Client-Side Vulnerabilities

Client-side vulnerabilities exploit weaknesses in how web browsers and client-side code handle user input and external data. Unlike server-side vulnerabilities that execute on the server, client-side attacks execute in the victim's browser, potentially compromising the user's session, data, and interactions with the web application. This lecture covers the most critical client-side vulnerabilities and their mitigations.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is one of the most prevalent and dangerous web vulnerabilities. XSS occurs when an attacker injects malicious scripts into web pages viewed by other users. These scripts execute in the victim's browser with the same privileges as the legitimate application code.

Why XSS is Dangerous

Impact of XSS:

1. Session Hijacking: Steal session cookies and impersonate users

2. Credential Theft: Capture keystrokes, form inputs, passwords

3. Phishing: Display fake login forms or modify page content

4. Malware Distribution: Redirect to malicious sites or download malware

5. Defacement: Modify website appearance

6. Data Exfiltration: Access and steal sensitive information

7. Account Takeover: Change passwords, email addresses

8. Propagation: Create self-replicating XSS worms (stored XSS)

9. Cryptocurrency Mining: Use victim's CPU for mining

10. Complete Application Control: Execute any action the user can perform

Types of XSS

XSS vulnerabilities are classified into three main types based on how the payload is delivered and executed.

1. Reflected XSS (Non-Persistent)

Definition: The malicious script is embedded in the HTTP request (typically URL or form data) and immediately reflected back in the response without proper sanitization.

Characteristics:

• Requires user interaction (clicking malicious link)

• Payload not stored on server

• Single request/response cycle

• Also called Type-I or Non-Persistent XSS

Reflected XSS Example

Vulnerable Application:

Normal Request:

Malicious Request:

Attack Scenario:

1. Attacker crafts malicious URL:

2. Attacker sends URL to victim via:

   • Email phishing

   • Social media

   • Malicious website

   • SMS/messaging apps

3. Victim clicks link

4. Script executes in victim's browser

5. Cookie sent to attacker's server

URL Encoding to Evade Detection:

Advanced Reflected XSS Payloads

Basic Alert:

Cookie Exfiltration:

Image Tag (No Script Tags):

SVG Payload:

Iframe Injection:

2. Stored XSS (Persistent)

Definition: The malicious script is permanently stored on the server (database, file, logs, etc.) and executed whenever users access the affected page.

Characteristics:

• Stored in application's database/storage

• Executes automatically when page loads

• No direct user interaction required

• Most dangerous type of XSS

• Also called Type-II or Persistent XSS

• Can create XSS worms

Stored XSS Example

Vulnerable Comment System:

Attack Scenario:

1. Attacker submits comment:

2. Comment stored in database

3. Every user viewing comments page executes the script

4. Attacker collects data from all victims

Stored XSS Attack Vectors

User Profiles:

Forum Posts:

File Uploads (SVG):

Contact Forms:

Self-Replicating XSS Worm

Samy Worm (MySpace 2005) - Concept:

3. DOM-Based XSS

Definition: The vulnerability exists in client-side JavaScript code that improperly handles user input, modifying the DOM without proper sanitization.

Characteristics:

• Payload never sent to server

• Executed entirely in browser

• Server-side filters ineffective

• Harder to detect with traditional tools

• Sources: URL fragments, postMessage, localStorage

DOM XSS Sources (Input Points)

URL-Based Sources:

• location.href

• location.hash (#fragment)

• location.search (?query)

• document.URL

• document.documentURI

• document.referrer

Other Sources:

• window.name

• postMessage data

• localStorage / sessionStorage

• IndexedDB

• WebSocket messages

DOM XSS Sinks (Dangerous Functions)

Code Execution:

• eval()

• Function()

• setTimeout() with string argument

• setInterval() with string argument

HTML Modification:

• element.innerHTML

• element.outerHTML

• document.write()

• document.writeln()

Attribute Modification:

• element.src

• element.href

• element.action

• element.formaction

• element.srcdoc

jQuery Sinks:

• $()

• .html()

• .append()

• .after()

DOM XSS Examples

Example 1: innerHTML

Attack:

Example 2: location.hash

Attack:

Example 3: jQuery

Attack:

Example 4: Attribute Sink

Attack:

Advanced DOM XSS

Template Literals:

Prototype Pollution Leading to DOM XSS:

Mutation XSS (mXSS)

Definition: XSS that exploits browser's HTML parser inconsistencies and mutation behavior, bypassing sanitization.

