Beschreibung
This volume illustrates the continuous arms race between attackers and defenders of the Web ecosystem by discussing a wide variety of attacks. In the first part of the book, the foundation of the Web ecosystem is briefly recapped and discussed. Based on this model, the assets of the Web ecosystem are identified, and the set of capabilities an attacker may have are enumerated. In the second part, an overview of the web security vulnerability landscape is constructed. Included are selections of the most representative attack techniques reported in great detail. In addition to descriptions of the most common mitigation techniques, this primer also surveys the research and standardization activities related to each of the attack techniques, and gives insights into the prevalence of those very attacks. Moreover, the book provides practitioners a set of best practices to gradually improve the security of their web-enabled services. Primer on Client-Side Web Security expresses insights into the future of web application security. It points out the challenges of securing the Web platform, opportunities for future research, and trends toward improving Web security.
Autorenporträt
InhaltsangabeThe Relevance of Client-side Web Security.- The Web at a Glance.- Client-side Web Security.- Purpose of this Book.- Traditional Building Blocks of the Web.- Traditional Web Technology.- Loading Web Content.- Authentication and Authorization.- Cookies and Session Management.- Browser Security Policies.- Extending the Client-side Features.- Enhancing the User's Window on the Web.- The Browser as a Platform.- The Synergy between Browsers and Devices.- From Rendering Engine to Feature-rich Platform.- Client-side Storage.- Communication Mechanisms.- Mobile Features.- Registering Default Applications.- Transforming the Browser into an Operating System.- How Attackers Threaten the Web.- Threat Models in Literature.- Threat Models as Concrete Attacker Capabilities.- Conclusion.- Attacks on the Network.- Eavesdropping Attacks.- Man-in-the-Middle Attacks.- Protocol-level Attacks on HTTPS.- Attacks on the Browser's Requests.- Cross-Site Request Forgery.- UI Redressing.- Attacks on the User's Session.- Session Hijacking.- Session Fixation.- Authenticating with Stolen Credentials.- Attacks on the Client-Side Context.- Cross-Site Scripting.- Scriptless Injection Attacks.- Compromised Script Inclusions.- Attacks on the Client Device.- Drive-by Downloads.- Malicious Browser Extensions.- Improving Client-side Web Security.- Overview of Best Practices.- Secure Communication Channel.- Application-level Techniques.- Security Policies.- Research-driven Security Technology.- Conclusion.
