Client-Side Security


Client-Side Security vulnerabilities at a glance

What it is: Vulnerabilities in web applications that allow attackers to execute malicious actions in users' browsers, including script injection, request forgery, UI manipulation, and cross-origin policy bypasses.
Why it happens: Client-side vulnerabilities typically arise from improper handling of untrusted input, insufficient enforcement of security controls in the browser, and overly permissive configurations that expose sensitive functionality or data.
How to fix: Make sure you have proper input sanitization and output encoding, enforce CSRF protections, apply a strict Content Security Policy, and configure CORS with the principle of least privilege.

Overview

Client-side security vulnerabilities exploit the trust relationship between users and web applications. These attacks execute in the victim's browser context, allowing attackers to steal sensitive data, perform unauthorized actions, manipulate the user interface, or bypass security boundaries.

Modern web applications must defend against several types of client-side vulnerabilities, such as Cross-Site Scripting (XSS), Clickjacking, Open Redirects, and CORS misconfigurations. Proper client-side security requires input sanitization, output encoding, security headers, and strict origin policies.

```mermaid
sequenceDiagram
    participant Attacker
    participant Victim
    participant App as Web Application
    Attacker->>App: POST /comment (content: <script>steal()</script>)
    App->>App: Store without sanitization
    Victim->>App: GET /view-comments
    App-->>Victim: HTML with unsanitized script
    Victim->>Victim: Browser executes malicious script
    Victim->>Attacker: Stolen session data
    Note over App: Missing: Output encoding<br/>Missing: Content Security Policy
```
A potential flow for a Client-Side Security exploit

Where it occurs

Client-side vulnerabilities occur in browser-executed code that mishandles untrusted input, lacks CSRF protections, or allows unsafe framing and redirects.

Impact

Client-side vulnerabilities can lead to session hijacking and account takeover, credential theft through keylogging or form manipulation, and unauthorized actions performed on behalf of users.

Prevention

Sanitize and encode user input appropriately, enforce a strict Content Security Policy, and use anti-CSRF tokens for all state-changing actions.
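The comment flow from the diagram above rendered both ways, together with the headers and the anti-CSRF token check this section asks for, as an added example that is not Sourcery's code; the sample payload and the allowlisted origin `https://app.example` are constructed for the example.

```javascript
// Constructed sample: the payload the attacker POSTs in the sequence diagram above.
const storedComment = '<script>steal()</script>';

// Vulnerable rendering: the stored string is concatenated into HTML unchanged,
// so the victim's browser parses and executes it.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Output encoding: neutralise the characters that can break out of HTML text
// or attribute context so the browser treats the comment as data, not markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Strict Content Security Policy: no inline scripts, scripts only from our own
// origin, and no framing by other sites (covers the clickjacking case too).
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// CORS with least privilege: answer only origins on an explicit allowlist,
// never '*' and never an echo of whatever Origin the request carried.
const allowedOrigins = new Set(['https://app.example']); // constructed allowlist
function corsHeadersFor(origin) {
  if (!allowedOrigins.has(origin)) return {}; // no ACAO header: browser blocks the cross-origin read
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

// Anti-CSRF token check for state-changing requests: compare the submitted token
// with the one bound to the session, scanning every character so timing does not
// reveal where the first mismatch sits.
function csrfTokenValid(sessionToken, submittedToken) {
  if (typeof submittedToken !== 'string' || submittedToken.length !== sessionToken.length) return false;
  let diff = 0;
  for (let i = 0; i < sessionToken.length; i++) {
    diff |= sessionToken.charCodeAt(i) ^ submittedToken.charCodeAt(i);
  }
  return diff === 0;
}
```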

Sourcery automatically identifies client-side security and related vulnerabilities in your codebase.