It’s time to think outside the server-side box: stop leaving the client side wide open to attack


By Source Defense

Cybersecurity’s historic obsession with server-side security blinds too many organizations to an attack vector that has the potential to destroy customer trust, ruin brands, and cost tens to hundreds of millions of dollars in fines and judgments.

The JavaScript running on your customer-facing sites, whether it is the proprietary code your teams implemented or the dozens of third-, fourth- and fifth-party scripts your supply chain partners run on your site, opens the door to client-side attacks such as Magecart, formjacking, digital skimming and credential harvesting.

In 2020 alone, there were 425 such attacks per month. It is an almost ubiquitous threat vector, affecting over 95% of websites worldwide. Sounds like another hornet’s nest to deal with, right? It is, but closing that gap is probably the easiest thing you will ever tackle in your career.

The COVID-19 pandemic has ushered in a new normal in which consumers are flocking online to conduct financial business, shop, book travel, plan leisure, and more. And with the barrier to entry for cybercriminals so low, the volume and pace of client-side attacks will only increase. Now is the time to consider client-side security and protect web applications against these attacks.

Since the first reported Magecart attack in 2014, there have been millions of successful client-side attacks. In 2018, client-side attacks were up 72% year over year. Today, client-side attack kits can be purchased on the dark web and their sophistication has increased dramatically, resulting in a steady stream of alerts and warnings from the FBI, the PCI Security Standards Council, and the Department of Homeland Security.

To date, the list of victims of client-side attacks reads like a who’s who of online brands in e-commerce: Macy’s, Ticketmaster, BestBuy, British Airways, Claire’s, Warner Music and Mission Health, among others. No organization, regardless of industry or security budget, is immune to client-side attacks. Why?

The answer to why client-side attacks are relatively easy to perform and increasingly prevalent is simple: attackers inject or modify the JavaScript that runs on the page, and JavaScript has full read and write access to the page’s Document Object Model (DOM). The malicious code executes in the visitor’s browser and copies the data as it is typed, before it ever reaches your server. They steal data at the point of entry, right from your online forms.

So unless you have visibility into every third-party script running on your pages, whether for ad plugins, analytics, social media, payment card processing, or contact forms, your business is at risk. These third-, fourth- and fifth-party vendors have extended your security perimeter beyond the control of your security team. Every time your site loads a page for a visitor, you are trusting that none of the third parties in your digital supply chain have been compromised or are serving malicious code.

The same goes for your own code and the places it comes from: file hosting, content delivery networks, and open source JavaScript libraries. Which scripts interact with form fields on which pages? Which scripts listen for keyboard events, and do they need to? Rules answering those questions must be enforced in real time, inside the web browser.

Firewalls and WAFs are not enough – Source Defense offers the solution

One of the most common misconceptions among security professionals is that their firewalls and web application firewalls (WAFs) handle client-side attacks. They do not. WAFs and similar tools inspect traffic arriving at the web server. A script running in the visitor’s browser with access to the DOM executes outside that perimeter, and the data it skims can be sent from the browser straight to the attacker without ever crossing your WAF.

With Source Defense Protect, you have a simple, effective, easy-to-deploy, and easy-to-manage solution to the client-side security problem.

Source Defense forces third-party scripts to load in an isolated virtual page on the client side. This isolation lets third parties run in a controlled environment in which Source Defense allows or denies each action according to security best practices, data privacy policies, and the standardized rules it has in place.

Virtual pages are an exact replica of the original pages, excluding what third parties are not meant to see. We monitor all third-party scripting activity on virtual pages. If the activity is within the limits of what they are authorized to do, we will transfer it from the virtual page to the original page. If not, we’ll keep their activity on the virtual pages isolated from the user and send a report to the e-commerce website owner, alerting them to third-party scripts that have violated their security policy.

With client-side attacks on the rise, ensuring that your customer’s payment and personal information is protected should be a priority if you want to avoid the implications of a data breach.

Source Defense Protect can protect your website against the growing threat of Magecart, formjacking and other digital skimming attacks:

  • Isolate scripts from the page
  • Prevent harmful activity
  • Apply best practices
  • Improve websites safely
  • Continue to benefit from third parties

The post It’s time to think outside the server-side box: Stop Leaving the Client Side Open to Attack appeared first on Source Defense.

*** This is a Security Bloggers Network syndicated blog from Blog – Source Defense written by [email protected]. Read the original post at: https://sourcedefense.com/resources/its-time-to-think-outside-the-server-side-boxstop-leaving-the-client-side-wide-open-to-attack/
