"Client-Heavy" Web Apps and Implications for Security

February 25th, 2019

Modern web applications and websites behave very differently from those of just a few years ago. I want to highlight the two most important shifts in how the web works, both of which carry significant implications for security.

Change 1: Execution moves to the Client

Modern web apps have become very “client-heavy” when it comes to code execution. Prior generations of web applications performed code execution and data storage on the server and sent HTML to the client for rendering. Back then, our client devices were not powerful and acted as simple display screens for the web.

Today’s web applications perform a significant amount of code execution on the client via JavaScript. This is because modern web applications want to provide a native, desktop-like experience in the browser – so that a web app is as interactive and functionally rich as a desktop app. Modern web apps even store a lot of information directly on the client (e.g., AppCache, IndexedDB) – this gives apps “offline” capabilities, so that your mail, document-editing or navigation web apps keep working even when you are not connected to the network.

What does this mean for security? First, when you think about protecting your web app, you had better know what is being executed on the client. Second, your web app is storing potentially confidential app data on the client. Network- or server-based security products have no idea what is getting executed on your client.

Change 2: Explosion in Third Party Integrations

Today’s websites integrate dozens of third-party service providers, all the way from user analytics to marketing tags, CDNs, third-party JavaScript libraries and so on. When your web user types www.mywebsite.com into their browser, they are not only visiting your server, but a dozen others. Type www.cnn.com, for example, and your PC or mobile is pulling scripts, images etc. from dozens and dozens of other servers that don't belong to CNN. All those third-party servers have the ability to execute code on your user’s device, collect user data from that device and so on. This is how many of the recent cryptojacking attacks have transpired: a compromised server was serving cryptomining code to users. Even the recent breach of user data on the Delta, Sears and Best Buy sites was due to a compromised chat agent.

What does this mean for security? If any of those third-party servers is compromised, your user is compromised – so web app owners need to understand and restrict what actions third parties are able to perform on their users' devices.
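As an added illustration (not code from this post or from Tala), here is a small audit that takes a page's HTML, inventories the third-party hosts it loads scripts from, flags those without a Subresource Integrity hash, and drafts a Content Security Policy `script-src` allow-list. SRI and CSP are the restriction mechanisms assumed here (the post names neither), and the sample markup and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page for www.mywebsite.com (not any real site's markup).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//tags.example-analytics.com/tag.js" async></script>
<script src="https://chat.example-vendor.com/widget.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""

class ScriptCollector(HTMLParser):
    """Record every <script src> the page loads and whether it carries SRI."""
    def __init__(self):
        super().__init__()
        self.scripts = []   # (src, has_integrity_attr)
        self.inline = 0     # inline <script> blocks, which SRI cannot cover

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))
        else:
            self.inline += 1

def audit(html, first_party_host):
    """Return third-party script hosts, those without SRI, and a draft CSP."""
    parser = ScriptCollector()
    parser.feed(html)
    sri_ok = {}   # host -> True only if every script from that host has integrity
    for src, has_sri in parser.scripts:
        host = urlsplit(src).netloc.lower()   # '' for relative (first-party) URLs
        if not host or host == first_party_host:
            continue
        sri_ok[host] = sri_ok.get(host, True) and has_sri
    hosts = sorted(sri_ok)
    return {
        "third_party": hosts,
        "missing_sri": [h for h in hosts if not sri_ok[h]],
        "inline_scripts": parser.inline,
        # Allow-list only what the inventory found; any other origin is blocked.
        "csp": "script-src 'self' " + " ".join(hosts),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTML, "www.mywebsite.com").items():
        print(f"{key}: {value}")
```

SRI only pins static scripts whose content you control the hash of; analytics and chat tags that change on the vendor's side cannot be pinned, so for those the CSP allow-list is the control that remains, and it should be served as a header rather than left as a draft string.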

Drop me a note and let me know if you want to know how Tala can help you defend your web apps and users against advanced attacks.