Mitigating Attacks on Web Applications Through the Browser

Applications running on web servers can be attacked in many ways. One of the approaches involves using the web browser of the victim as a gateway for the attack. Such attacks include the following tactics:

  • The attacker can trick the victim’s browser into executing malicious browser code, such as JavaScript, in the context of a vulnerable web application. This is an example of a Cross-Site Scripting (XSS) attack.
  • The attacker can trick the victim’s browser into visiting a site or clicking on a link that submits a specially-crafted request to the vulnerable web application. This attack category is known as Cross-Site Request Forgery (CSRF).
  • The attacker can design a malicious website that embeds the visitor’s desired web application while floating invisible HTML elements above the web app’s genuine user interface. The victim will believe he is interacting with the legitimate site, while the attacker’s code intercepts user input. This type of an attack is known as Clickjacking. (Some classify Clickjacking as a variant of CSRF.)
  • The attacker can design a malicious application that runs directly on the victim’s computer and embeds itself into the browser as an add-on or a DLL. This allows the attacker to intercept and tamper with all traffic sent by the browser. An attack of this type is sometimes called man-in-the-browser; its infection vector is similar to that of other local malware.

By channeling attacks through the victim’s browser, the attacker often has the ability to take actions in the context of the victim’s session with the target web application. This allows the attacker to interact with the application under the victim’s privileges.

Many of the vulnerabilities exploited by the attacks outlined above need to be fixed by the developers of the web applications, which aren’t under the direct control of the victims. However browser users can take some mitigation measures.

Modern web browser are starting to include mechanisms for resisting attacks outlined above. For instance, Internet Explorer 8 includes anti-XSS, anti-CSRF and anti-clickjacking features. Google Chrome offers some protective capabilities of this manner as well. Users of Firefox can mitigate the risks of CSRF, XSS and other attack on web applications by using the NoScript extension.

Of course, such browser-based defenses aren’t without weaknesses; case point: the Abusing Internet Explorer 8’s XSS Filters paper by Eduardo Vela Nava and David Lindsay (PDF).

This note is part of a series that explores attacks that use the web browser. Other posts in this series are:

Updated

About the Author

Lenny is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more