How It Works:

1. Input passes sanitization

2. Browser's parser mutates the HTML

3. Mutation creates valid XSS payload

Example:

Another Example:

Mitigation:

• Use DOMPurify with safe parsing mode

• Avoid innerHTML, use textContent

• Implement strict CSP

XSS Filter Bypasses

1. Bypassing WAF/Filters

Case Manipulation:

HTML Encoding:

JavaScript Encoding:

Hex Encoding:

Unicode Escapes:

2. Bypassing Sanitization

Incomplete Tag Removal:

If filter removes <script>:

Event Handler Obfuscation:

Alternative Tags:

Alternative Event Handlers:

3. Context-Specific Bypasses

Inside Attribute:

Breaking Out of JavaScript String:

Breaking Out of JavaScript Comment:

4. Polyglot Payloads

Work in multiple contexts:

Simpler polyglot:

XSS Exploitation Techniques

1. Cookie Theft

With Image:

2. Keylogger

3. Phishing

4. BeEF Hook

Browser Exploitation Framework:

Attacker gains:

• Browser information

• Plugin detection

• Network scanning

• Social engineering modules

• Persistent access

5. Cryptocurrency Mining

XSS Prevention and Mitigation

1. Input Validation

Whitelist Approach:

Sanitize HTML:

2. Output Encoding

HTML Context:

JavaScript Context:

URL Context:

3. Use Safe APIs

Safe:

Unsafe:

4. Content Security Policy (CSP)

5. HTTPOnly Cookies

6. Template Engines with Auto-Escaping

React (Auto-escapes):

Vue.js:

Angular:

7. Framework-Specific Protection

React - Dangerous innerHTML:

Vue.js - v-html:

Cross-Site Request Forgery (CSRF)

Definition: CSRF tricks authenticated users into executing unwanted actions on a web application where they're authenticated. The attack abuses the browser's automatic inclusion of authentication credentials (cookies) with cross-origin requests.

How CSRF Works

Prerequisites for CSRF:

1. Relevant Action: Privileged action or state-changing operation

2. Cookie-Based Authentication: Application relies solely on cookies

3. No Unpredictable Parameters: Attacker can determine all request parameters

Attack Flow:

1. Victim authenticates to vulnerable-bank.com

2. Browser stores session cookie

3. Victim visits attacker's site evil.com

4. Attacker's page makes request to vulnerable-bank.com

5. Browser automatically includes session cookie

6. Request executes with victim's privileges

CSRF Attack Examples

Example 1: GET Request

Vulnerable Endpoint:

Attack:

When victim loads attacker's page, image tag triggers request with victim's cookies.

Example 2: POST Request (Auto-Submit Form)

Vulnerable Endpoint:

Attack:

Example 3: XMLHttpRequest

Example 4: Change Email (Account Takeover)

After email changed, attacker requests password reset.

CSRF Defense Mechanisms

1. CSRF Tokens (Synchronizer Token Pattern)

Server-Side:

Client-Side:

AJAX Requests:

2. SameSite Cookies

SameSite Values:

• Strict: Never sent on cross-site requests

  ✅ Prevents all CSRF ❌ Breaks legitimate cross-site navigation

• Lax (Default in modern browsers):

  ✅ Sent on top-level GET navigation (clicking links) ❌ Not sent on POST, iframe, AJAX ✅ Good balance between security and usability

• None:

  ✅ Sent on all requests (requires Secure flag) ❌ No CSRF protection

3. Custom Headers

Server validates:

Why This Works: Simple requests can be sent cross-origin, but custom headers trigger CORS preflight, which attacker cannot pass without CORS headers.

