page. The code is downloaded and executed in the client browser, which typically sends a copy of the sensitive information to a location of the attacker’s choice. Because of the subtle nature of these campaigns, they can be difficult to detect. For example, Warner Music recently disclosed that a number of the company’s online stores had fallen victim to such a campaign that lasted for several months. They are not alone. Many companies have been impacted by such campaigns, and given the surge of online transactions as a result of the COVID-19 pandemic, it is no surprise that threat actor groups are increasingly focused on the exploitation and monetization of such vulnerabilities. Even in the absence of malicious intent, simple human error can result in security-impacting disclosures. If developers are passing sensitive details in the URL parameters or the page title of a web resource, analytics platforms may receive those elements. These may include usernames, credentials, or other information that could be considered Personally Identifiable Information (PII). Legitimate scripts may collect sensitive data from the website for analysis without the full understanding of
Sent Yes
Tags Tool Threat


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.