Chapter 10

Preventing Client Attacks

Security against defeat implies defensive tactics; ability to defeat the enemy means taking the offensive.

—Sun Tzu in The Art of War

Attacking a web application directly is not the only option available to cyber criminals. They may also target other users of the system to steal their information, force them to make fraudulent requests, or install malware onto their systems. In this scenario, the web application is not the target of the attack but instead used as a conduit to facilitate attacks against other users. This is a challenging issue to combat because the battle is waged not only server-side within the application but also client-side within the web browser.

To combat these various client attacks, web applications must be able to interact and communicate with web browsers. Many of the recipes in this chapter include reference material taken from the Mitre Common Attack Pattern Enumeration and Classification (CAPEC) project: http://capec.mitre.org/.

Recipe 10-1: Implementing Content Security Policy (CSP)
This recipe shows you how to use ModSecurity to set a CSP for clients and monitor for policy violation reports.
Ingredients
  • OWASP AppSensor
    • Suspicious Client-side Behavior
  • OWASP ModSecurity Core Rule Set (CRS)
    • modsecurity_crs_10_setup.conf
    • modsecurity_crs_42_csp_enforcement.conf
  • Apache
    • mod_headers Header directive
  • ModSecurity
    • REQUEST_HEADERS variable
    • REQUEST_BODY variable
    • @validateByteRange operator
    • setvar action
    • setenv action
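The ingredients above combine into an Apache/ModSecurity configuration that sets the policy header and then inspects the violation reports browsers send back. The fragment below is an added example, not the book's own recipe or the CRS file it names; the /csp-report endpoint, the rule ids in the 900100 range, the one-hour expiry and the exact policy string are assumptions, and it presumes the CRS setup file has already initialised the ip collection with initcol.

```apache
# Added example (not the book's recipe). Assumes mod_headers and ModSecurity
# are loaded and that the CRS setup file has run initcol:ip=%{REMOTE_ADDR}.

# 1. Attach the policy to every response. report-uri tells the browser where
#    to POST violation reports (JSON, Content-Type application/csp-report).
Header always set Content-Security-Policy \
    "default-src 'self'; script-src 'self'; object-src 'none'; report-uri /csp-report"

# 2. ModSecurity can only inspect reports if it is allowed to read bodies.
SecRequestBodyAccess On

<Location /csp-report>
    # Flag report submissions (assumed endpoint) and force the body into the
    # REQUEST_BODY variable, since application/csp-report is not a form type.
    SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/csp-report" \
        "id:900100,phase:1,pass,nolog,t:none,t:lowercase,\
        setvar:tx.csp_report=1,ctl:forceRequestBodyVariable=On"

    # A CSP report is JSON text: reject bodies carrying anything other than
    # tab, CR, LF and printable ASCII before the content is logged anywhere.
    SecRule TX:csp_report "@eq 1" "id:900101,phase:2,deny,status:400,log,\
        msg:'Non-printable bytes in CSP violation report',chain"
        SecRule REQUEST_BODY "!@validateByteRange 9,10,13,32-126" "t:none"

    # Log the report, count violations per client IP (AppSensor: suspicious
    # client-side behavior) and expose the event to the application via an
    # environment variable. The 3600 s expiry window is an assumption.
    SecRule TX:csp_report "@eq 1" "id:900102,phase:2,pass,log,\
        msg:'CSP violation report received',logdata:'%{REQUEST_BODY}',\
        setvar:ip.csp_violations=+1,expirevar:ip.csp_violations=3600,\
        setenv:csp_violation=1,chain"
        SecRule REQUEST_BODY "@contains violated-directive" "t:none"
</Location>
```

The per-IP counter is what a follow-up rule would test against a threshold; without a rule that reads ip.csp_violations, the fragment only records and logs.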