4. Double-Submit Cookie Pattern

Server validates:

5. Referer/Origin Validation

Limitations:

• Users can disable Referer header

• Can be bypassed with open redirects

• Not recommended as sole defense

CSRF Bypass Techniques

1. Bypass SameSite=Lax

GET requests are allowed with SameSite=Lax:

Mitigation: Use POST for state-changing operations.

2. Token Leakage

If token appears in URL or Referer:

3. Token in Response

If token predictable or reusable:

Mitigation: Ensure CORS headers prevent cross-origin token reading.

4. Subdomain Takeover

If attacker controls subdomain:

Mitigation: Don't use domain-wide cookies for CSRF tokens.

Clickjacking

Definition: Clickjacking tricks users into clicking on something different from what they perceive, potentially causing them to perform unintended actions.

How Clickjacking Works

Attacker overlays invisible iframe over deceptive content:

User thinks they're clicking "Click for FREE iPHONE!" but actually clicking "Delete Account" button in invisible iframe.

Clickjacking Attack Scenarios

1. Like/Follow Jacking:

2. Credential Theft:

3. Webcam/Microphone Permission:

4. Drag-and-Drop:

Clickjacking Defenses

1. X-Frame-Options Header:

Cannot be embedded in any frame.

Can only be framed by same origin.

2. CSP frame-ancestors:

Modern replacement for X-Frame-Options.

Only same origin can frame.

Specific origin can frame.

3. Frame-Busting JavaScript (Unreliable):

Bypass:

Other Client-Side Vulnerabilities

DOM Clobbering

Definition: Exploiting browser's behavior of creating global variables for HTML elements with id or name attributes.

Example:

Mitigation:

• Use const/let for variables

• Don't rely on global scope

• Validate types: if (typeof config === 'object')

Prototype Pollution

Definition: Modifying JavaScript object prototypes, affecting all objects.

Example:

Client-Side Impact:

• XSS via polluted properties

• Authentication bypass

• Security control bypass

Mitigation:

WebSocket Vulnerabilities

Missing Origin Validation:

Attack:

Mitigation:

postMessage Vulnerabilities

Insecure Receiver:

Attack:

Secure Implementation:

Key Takeaways

• XSS remains one of the most critical web vulnerabilities

• Three main types: Reflected, Stored, and DOM-based

• Always encode output based on context

• Use CSP and HTTPOnly cookies as defense-in-depth

• CSRF requires both prevention mechanisms and secure coding

• SameSite cookies provide strong CSRF protection

• Clickjacking needs frame-ancestors CSP or X-Frame-Options

• Modern JavaScript introduces new attack vectors (Prototype Pollution, DOM Clobbering)

• WebSockets and postMessage require explicit origin validation

• Defense requires multiple layers of protection

Resources

XSS

• OWASP XSS Guide: https://owasp.org/www-community/attacks/xss/

• PortSwigger XSS: https://portswigger.net/web-security/cross-site-scripting

• XSS Filter Evasion: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html

• DOMPurify: https://github.com/cure53/DOMPurify

• Google XSS Game: https://xss-game.appspot.com/

CSRF

• OWASP CSRF: https://owasp.org/www-community/attacks/csrf

• PortSwigger CSRF: https://portswigger.net/web-security/csrf

• SameSite Cookies: https://web.dev/samesite-cookies-explained/

Clickjacking

• OWASP Clickjacking: https://owasp.org/www-community/attacks/Clickjacking

• PortSwigger Clickjacking: https://portswigger.net/web-security/clickjacking

Advanced Topics

• Prototype Pollution: https://portswigger.net/web-security/prototype-pollution

• DOM Clobbering: https://portswigger.net/web-security/dom-based/dom-clobbering

• PostMessage Security: https://portswigger.net/research/stealing-user-info-with-postmessage

Tools

• Burp Suite: XSS and CSRF testing

• OWASP ZAP: Automated scanning

• XSStrike: Advanced XSS detection

• CSP Evaluator: https://csp-evaluator.withgoogle.com/

• BeEF: Browser Exploitation Framework