Primer on Client-Side Web Security

Abstract

Have you ever wondered why all of a sudden, normal users start posting strange messages on social networks? Howwireless routers can be controlled remotely?Why eBayaccounts could be hijacked with a singleHTTPrequest? Orwhya newsWeb site suddenly shows a page from the Syrian ElectronicArmy?All of these incidents were possible due to attackers controlling some code within the victim’s browser, a result of the current state of practice inWeb security, which is less than stellar. As security researchers, we are concerned by the large gap between the state of practice and the currently available security technologies, which are often inspired by security research. In an effort to improve this situation, we have written this book, which gives a detailed view on the client-sideWeb security landscape.We explicitly focus on client-side security vulnerabilities, which are exploited from within a browser or explicitly target the browser, because they generally receive less attention compared to their server-side counterparts. In total, we cover 13 attacks, for which we give a detailed description, an overview of traditional mitigation techniques, and current state-of-the-art research. For each attack, wealso describe the current state of practice inWeb applications, and define the best practices to defend against these attacks in the modern age.