Client-side attacks

Overview

In client-side attacks the attacker attempts to compromise the user’s own computer. This may allow the attacker to record the user’s login details and gain access to the user’s account.

What makes a site vulnerable?

The site itself is not directly vulnerable to client-side attacks; these attacks target the users’ computers and seek to gain control over them. This creates an indirect vulnerability on the part of the website: once an attacker controls a user’s computer, the attacker can record what the user types and thereby capture the login details for the site, along with any other information the user enters.

Impact of the attack

The attack can be used to capture login details leading to user account compromise. This can enable the attacker to learn private information about the user, use the user’s stored credit card details, etc.

Preventing the attack

It may be tempting to dismiss this as the user’s fault and something the user has to deal with. However, it is a real attack against the system in security terms, since the attacker may be able to increase his level of access to the system. To mitigate the attack, techniques can be used which may reduce the effectiveness of keystroke logging. For example, the user may be asked to click on letters on a randomised keypad rather than typing the password directly.
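The randomised keypad idea can be implemented server-side: the server generates a fresh, shuffled layout for each login attempt, the browser renders it and sends back the positions the user clicked, and the server translates those positions into the password using the layout it stored. The following is an added example, not code from the original page; the KeypadServer class, the CHARSET value and the in-memory challenge store are assumptions made for illustration, and simulate_clicks stands in for the browser.

```python
import secrets
import string
from dataclasses import dataclass

# Characters the keypad can enter (assumed for this example).
CHARSET = string.ascii_lowercase + string.digits


@dataclass
class KeypadChallenge:
    """One shuffled layout, issued for a single login attempt."""
    challenge_id: str
    layout: list  # index -> character; this is what the browser renders


class KeypadServer:
    """Issues randomised keypad layouts and decodes the positions clicked.

    Challenges are single-use so that a replayed sequence of positions cannot
    be resolved against an old layout, and they are stored server-side so the
    mapping is never derived from anything the client sends.
    """

    def __init__(self):
        self._challenges = {}  # hypothetical store; a real app would use the session

    def new_challenge(self):
        layout = list(CHARSET)
        # SystemRandom draws from the OS CSPRNG; random.shuffle would be predictable.
        secrets.SystemRandom().shuffle(layout)
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = KeypadChallenge(challenge_id, layout)
        return challenge_id, layout

    def decode(self, challenge_id, positions):
        # pop() makes the challenge single-use: a second submission fails.
        challenge = self._challenges.pop(challenge_id, None)
        if challenge is None:
            raise ValueError("unknown or already-used keypad challenge")
        chars = []
        for p in positions:
            # Reject anything that is not an in-range index (negative indices
            # would otherwise silently wrap around in Python).
            if not isinstance(p, int) or not 0 <= p < len(challenge.layout):
                raise ValueError("invalid keypad position")
            chars.append(challenge.layout[p])
        return "".join(chars)


def simulate_clicks(layout, secret):
    """Stand-in for the browser: the positions a user would click for `secret`."""
    return [layout.index(c) for c in secret]


if __name__ == "__main__":
    server = KeypadServer()
    cid, layout = server.new_challenge()
    clicks = simulate_clicks(layout, "s3cret")
    print("clicked positions:", clicks)
    print("decoded:", server.decode(cid, clicks))
```

The decoded string is then checked against the stored password hash exactly as a typed password would be. Because the layout changes on every attempt, the sequence of positions a keystroke logger might see (or that leaks in a request log) is meaningless without the matching server-side layout, which is discarded on first use.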