Preventing Client Attacks
Security against defeat implies defensive tactics; ability to defeat the enemy means taking the offensive.
—Sun Tzu in The Art of War
Attacking a web application directly is not the only option available to cyber criminals. They may also target other users of the system to steal their information, force them to make fraudulent requests, or install malware onto their systems. In this scenario, the web application is not the target of the attack but instead used as a conduit to facilitate attacks against other users. This is a challenging issue to combat because the battle is waged not only server-side within the application but also client-side within the web browser.
To combat these client attacks, the web application must be able to communicate with the web browser, for example by sending security-related HTTP response headers or by instrumenting the pages it serves. Many of the recipes in this chapter include reference material taken from the MITRE Common Attack Pattern Enumeration and Classification (CAPEC) project: http://capec.mitre.org/.
- OWASP AppSensor
- Suspicious Client-side Behavior
- OWASP ModSecurity Core Rule Set (CRS)
- mod_headers header
- REQUEST_HEADERS variable
- REQUEST_BODY variable
- @validateByteRange operator
- setvar action
- setenv action
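The following Apache/ModSecurity configuration shows how the pieces in the list above fit together in a client-attack recipe: `REQUEST_HEADERS` and `REQUEST_BODY` are inspected with the `@validateByteRange` operator, `setvar` records the result in a transaction variable (the same anomaly-scoring style the OWASP CRS uses), `setenv` exports a flag into the Apache environment, and a `mod_headers` `Header` directive conditionally adds a response header for the browser. This is an added illustration, not one of the book's recipes; the rule ids, the `tx.suspicious_client` / `tx.anomaly_score` variables, the `suspicious_client` environment variable and the `X-Suspicious-Client` header name are arbitrary placeholders.

```apache
# Added example (not from the original page). Rule ids, variable names
# and the response header name are arbitrary placeholders.

# Phase 1: inspect the User-Agent request header. A User-Agent containing
# bytes outside printable ASCII (32-126) is not something a real browser
# sends, so flag the client and raise its anomaly score instead of blocking.
SecRule REQUEST_HEADERS:User-Agent "!@validateByteRange 32-126" \
    "id:900010,phase:1,pass,log,\
    msg:'Non-printable bytes in User-Agent',\
    setvar:'tx.suspicious_client=1',\
    setvar:'tx.anomaly_score=+5',\
    setenv:'suspicious_client=1'"

# Phase 2: apply the same check to the request body. Tab, LF and CR are
# allowed in addition to printable ASCII. Body inspection requires
# SecRequestBodyAccess to be On.
SecRequestBodyAccess On
SecRule REQUEST_BODY "!@validateByteRange 9,10,13,32-126" \
    "id:900011,phase:2,pass,log,\
    msg:'Non-printable bytes in request body',\
    setvar:'tx.suspicious_client=1',\
    setvar:'tx.anomaly_score=+5',\
    setenv:'suspicious_client=1'"

# mod_headers: the setenv action above exported the flag into the Apache
# environment, so this header is added only to responses for flagged
# requests. 'always' makes it apply to error responses as well.
Header always set X-Suspicious-Client "1" env=suspicious_client
```

The `pass` action keeps the rules non-blocking so that the anomaly score, rather than any single rule, decides the final verdict; a separate rule at the end of the phase can deny the request once `tx.anomaly_score` crosses a threshold. Using `setenv` together with `mod_headers` is the bridge between ModSecurity's server-side decision and the browser: the header it emits is what client-side defences in later recipes can key on.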