Types of Web-Based Client-Side Attacks
by Christian Seifert - Tuesday, 9 September 2008.
The last attack presented that impacts confidentiality is a social engineering attack called phishing. Social engineering attacks aim at exploiting of the natural human tendency to trust. In a phishing attack, the trust in a web site is abused to fraudulently acquire personal confidential data, such as credentials and bank account information (KYE - Phishing). These web-based client-side attacks present the user with a fraudulent web site, often promoted via SPAM Email, which appear to be from a trusted entity, such as a bank. The web site, however, is, in fact, in the control of the attacker and once the user provides personal information to the web site, the attacker will have obtained this confidential information.

Availability impact

Next, I look at attacks that impact availability. These attacks are concerned with partially or fully consuming the client resources, which reduces or leads to a complete failure of a service the client normally performs. The attacks reviewed are simple crashes, popup floods, browser hijacking, network floods, Web SPAM/junk pages and web pages that commit click fraud.

A denial-of-service is an attack that results in partial or complete consumption of resources that negatively impact a service. In the setting of a web-based client-side attack, a web page could cause the lock-up or crash of the browser or even the operating system or one if its components. Many browser vulnerabilities exist that permit a malicious web server to launch an availability impacting attack.

While the lock-ups and crashes often occur without malicious intent, there are several availability impacting attacks for which malicious intent undoubtedly exist. Pop-up floods are used in advertisement attacks (New Ad Attacks). These attacks lead to the display of many unsolicited pop-up windows. While these pop-ups load, network and computing resources are consumed, significantly reducing the availability of the client. This could even lead to browser hijacking, in which the page cannot be left and/or pop-up cannot be closed.

Since web browsers are capable to load resources from remote network locations, for instance images, a malicious web page could conceptually lead to flooding the network with traffic if a browser doesn’t manage its resources carefully. For instance, a web page that contains a million images from different domains could generate a million DNS requests, potentially overwhelming the local DNS server. A web page that contains large data chunks could potentially clog the network. If browsers are pooled to perform flooding of a network , they are referred to as Puppetnets (see Lam's paper on Puppetnets).

Web SPAM/ junk pages are specific malicious web pages that abuse search engine functionality. A search engine is tasked with providing the user with relevant web pages for a given user queries. Web spam/ junk pages abuse the algorithm of the search engine to lead to a high ranking despite the fact that the content of the web pages are not relevant to the user. As such, these pages abuse the client's resources by displaying non-relevant content. On top of that, these and other pages might be involved in click fraud scams in which a malicious web page could fraudulently simulate clicking of advertisements by the user.

Integrity impact

Next, attacks that impact integrity. In the context of web-based client-side attacks, a loss of integrity usually translates into the ability of an attacker to execute arbitrary code on the client machine. Cross site/domain/zone scripting, drive-by-pharming, hosting of malware, and drive-by-download attacks are described.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th