Understanding OWASP Top 10 Client-Side Risks

Websites rely heavily on client-side code to deliver interactive user experiences. Unlike server-side code, which is protected within an organization’s infrastructure, client-side code runs in the user’s browser and is exposed to various risks such as data theft and JS injection.

Recognizing the unique challenges of securing client-side code, OWASP has created a dedicated Top 10 list for client-side security risks.

Similar to the OWASP Top 10 API Security risks, which address vulnerabilities specific to APIs, the OWASP Client-Side Top 10 focuses on threats that impact the client-side components of web applications.

This blog covers the critical client-side risks identified by OWASP and provides practical guidance on how to mitigate them.

What is Client-Side Security?

Client-side security refers to the measures taken to protect the client side of web applications—essentially, the code and data that run in the user’s browser. This includes HTML, CSS, JavaScript, and any other scripts that are executed on the client side.

The main goal of client-side security is to ensure that data processed on the client side is protected from unauthorized access and manipulation. This involves safeguarding user input, preventing malicious scripts, and securing client-side communication.

Additionally, it encompasses protecting against specific threats like Formjacking and supply chain attacks.

What are Client-Side Risks?

Client-side risks are security vulnerabilities that arise from the client-side components of a web application. These risks can lead to unauthorized access to sensitive data, session hijacking, data leakage, or the injection of malicious code.

Common client-side risks include Cross-Site Scripting (XSS), Magecart attack, insecure JavaScript libraries, data exposure through browser storage, and insufficient controls on third-party scripts.

Given that much of the user interaction happens on the client side, attackers often target client-side components to steal data, manipulate user sessions, or launch broader attacks.

Effective client-side security measures are essential to mitigate these risks and protect both the web application and its users.

OWASP Top 10 Client-Side Risks – Candidate List

1. Broken Client-Side Access Control
2. DOM-Based XSS
3. Sensitive Data Leakage
4. Vulnerable and Outdated Components
5. Lack of Third-Party Origin Control
6. JavaScript Drift
7. Sensitive Data Stored Client-Side
8. Client-Side Security Logging and Monitoring Failures
9. Not Using Standard Browser Security Controls
10. Including Proprietary Information on the Client-Side

Note: This is a candidate list and may be subject to change upon finalization.

1. Broken Client-Side Access Control

This risk occurs when there is inadequate control over JavaScript’s ability to access client-side resources, including data and code. Such insufficient controls can result in the theft of sensitive information or the malicious alteration of the Document Object Model (DOM), potentially granting unauthorized access to critical assets.

This issue mirrors the concerns highlighted in OWASP Top 10: A01-2021 – Broken Access Control, but specifically targets vulnerabilities within client-side environments.

Mitigation Strategies:

• Implement strict controls over which scripts can access certain resources.
• Use CSP to restrict the sources from which scripts can be loaded and executed.
• Review and update client-side code to ensure access controls are enforced consistently.

2. DOM-Based XSS

DOM-based Cross-Site Scripting (XSS) vulnerabilities occur when client-side scripts manipulate the DOM in a way that introduces executable code, leading to XSS attacks. This type of vulnerability is particularly dangerous because it often bypasses traditional server-side defenses.

Mitigation Strategies

• Sanitize and validate all inputs before using them in the DOM.
• Use secure JavaScript frameworks that automatically handle XSS vulnerabilities.
• Utilize a CSP to block the execution of unauthorized scripts.

3. Sensitive Data Leakage

This risk involves the inability to detect or prevent digital trackers and pixels across a web property, which can lead to the leakage of sensitive information. Failure to manage these trackers properly can result in non-compliance with national and international privacy laws.

Mitigation Strategies:

• Implement strict privacy controls and regularly audit digital trackers and pixels on your site.
• Use browser features like “Do Not Track” to ensure compliance with GDPR or CCPA regulations.
• Utilize tools to monitor data flows and block unauthorized data sharing.

4. Vulnerable and Outdated Components

This risk occurs when outdated or vulnerable JavaScript libraries are used on the client side. Similar to OWASP Top 10: A06-2021 – Vulnerable and Outdated Components, this risk highlights the need for regular updates and monitoring of client-side libraries.

