Mitigating Attacks on Web Applications Through the Browser
Attackers use browsers as gateways to attack web applications via XSS (executing malicious JavaScript in app context), CSRF (tricking browsers into submitting crafted requests), clickjacking (invisible elements above legitimate UI), and man-in-the-browser (intercepting all traffic). Modern browsers include anti-XSS/CSRF/clickjacking features.
Applications running on web servers can be attacked in many ways. One of the approaches involves using the web browser of the victim as a gateway for the attack. Such attacks include the following tactics:
- The attacker can trick the victim’s browser into executing malicious browser code, such as JavaScript, in the context of a vulnerable web application. This is an example of a Cross-Site Scripting (XSS) attack.
- The attacker can trick the victim’s browser into visiting a site or clicking on a link that submits a specially-crafted request to the vulnerable web application. This attack category is known as Cross-Site Request Forgery (CSRF).
- The attacker can design a malicious website that embeds the visitor’s desired web application while floating invisible HTML elements above the web app’s genuine user interface. The victim will believe he is interacting with the legitimate site, while the attacker’s code intercepts user input. This type of an attack is known as Clickjacking. (Some classify Clickjacking as a variant of CSRF.)
- The attacker can design a malicious application that runs directly on the victim’s computer and embeds itself into the browser as an add-on or a DLL. This allows the attacker to intercept and tamper with all traffic sent by the browser. An attack of this type is sometimes called man-in-the-browser; its infection vector is similar to that of other local malware.
By channeling attacks through the victim’s browser, the attacker often has the ability to take actions in the context of the victim’s session with the target web application. This allows the attacker to interact with the application under the victim’s privileges. Many of the vulnerabilities exploited by the attacks outlined above need to be fixed by the developers of the web applications, which aren’t under the direct control of the victims. However browser users can take some mitigation measures.
Modern web browser are starting to include mechanisms for resisting attacks outlined above. For instance, Internet Explorer 8 includes anti-XSS, anti-CSRF and anti-clickjacking features. Google Chrome offers some protective capabilities of this manner as well. Users of Firefox can mitigate the risks of CSRF, XSS and other attack on web applications by using the NoScript extension.
Of course, such browser-based defenses aren’t without weaknesses; case point: the Abusing Internet Explorer 8’s XSS Filters paper by Eduardo Vela Nava and David Lindsay (PDF).
This note is part of a series that explores attacks that use the web browser. Other posts in this series are: