Chapter 10

Preventing Client Attacks

Security against defeat implies defensive tactics; ability to defeat the enemy means taking the offensive.

—Sun Tzu in The Art of War

Attacking a web application directly is not the only option available to cyber criminals. They may also target other users of the system to steal their information, force them to make fraudulent requests, or install malware onto their systems. In this scenario, the web application is not the target of the attack but is instead used as a conduit to facilitate attacks against other users. This is a challenging issue to combat because the battle is waged not only server-side within the application but also client-side within the web browser.

To combat these various client attacks, web applications must be able to interact and communicate with web browsers. Many of the recipes in this chapter include reference material taken from the Mitre Common Attack Pattern Enumeration and Classification (CAPEC) project: http://capec.mitre.org/.

Recipe 10-1: Implementing Content Security Policy (CSP)
This recipe shows you how to use ModSecurity to set a CSP for clients and monitor for policy violation reports.
Ingredients
  • OWASP AppSensor
    • Suspicious Client-side Behavior
  • OWASP ModSecurity Core Rule Set (CRS)
    • modsecurity_crs_10_setup.conf
    • modsecurity_crs_42_csp_enforcement.conf
  • Apache
    • mod_headers Header directive
  • ModSecurity
    • REQUEST_HEADERS variable
    • REQUEST_BODY variable
    • @validateByteRange operator
    • setvar action
    • setenv action
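The following Apache/ModSecurity configuration is an added example showing how the ingredients listed above fit together; it is not the book's own recipe code nor a copy of the CRS file named above. It uses the mod_headers Header directive to set the policy and a handful of ModSecurity rules to accept and inspect the violation reports that browsers POST back. The report path /csp-report, the rule ids 900900 to 900903, and the policy contents are assumptions chosen for this example.

```apache
# Added example (not from the book or the CRS). Assumed values: report-uri path
# /csp-report, rule ids 900900-900903, and the sample policy below.

<IfModule mod_headers.c>
    # Start in report-only mode so legitimate resources are never blocked while the
    # policy is tuned; rename the header to Content-Security-Policy once reports are clean.
    Header always set Content-Security-Policy-Report-Only \
        "default-src 'self'; script-src 'self'; object-src 'none'; report-uri /csp-report"
</IfModule>

# Reports arrive in the request body, so ModSecurity must be allowed to read it.
SecRequestBodyAccess On

# Browsers send reports as Content-Type application/csp-report. ModSecurity has no
# body processor for that type, so force the raw body into REQUEST_BODY in phase 1
# and remember that this transaction is a report.
SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/csp-report" \
    "id:900900,phase:1,pass,nolog,t:none,t:lowercase,\
    ctl:forceRequestBodyVariable=On,setvar:tx.csp_report=1"

# A report that is not sent to the report-uri path is not a report: clear the flag.
SecRule TX:CSP_REPORT "@eq 1" \
    "id:900901,phase:2,pass,nolog,t:none,chain"
    SecRule REQUEST_URI "!@streq /csp-report" "t:none,setvar:tx.csp_report=0"

# A genuine report is printable JSON (tab, LF, CR and bytes 32-126). @validateByteRange
# matches when any byte falls OUTSIDE the listed ranges, so a match here means the
# reporting endpoint is being fed junk; reject it and log only the metadata, not the body.
SecRule TX:CSP_REPORT "@eq 1" \
    "id:900902,phase:2,deny,status:403,log,t:none,\
    msg:'Non-printable data in CSP violation report',chain"
    SecRule REQUEST_BODY "@validateByteRange 9,10,13,32-126" "t:none"

# Accepted report: write it to the ModSecurity audit log and expose an environment
# variable so Apache logging (CustomLog ... env=csp_report) can route it separately.
SecRule TX:CSP_REPORT "@eq 1" \
    "id:900903,phase:2,pass,log,auditlog,t:none,\
    msg:'CSP violation report received',logdata:'%{REQUEST_BODY}',\
    setenv:csp_report=1"
```

Two points worth noting when adapting this: the setvar that clears the flag sits in the last rule of its chain because non-disruptive actions in a chain starter execute as soon as that first rule matches, not when the whole chain does; and the byte-range rule deliberately refuses to echo the body into the log, since the reporting endpoint is reachable by any client and its contents are untrusted input.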
