Why are clients so weak?
Client-focused attacks span several categories in both the 2013 and 2017 editions of the OWASP Top 10. Client-side attacks using DOM-based Cross-Site Scripting (XSS) are a powerful method of leveraging weaknesses in validation to embed scripts into web responses and insert code into clients. Client-focused, DOM-based XSS can deliver code to clients to effect compromises made on web applications, but there is a variety of vulnerabilities that hackers will exploit to reach and impact clients, such as unvalidated redirects and forwards, WebSocket attacks, or clickjacking. A third category in both the 2013 and 2017 versions of the OWASP Top 10 is vulnerability to Cross-Site Request Forgery (CSRF), which leverages victim clients as a pivot and takes advantage of their authenticated status to compromise other sites.
There are other attacks that bleed over into other areas within the OWASP Top 10 and have been covered in earlier efforts, but we'll revisit some of them...