Chapter 16. Client-Side Attacks

In the premodern world of application security (Web 1.0), it was assumed that the client (aka browser) component of a web application was not a common attack vector for hackers. As a result, companies assumed the majority of the application’s risk surface area was on the back-end (server side) and invested very little in ensuring that their browser clients were secure.

As Web 2.0 rolled around, more and more functionality that was previously found only on the server would be pushed to the client. Complex computing operations would be rewritten from backend Java or C, into client-side JavaScript. Backend data stores would be replaced with local storage, session storage, or IndexedDB.

Asynchronous JavaScript and XML (AJAX)–type network queries would allow for the development of client-side applications that maintain, update, and store state. Client-side improvements to the JavaScript programming language and browser DOM would allow complex component life cycles with updates, renders, re-renders, deletes, and so on—similar to those of a desktop application.

All in all, the overall architecture of a web application would change from a model in which the server was responsible for all computing operations and the client was only a rendering (view) layer, to a model in which both the server and client were responsible for a variety of complex computing tasks.

The modern web reflects this change: all of the largest websites in the world make use of both ...