Page 581 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Client-Based Systems


Client-based vulnerabilities place the user, their data, and their system at risk of compromise and destruction. A client-side attack is any attack that harms the client rather than the server it communicates with. Generally, when attacks are discussed, it is assumed that the primary target is a server or a server-side component. A client-side or client-focused attack is one where the client itself, or a process running on the client, is the target. A common example of a client-side attack is a malicious website that transfers malicious mobile code (such as an applet) to a vulnerable browser running on the client. Client-side attacks can occur over any communications protocol, not just Hypertext Transfer Protocol (HTTP). Another client-based vulnerability is the poisoning of local caches, such as the browser cache, the DNS resolver cache, or the ARP cache, so that the client later acts on attacker-supplied data without ever contacting the legitimate source.


               Applets


Recall that agents are code objects sent from a user's system to query and process data stored on remote systems. Applets perform the opposite function; these code objects are sent from a server to a client to perform some action. In fact, applets are self-contained miniature programs that execute independently of the server that sent them. The arena of the World Wide Web is undergoing constant flux. The use of applets is not as common today as it was in the early 2010s. However, applets are not absent from the Web; although current mainstream browsers have dropped plug-in support for Java applets, older browsers and legacy plug-ins can still run them. Thus, even when your organization does not use applets in its internal or public web design, your web browsers could encounter them while surfing the public Web.

Imagine a web server that offers a variety of financial tools to web users. One of these tools might be a mortgage calculator that processes a user's financial information and provides a monthly mortgage payment based on the loan's principal and term and the borrower's credit information. Instead of processing this data and returning the results to the client system, the remote web server might send to the local system an applet that enables it to perform those calculations
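As an added example (not code from the study guide), here is the kind of self-contained calculation the hypothetical mortgage applet above would run on the client, written in JavaScript, which is how browsers deliver mobile code today. The function names, the parameter units, and the $200,000 at 6 % for 30 years sample inputs are this example's own constructions. Because the code executes on the client, independently of the server that sent it, every input it sees comes from an untrusted environment, so the example validates its inputs and handles the zero-interest edge case that the general amortization formula cannot.

```javascript
// Added example, not from the study guide: the client-side computation the
// text's hypothetical mortgage applet would perform, as modern mobile code
// (JavaScript) rather than a Java applet. Names and sample values are assumed.

/**
 * Monthly payment for a fully amortizing fixed-rate loan.
 *   principal  - loan amount in currency units
 *   annualRate - yearly interest rate as a decimal (0.06 means 6 %)
 *   termMonths - number of monthly payments
 * Returns the payment rounded to cents.
 */
function monthlyPayment(principal, annualRate, termMonths) {
  // This code runs on the client, so its inputs (form fields, URL parameters)
  // are attacker-controllable. Reject non-finite or nonsensical values instead
  // of letting NaN or Infinity flow into a displayed or submitted result.
  if (![principal, annualRate, termMonths].every(Number.isFinite)) {
    throw new RangeError("all inputs must be finite numbers");
  }
  if (principal <= 0 || annualRate < 0 ||
      termMonths <= 0 || !Number.isInteger(termMonths)) {
    throw new RangeError("principal and term must be positive, rate non-negative");
  }

  const r = annualRate / 12; // periodic (monthly) interest rate

  // Edge case: a zero-interest loan is a straight division. The general
  // formula below would divide by zero because (1 + r)^n - 1 == 0.
  if (r === 0) {
    return roundCents(principal / termMonths);
  }

  // Standard amortization formula: P * r(1+r)^n / ((1+r)^n - 1)
  const growth = Math.pow(1 + r, termMonths);
  return roundCents(principal * (r * growth) / (growth - 1));
}

// Round to two decimal places (cents) for display.
function roundCents(x) {
  return Math.round(x * 100) / 100;
}

// Total interest paid over the life of the loan, derived from the payment.
function totalInterest(principal, annualRate, termMonths) {
  const paid = monthlyPayment(principal, annualRate, termMonths) * termMonths;
  return roundCents(paid - principal);
}

// Stand-alone usage with constructed inputs: $200,000 at 6 % over 30 years.
console.log("monthly payment:", monthlyPayment(200000, 0.06, 360)); // 1199.1
console.log("total interest :", totalInterest(200000, 0.06, 360));
console.log("zero-rate loan :", monthlyPayment(12000, 0, 12));       // 1000
```

The server that sent the code never observes this execution; anything the server later relies on (an approved payment amount, for instance) must be recomputed or validated server-side rather than read back from the client.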