Mitigation Strategies:

• Regularly update all third-party libraries and dependencies to their latest secure versions.
• Implement automated tools to detect and report on the usage of outdated or vulnerable components.

5. Lack of Third-Party Origin Control

This risk is related to the failure to control or restrict third-party scripts and resources based on their origin. Without proper origin control, there is an increased risk of supply chain attacks due to the inclusion of unknown or untrusted code that can access data within the site’s origin.

Pollyfill[.]io attack is a recent example of this where 100K websites were impacted.

Mitigation Strategies:

• Implement Subresource Integrity (SRI) to ensure that only trusted scripts and resources are loaded.
• Use Content Security Policies (CSP) to restrict the loading of resources from unauthorized domains.
• Regularly review and audit third-party scripts and dependencies.

6. JavaScript Drift

JavaScript Drift occurs when there is an inability to detect changes in JavaScript code or assets used on the client-side. This includes failing to monitor behavioral changes that could indicate malicious activity, especially in third-party libraries.

Mitigation Strategies:

• Use tools to monitor JavaScript changes and alert for any unauthorized modifications.
• Regularly audit JavaScript libraries and code for any changes or unexpected behavior.
• Establish baselines for normal JavaScript behavior and detect deviations promptly.

7. Sensitive Data Stored Client-Side

Storing sensitive data such as passwords, cryptographic secrets, API tokens, or personally identifiable information (PII) in client-side storage like LocalStorage or JavaScript variables poses a significant security risk.

Mitigation Strategies:

• Avoid storing sensitive data on the client side whenever possible.
• Use secure storage mechanisms like browser cookies with proper security flags (HttpOnly, Secure).
• Encrypt any sensitive data that needs to be stored on the client side.

8. Client-Side Security Logging and Monitoring Failures

This risk involves insufficient logging and monitoring of client-side events, especially failures and errors. Without proper monitoring, detecting client-side changes or unauthorized data access in real time is challenging.

This is similar to OWASP Top 10: A09-2021 – Security Logging and Monitoring Failures but focused on client-side activities.

Mitigation Strategies:

• Implement comprehensive logging for client-side events and monitor these logs for suspicious activities.
• Employ real-time monitoring tools to detect and alert any alterations on the client side.
• Ensure logging and monitoring mechanisms are tamper-proof and securely configured.

9. Not Using Standard Browser Security Controls

Failing to utilize built-in browser security features such as iframe sandboxes, security headers (like Content Security Policy), or subresource integrity increases the risk of attacks that exploit client-side vulnerabilities.

Mitigation Strategies:

• Configure security headers like CSP, X-Frame-Options, and X-Content-Type-Options.
• Use iframe sandboxing to limit the capabilities of iframes embedded in your application.
• Implement Subresource Integrity (SRI) to ensure the integrity of external resources.

10. Including Proprietary Information on the Client Side

This risk involves exposing sensitive business logic, proprietary algorithms, or developer comments within client-side code. Such exposure can provide valuable insights to attackers and aid in exploiting vulnerabilities.

Mitigation Strategies:

• Minimize the exposure of sensitive information by keeping critical logic on the server side.
• Remove or obfuscate developer comments and proprietary information from client-side code.
• Use code minification and obfuscation techniques to protect client-side code from reverse engineering.

AppTrana WAAP’s Client-side Protection

AppTrana WAAP provides comprehensive client-side protection, designed to secure websites against many of these OWASP Top 10 client-side threats. It effectively prevents data exfiltration and shields against JavaScript-based attacks by offering full visibility and control over third-party scripts.

The solution enables you to continuously monitor JavaScript activity, ensuring that only trusted and authorized scripts are executed while blocking any malicious code. AppTrana aligns with the latest security protocols, including PCI DSS v4.0, helping businesses comply with new requirements through features such as real-time monitoring, comprehensive inventorying, dynamic integrity verification, and customizable protection modes. This approach simplifies regulatory compliance and enhances the security of client-side environments.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.