System and method for threat detection and identification
US-11082435-B1 · Aug 3, 2021 · US
US11425151B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11425151-B2 |
| Application number | US-202016985737-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 5, 2020 |
| Priority date | Aug 5, 2020 |
| Publication date | Aug 23, 2022 |
| Grant date | Aug 23, 2022 |
Abstract
Client-side attack detection via simulation for detecting and mitigating cross-site script code client-side attacks is disclosed. A system can receive, through a network interface from a web server, a first response having a first payload that includes an action based on a request to the web server and a second response having a corresponding payload that is received concurrently with the first response on a signal path from the web server that is different from that of the first response. The system can invoke the action from the first payload and detect malicious activity in the invoked action. The system can verify the detecting of the malicious activity and issue a message indicating a security incident relating to the malicious activity. The system can either allow or restrict passage of the second response to a network based on a mode of the system when the malicious activity is verified.
Claims (preview)

What is claimed is:

1. A method, comprising: receiving, at a simulation engine of a network device through a first application programming interface from a network, a request directed to a web server for invoking at least one of a plurality of actions at a client device; receiving, at the simulation engine through a second application programming interface from the web server, a first response comprising a first payload that includes the one of the plurality of actions based on the request; receiving, at the simulation engine through the second application programming interface from the web server, a second response concurrently with the first response on a signal path from the web server to the simulation engine that is different from that of the first response, the second response comprising a second payload that corresponds to the first payload; invoking, at the simulation engine, the one of the plurality of actions from the first payload; detecting, at a detection engine of the network device, malicious activity in the one of the plurality of actions; receiving, at the simulation engine from a validation engine of the network device, a validation input indicating that the detecting of the malicious activity is verified; and issuing, by the validation engine to a remediation engine of the network device, a message indicating a security incident relating to the malicious activity, wherein the second response is bypassed to or restricted passage to the network based on a mode of the simulation engine when the detecting is verified.

2. The method of claim 1, wherein the message comprises an indication of the first payload included in the first response, information indicating an attack vector and a source associated with the request, or an indication of an endpoint for remediation that is vulnerable to an attack by the one of the plurality of actions.

3. The method of claim 1, further comprising: selecting at least one of a plurality of prediction engines; and training the at least one of the plurality of prediction engines with a training dataset to generate the detection engine.

4. The method of claim 1, further comprising: verifying, using the validation engine, the malicious activity in the one of the plurality of actions based at least in part on a set of criteria to reduce a rate of false positive detections.

5. The method of claim 4, further comprising: selecting at least one of a plurality of prediction engines; and training the at least one of the plurality of prediction engines with a training dataset to generate the validation engine.

6. The method of claim 1, wherein the invoking the one of the plurality of actions comprises invoking, at the simulator engine, at least one of a plurality of cross-site scripts.

7. The method of claim 1, wherein: the second response is bypassed from the web server to the network through the simulation engine when the simulation engine is set to a detection mode, and the second response is restricted passage from the web server to the network by the simulation engine when the simulation engine is set to a block mode.

8. The method of claim 7, further comprising: applying, using the simulation engine in the block mode, a blocking operation on the second response to restrict passage of the second response from the web server to the network based on detection of the malicious activity in the first response.

9. The method of claim 1, further comprising: comparing the first response to the request or a predetermined response associated with the request using a set of predefined rules; and detecting one or more parameters in the first response that deviate from the request or the predetermined response based on the comparing with the set of predefined rules, wherein the issuing the message comprises: issuing the message indicating the security incident based on the detecting of the one or more parameters in the first response that deviate from the request or the predetermined response.

10. The method of claim 1, wherein the invoking the one of the plurality of actions comprises: selecting at least one of a plurality of virtual machines of the simulation engine; and invoking, using the at least one of the plurality of virtual machines, the one of the plurality of actions.

11. The method of claim 1, further comprising: determining, using the detection engine, an offset between a time at which the first response is actually received at the simulation engine and a predetermined time at which the first response is expected to be received at the simulation engine, wherein the detecting the malicious activity comprises determining that the offset corresponds to the malicious activity.

12. A system comprising: a non-transitory memory; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising: receiving, through an application programming interface from a web server, a first response comprising a first payload that includes one of a plurality of actions based on a request to the web server and a second response concurrently with the first response on a signal path from the web server to the system that is different from that of the first response, the second response comprising a second payload that corresponds to the first payload; invoking the one of the plurality of actions from the first payload; detecting malicious activity in the one of the plurality of actions; verifying the detecting of the malicious activity in the one of the plurality of actions; and issuing a message indicating a security incident relating to the malicious activity, wherein the second response is bypassed to or restricted passage to a network based on a mode of the system when the malicious activity is verified.

13. The system of claim 12, wherein the message comprises an indication of the first payload included in the first response, information indicating an attack vector and a source associated with the request, or an indication of an endpoint for remediation that is vulnerable to an attack by the one of the plurality of actions.

14. The system of claim 12, wherein the operations further comprise: applying a blocking operation on the second payload to restrict passage of the second response from the web server to the network based on detection of the malicious activity in the first payload.

15. The system of claim 12, wherein the invoking the one of the plurality of actions comprises: selecting at least one of a plurality of virtual machines; and invoking, using the at least one of the plurality of virtual machines, the one of the plurality of actions.

16. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising: receiving, at a simulation engine through an application programming interface to a web server, a first response comprising a first payload that includes one of a plurality of actions based on a request to the web server and a second response concurrently with the first response on a signal path from the web server to the simulation engine that is different from that of the first response, the second response comprising a second payload that corresponds to the first payload; simulating, at the simulation engine, the one of the plurality of actions from the first payload; detecting, at a detection engine, malicious activity in the one of the plurality of actions based on the simulating;
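Worked example, added here and not the patent's own code or any product's implementation. It models the flow of claims 1, 2, 4, 7 and 9 in Python with the standard library only: the web server emits the same payload on two paths; the device "invokes" the first copy by walking it for executable contexts (inline script bodies, on* handlers, javascript: URIs), which stands in for running the page inside a VM; a detection step flags request parameters that reach such a context; a validation step cuts false positives by comparing the contexts against a predetermined known-good response for the endpoint and requiring context-breaking characters in the reflected value; and the engine's mode decides whether the second copy is bypassed to the network or restricted. The /search endpoint, the TEMPLATE page, the two-path "concurrent" delivery (both copies are the same string here) and the sample values are all constructed for the example.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

DETECT_MODE, BLOCK_MODE = "detect", "block"
# Characters that let a reflected value escape the context it was inserted into.
CONTEXT_BREAKERS = set("<>\"'();")


@dataclass(frozen=True)
class Incident:
    """Contents of the message handed to the remediation engine (claim 2)."""
    payload: str   # offending value found in the first payload
    vector: str    # executable context it reached: script body, on* handler, javascript: URI
    source: str    # request parameter it came from
    endpoint: str  # path that needs remediation


class ScriptContextCollector(HTMLParser):
    """Walks the HTML and records every place script could execute, without
    running anything; this stands in for the simulation engine invoking the
    action in a VM (assumption for the example, not the patent's mechanism)."""

    def __init__(self):
        super().__init__()
        self.contexts = []      # list of (kind, text) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value is None:
                continue
            if name.startswith("on"):
                self.contexts.append((f"handler:{name}", value))
            elif name in ("href", "src", "action") and value.strip().lower().startswith("javascript:"):
                self.contexts.append((f"uri:{name}", value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.contexts.append(("script", data.strip()))


def simulate(html_body):
    parser = ScriptContextCollector()
    parser.feed(html_body)
    parser.close()
    return parser.contexts


def detect(request_url, first_payload):
    """Detection engine: a request parameter value that lands in, or supplies,
    an executable context of the first payload is a candidate incident."""
    parts = urlsplit(request_url)
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for ctx in simulate(first_payload):
        kind, text = ctx
        for name, values in params.items():
            for v in values:
                if v and text and (v in text or text in v):
                    hits.append((Incident(v, kind, name, parts.path), ctx))
    return hits


def validate(hits, predetermined_response):
    """Validation engine (claims 4 and 9): keep a candidate only if its context is
    absent from the known-good response for the endpoint and the reflected value
    can break out of the context it landed in. A plain word echoed into a
    JavaScript string literal fails the second test and is dropped."""
    baseline = set(simulate(predetermined_response))
    return [inc for inc, ctx in hits
            if ctx not in baseline and CONTEXT_BREAKERS & set(inc.payload)]


def process(request_url, first_response, second_response, predetermined_response, mode):
    """Device flow of claim 7: simulate and verify on the first response, then bypass
    the second response (detect mode) or restrict it (block mode).
    Returns (verified incidents, forwarded response or None)."""
    incidents = validate(detect(request_url, first_response), predetermined_response)
    if incidents and mode == BLOCK_MODE:
        return incidents, None
    return incidents, second_response


# Constructed sample traffic (not from the patent): a hypothetical search endpoint
# that reflects the q parameter into a JavaScript string and into the body unencoded.
TEMPLATE = ('<html><body><h1>Search</h1>'
            '<script>var q = "{q}"; render(q);</script>'
            '<p>Results for {q}</p></body></html>')
PREDETERMINED = TEMPLATE.format(q="")   # known-good response shape for /search


def exchange(q, mode):
    """Drive one request through the device; the server's two copies are identical here."""
    url = "/search?q=" + quote(q, safe="")
    body = TEMPLATE.format(q=q)
    return process(url, body, body, PREDETERMINED, mode)


if __name__ == "__main__":
    for q in ("hello", '";alert(1);//', "<script>alert(1)</script>"):
        for mode in (DETECT_MODE, BLOCK_MODE):
            incidents, forwarded = exchange(q, mode)
            print(f"{mode:6} q={q!r:30} incidents={len(incidents)} forwarded={forwarded is not None}")
```

Running the file prints one line per value and mode: the benign value passes in both modes with no incident, the two malicious values raise one incident each, are still forwarded in detect mode, and are dropped in block mode. The baseline comparison is what keeps the benign echo of "hello" from being reported even though it changes the script body relative to the predetermined response.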
CPC classifications:
- Generating training patterns; Bootstrap methods, e.g. bagging or boosting
- using neural networks
- Hypervisor-specific management and integration aspects
- Isolation or security of virtual machine instances
- Event detection, e.g. attack signature detection