Browser Storage Data Access
Network Sniffing and Manipulation
Malicious scripts can monitor browser events, form input changes and user interaction. Such a script can observe, collect and report any data associated with the web page. Typically the captured data is exfiltrated to an unauthorized server or service over whatever network mechanisms the browser supports (fetch/XHR requests, form submissions, image beacons and the like). From payment details to personal information, everything the page handles is at risk of being stolen.
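The exfiltration step described above is where a Content Security Policy (CSP) gives a defender leverage: directives such as `connect-src`, `img-src` and `form-action` confine where a page may send data, so a skimming script that has already run still cannot report home. The following is an added example, not code from the original article or from any vendor it mentions. It is a deliberately simplified CSP evaluator (host and scheme sources only; no paths, nonces or hashes) run against a constructed policy and constructed destination URLs; the origins `shop.example`, `js.example-cdn.test` and `collector.attacker.test` are placeholders.

```javascript
// Added example: a minimal CSP evaluator showing how connect-src / img-src /
// form-action limit the destinations a page may contact. Policy and URLs below
// are constructed for the demonstration.

// Constructed policy for a hypothetical shop at https://shop.example
const POLICY =
  "default-src 'self'; script-src 'self' https://js.example-cdn.test; " +
  "connect-src 'self' https://api.shop.example; form-action 'self'; img-src 'self'";
const PAGE_ORIGIN = "https://shop.example";

// Parse a CSP header into a Map of directive name -> array of source expressions.
// Per the spec, only the first occurrence of a directive counts.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Fetch directives fall back to default-src when absent. form-action does NOT:
// if it is omitted, form submissions to any origin are allowed.
const FALLS_BACK_TO_DEFAULT = new Set(["connect-src", "img-src", "script-src"]);

function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && directives.has("default-src")) {
    return directives.get("default-src");
  }
  return null; // no applicable directive: unrestricted
}

// Does one source expression match the destination URL (a URL object)?
// Simplified: handles 'none', 'self', *, scheme-source and host-source
// (optionally scheme://, leading "*." wildcard, port). No path matching.
function sourceMatches(source, dest, pageOrigin) {
  const lower = source.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return dest.origin === pageOrigin;
  if (lower === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return dest.protocol === lower;
  const m = lower.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && dest.protocol !== scheme + ":") return false;
  const hostOk = wildcard ? dest.hostname.endsWith("." + host) : dest.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const destPort = dest.port || (dest.protocol === "https:" ? "443" : "80");
    if (destPort !== port) return false;
  }
  return true;
}

// Would the policy allow `directive` to reach `url` from a page at `pageOrigin`?
function isAllowed(policy, directive, url, pageOrigin = PAGE_ORIGIN) {
  const sources = effectiveSources(parsePolicy(policy), directive.toLowerCase());
  if (sources === null) return true;
  const dest = new URL(url);
  return sources.some((s) => sourceMatches(s, dest, pageOrigin));
}

// Constructed requests: one legitimate call, one allowed script load, and three
// channels a skimming script commonly uses to ship captured form data out.
const ATTEMPTS = [
  { directive: "connect-src", url: "https://api.shop.example/checkout", label: "legitimate API call" },
  { directive: "script-src", url: "https://js.example-cdn.test/lib.js", label: "allowed CDN script" },
  { directive: "connect-src", url: "https://collector.attacker.test/cards", label: "fetch() to unknown host" },
  { directive: "img-src", url: "https://collector.attacker.test/p.gif?d=x", label: "image beacon carrying data" },
  { directive: "form-action", url: "https://collector.attacker.test/submit", label: "rewritten form target" },
];

function evaluateAttempts(policy = POLICY) {
  return ATTEMPTS.map((a) => ({ ...a, allowed: isAllowed(policy, a.directive, a.url) }));
}

for (const r of evaluateAttempts()) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"}  ${r.directive.padEnd(11)} ${r.label}`);
}
```

The point worth checking in your own headers is the fallback rule encoded in `FALLS_BACK_TO_DEFAULT`: a policy that sets only `default-src 'self'` still blocks `fetch()` and image beacons to foreign hosts, but leaves `form-action` unrestricted, so a script that rewrites a checkout form's `action` attribute is not stopped unless `form-action` is listed explicitly.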
Real Life Threats and Stories
Watering Hole Attack
Example: In November 2018, the research team at cybersecurity company ESET published a note about a watering hole attack against 21 websites associated with organizations in Cambodia, including some high-traffic government agency sites. The attack was organized, ESET researchers concluded, by a shady group called OceanLotus. The attack was extremely sophisticated: it consisted of multiple steps to avoid detection, used multiple IP addresses per targeted user, and ran through several stages to verify that the user fit the desired criteria before attempting to push malware onto the user’s local environment. OceanLotus is believed to focus primarily on harvesting sensitive intelligence from government agencies, NGOs and human rights organizations, which implies the crew is sponsored by some sort of state actor interested in this information.
Session and Credential Hijacking
Fake Ads Injection and Malicious Redirects
Example: In April 2019, an attack against unpatched Google Chrome browsers running on iOS devices exposed roughly 500 million users to a session hijacking attack by the eGobbler gang, a well-known cybercriminal organization with a long history of mounting so-called “malvertising” attacks. In this case, as the Confiant team that discovered the exploit outlined, the exploit bypassed the core sandboxing feature in iOS apps that prevents attackers from installing malware. In this particular attack, the session hijack leveraged a compromised web page carrying adware. The user clicks on an ad that appears to belong to a well-known brand but is actually used to deliver a malware payload. After the payload is delivered, the user experiences unexpected pop-ups that cannot be closed. When the user clicks on the links in the pop-up, the eGobbler gang collects revenue from the clicks.
How To Protect Your Web App
First, let’s be honest. There is no silver bullet technology or service in existence today that protects against all these varieties of attack. There are piecemeal methods and solutions, but none of them is very effective on its own.
CSP and Policy Based Services
What’s the right approach?