Client-Side Web Security Report

Source Defense

www.sourcedefense.com © 2020 Source Defense. All Rights Reserved. | [email protected]

TABLE OF CONTENTS:

1. Introduction

a. Client Side Web Security

b. Client Side Attacks

c. 3rd Party Scripts

d. 3rd Party tools 2010 vs 2020

2. Study Methodology

a. Growth of 3rd Party Scripts

3. Executive Summary

a. Study Findings

b. 4th Parties and Beyond

c. Worldwide Compliance Risks

i. GDPR

ii. PCI

iii. HIPAA

4. Recommendations

5. About Source Defense


INTRODUCTION

Source Defense’s 2020 Client-Side Security Report investigates the daily attacks that sneak past traditional security measures and wreak havoc on websites. This report covers known vulnerabilities and attacks that featured prominently in 2019 headlines. Traditionally, client-side security has been left out of other industry reports, which focus on WAFs¹, bots and other parts of the traditional security stack. The growing number of attacks made it necessary to establish a report focused not just on brand security but on the consumer side, and on how customers actually benefit from security measures and policies.

Client-side security is, oftentimes, the blind spot of many websites. This is the reason we decided to start this report with a clear explanation of what it means.

WHAT IS CLIENT-SIDE WEB SECURITY

Client-side scripting simply means running scripts on the client device, usually within a web browser. In the browser, client-side processes are almost always written in JavaScript. There are over 1.7 billion public-facing websites in the world, and JavaScript is used on 95 percent of them.

In the era of modern web applications, to achieve better performance and experience for end users and to reduce the load on server-side processing, core logic has shifted from the server to the browser and JavaScript libraries. This trend is clearly evident in the HTTP Archive data²: between November 2010 and January 2019, front-end JavaScript code grew in size by over 347% for desktop and over 593% for mobile, and it keeps growing. JavaScript can also be used to interact with the server by performing background requests.

CLIENT SIDE WEB ATTACKS

Each and every client-side web attack is different, but they all rely on the attacker gaining some sort of access to the website visitor’s browser.

Client-side web attacks are rapidly accelerating and they all exploit the trust relationship between a user and the websites they visit. In fact, according to our research, a new online attack occurs every 39 seconds. Most client-side attacks are a consequence of a more sophisticated attack chain that eventually affects the visitors of the website.

An online shopping cart is an extremely valuable target to a hacker: all the payment details from customers' cards have already been collected and are waiting in one place for a hacker to come along with their malware and take them right out of the cart. Virtually no ecommerce website thoroughly vets the code used by these third parties, which makes the hacker's job quite simple.

Formjacking

The term formjacking got its name because the initial attacks were identified through breached forms that caused data loss and stolen credentials on a website. Formjacking is a clever type of cyberattack in which online criminals hack into a website to gain control over the entry point where sensitive information is provided. It is most commonly associated with cybercriminals who seek to steal credit card details and other payment methods, as well as personal information such as phone numbers and home addresses that could lead to identity theft.

REFERENCES

1. i.e., web application firewalls (WAFs)

2. https://httparchive.org/reports/state-of-javascript?start=earliest&end=2019_01_01&view=list


Magecart

Magecart is the term given to at least twelve "groups" of unscrupulous hackers that steal information from customers' payment cards. They target shopping carts from systems like Magento, where a piece of third-party code, compromised via a systems integrator, can be infected without being picked up by IT. This is known as a supply chain attack.

Magecart works by taking a piece of JavaScript code and substituting it in one of two ways: it can alter the source, or it can use an injection to redirect the shopping cart to a website containing the malware. Researchers have discovered 40 different exploits using injected code and, unfortunately, not every security solution is able to accurately detect malicious threats.

Cross-Site Scripting

XSS attacks are considered one of the top 3 most frequent types of attacks.

[Figure 3-1: Web Application Attack Frequency, Q2 2017¹. SQLi, LFI and XSS attacks accounted for 93% of web application attacks in Q2; chart values: 51%, 33%, 9%, 2%, 2%, 2%. Key: SQLi - SQL injection; LFI - Local file inclusion; XSS - Cross-site scripting; RFI - Request for information; PHPi - PHP injection; Other.]

Cross-Site Scripting, commonly referred to as XSS, involves a malicious script that hackers insert into otherwise benign and trusted websites whose input validation is flawed and vulnerable. The script, which in many cases lands on a highly trusted and heavily used website, is used to convince innocent end users that the content they are viewing belongs to the main site. Attackers can then collect data and steal information and resources. XSS attackers are able to make serious changes to the website and even modify its HTML page content. The malicious script allows hackers to access users’ cookie data, hijack sessions, redirect links, access personal information, and much more.

REFERENCES

1. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q2-2017-state-of-the-internet-security-report.pdf


Spoofing or Phishing

Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something else in an attempt to gain our confidence, get access to our systems, steal data, steal money, or spread malware. Spoofing attacks come in many forms. They can be used to gain access to a target’s personal information, spread malware through infected links or attachments, bypass network access controls, or redistribute traffic to conduct a denial-of-service attack. Spoofing is often the way a bad actor gains access in order to execute a larger cyber attack.

Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers into believing the website was created by a different person or organization. JavaScript can be used to route web pages and information through the attacker's computer, which impersonates the destination web server. A spoofed site will look like the login page of the real website, down to the branding, user interface, and even a spoofed domain name that looks the same at first glance. This attack vector has been around for decades and continues to be popular because it is difficult to detect until it is too late. One CAIDA study¹ concluded that there were almost 30,000 spoofing attacks each day, and a total of 21 million attacks on about 6.3 million unique IP addresses between March 1, 2015 and Feb. 28, 2017 alone.

3rd PARTY SCRIPTS

Examples of 3rd Party Scripts

Source Defense Report Finding: the top 3rd party scripts on your website are site analytics scripts, advertising scripts and social media scripts.

1. Social sharing buttons (e.g. Twitter, Facebook, Instagram)

2. Advertising

3. Video player embeds (e.g. YouTube, Vimeo)

4. Analytics & metrics scripts

5. A/B testing scripts for experiments

To master the art of customer attraction and retention in today’s competitive digital landscape, organizations need to get on board with 3rd party script integration. Whether it is business, consumer, or personal activity, customers want simplicity and efficiency. They want to streamline and centralize their lives. 3rd party script integration makes for an impactful and convenient User Experience (UX), one which allows customers to access scripts that integrate with what they already use. Popular integrations include payment processing, social media, data tracking, and chat systems.

REFERENCES

1. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q2-2017-state-of-the-internet-security-report.pdf

3rd PARTY SCRIPTS 2010 - PRESENT

[Figure: Number of 3rd party scripts per site (top 500 sites). Box plot of third parties requested per site, by year.] Distributions of third-party requests for the top 500 sites 1996-2016. Center box lines are medians, whiskers end at 1.5*IQR. The increase in both medians and distributions of the data shows that more third parties are being contacted by popular sites in both the common and extreme cases.²

REFERENCES

1. https://www.washington.edu/news/2016/08/15/unearthing-trackers-of-the-past-uw-computer-scientists-reveal-the-history-of-third-party-web-tracking/

2. https://trackingexcavator.cs.washington.edu/InternetJonesAndTheRaidersOfTheLostTrackers.pdf

STUDY METHODOLOGY

Source Defense’s study is based on 2019 data collected from Source Defense’s global network and includes hundreds of millions of anonymized requests over thousands of domains. Our goal is to offer guidance about the nature and impact of threats to those of you on the front line of website security.

What makes this report unique is its focus on attack activity from 3rd party scripts, an area traditionally not covered in State of the Internet reports. Source Defense analyzed over 500 3rd party scripts to determine what they were doing, what they had access to, and where they were found to be vulnerable.

Growth of 3rd Party Scripts

Researchers from the University of Washington¹ have created a comprehensive analysis of 3rd party integrations across three decades. They saw a four-fold increase in third-party tracking on top sites from 1996 to 2016, and mapped the growing complexity of trackers stretching back decades.

THE BUSINESS OF 3rd PARTY JAVASCRIPT ATTACKS IS MONEY

Every industry has its own attack problems and ecosystem of vulnerabilities. Some of these include:

1. Airlines

2. eCommerce

3. Finance

4. Healthcare

5. Event Ticketing


The growing volume of stolen credentials from data breaches is creating a worsening problem for any online business that has a login page. Every new data breach increases the availability of credit information and leads to greater attacks in other security areas. With over 9 billion credentials stolen since 2013, the problem is already significant, and only getting worse.

DATA RECORDS LOST OR STOLEN SINCE 2013¹: 9,727,967,988

THE UNENDING GROWTH OF 3rd PARTIES

3rd party scripts are a marketer's best friend and a security team's worst nightmare. While promising increased conversions, site performance or other advancements ‘up and to the right’ in metrics, they leave a security team facing new vulnerability points and potentially unmanaged outside access to a high-performing website.

A new 3rd party is brought to market once every 16 days. Hitting closer to home, a new 3rd party script is added to a website on average once every 27 days. Web managers who are not monitoring access by these 3rd party scripts in real time should be holding monthly audits of their sites. When Newegg was attacked, the script had been living on their website for over 3 weeks before someone realized it was there, and by then millions of people were impacted.

56% OF THE TOP FORTUNE 1000 WEBSITES ALLOW SOME FORM OF UNAUTHORIZED ACCESS

REFERENCES

1. https://www.varonis.com/blog/the-world-in-data-breaches/

EXECUTIVE SUMMARY

No Industry is Left Unharmed

Certain website attacks run across all industries while others are industry-specific.

Top Industries affected by 3rd Party Breaches

1. eCommerce

2. Travel

3. Finance

4. Healthcare

5. Ticketing

It is expected that eCommerce would be the top impacted industry, given the Magecart groups’ targeted efforts against payment and login pages. Top eCommerce websites in both the United States and the United Kingdom were targeted because of their easy access and heavy use of 3rd party scripts (and 4th, 5th and beyond).


Top 3 Countries affected by 3rd Party Breaches

1. United States

2. Canada

3. UK

3rd Party Scripts - Nothing to Celebrate

Top 3 things scripts are doing on your website without your knowledge

The study found that legitimate scripts are performing actions that are not approved by you, the website owner.

The top things these scripts were found doing:

1. Read forms on the page

2. Listen to Button Clicks and Link Clicks

3. Listen to input field changes

[Figure: Sites with unauthorized access (all reports). Bars show the percentage of sites vulnerable, on a 0 to 70 scale, for: AccessFormAndInput, ButtonClickListeners, LinkClickListeners, FormSubmitListeners, FormsAndInputs, InputChangeListeners.]
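The three behaviours listed above (reading forms, listening for clicks, listening for input changes) all begin with a script calling addEventListener on page elements. The following JavaScript is an added example, not code from the report or from Source Defense: it wraps EventTarget.prototype.addEventListener so that every listener attached to a sensitive event is attributed to the script origin that attached it, and any origin outside a site-owner allowlist is logged for review. The allowlist, the hostnames and the stack traces are constructed for illustration.

```javascript
'use strict';
// Added example (not Source Defense's code): attribute addEventListener calls on
// sensitive events to the script origin that made them, and flag origins that
// the site owner has not approved.

// Hypothetical allowlist of first-party / approved script origins.
const APPROVED_SCRIPT_ORIGINS = new Set(['https://www.example-shop.test']);

// Event types the report found third-party scripts listening to.
const SENSITIVE_EVENTS = new Set(['input', 'change', 'keyup', 'keydown', 'click', 'submit']);

// Extract the origin of the first script URL in a V8-style stack trace, skipping
// frames that belong to the auditor itself. Returns null if no URL frame exists.
function callerOrigin(stack, selfMarker = 'listenerAudit') {
  const frameRe = /(https?:\/\/[^\s/:]+(?::\d+)?)[^\s)]*?:\d+:\d+/;
  for (const line of String(stack).split('\n')) {
    if (line.includes(selfMarker)) continue;
    const m = frameRe.exec(line);
    if (m) return m[1];
  }
  return null;
}

// Classify one addEventListener call: a sensitive event attached from an origin
// outside the allowlist (or with no recoverable origin) is suspicious.
function classifyListener(eventType, stack, approved = APPROVED_SCRIPT_ORIGINS) {
  const origin = callerOrigin(stack);
  const sensitive = SENSITIVE_EVENTS.has(eventType);
  const fromApproved = origin !== null && approved.has(origin);
  return { eventType, origin, sensitive, suspicious: sensitive && !fromApproved };
}

// Wrap EventTarget.prototype.addEventListener so every call is classified.
// Returns the array of records for later review; `report` receives suspicious ones.
function installListenerAudit(report = (msg) => console.warn(msg), approved = APPROVED_SCRIPT_ORIGINS) {
  const records = [];
  const proto = EventTarget.prototype;
  const original = proto.addEventListener;
  proto.addEventListener = function listenerAudit(type, handler, options) {
    const rec = classifyListener(type, new Error().stack || '', approved);
    records.push(rec);
    if (rec.suspicious) {
      report(`[listener-audit] ${rec.origin || 'unknown origin'} attached a "${type}" listener`);
    }
    return original.call(this, type, handler, options);
  };
  return records;
}

// In a browser, install the hook as early as possible, before third-party tags load.
if (typeof document !== 'undefined') installListenerAudit();
```

Serve this as the first script on the page so the hook is in place before any third-party tag runs. Attribution relies on the V8 stack frame format (`at fn (https://host/file.js:line:col)`); other engines format frames differently, so extend callerOrigin before relying on it broadly, and treat a listener with no recoverable origin as worth a look rather than as benign.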

How often do 3rd Parties Change on Your Website?

There is really no guarantee that the code hosted by the 3rd party will remain the same. New features may be pushed into the 3rd party code at any time, potentially breaking the interface or data flows and affecting the availability of your website to users.

Every third-party service's code is likely to change a few times a month. Across a website, that adds up to over 200 code changes per month that website owners need to manage.


Most Affected Sensitive Pages

Login / Credential Capture Pages

Account Registration Pages

Payment Collection Pages

AVERAGE NUMBER OF 3rd+ PARTIES ON SENSITIVE PAGES: 20


4th PARTIES AND BEYOND

GOING BEYOND 3rd PARTY TOOLS

When we discuss Magecart attacks, we focus on 3rd party scripts as the enablers of such security breaches, but it’s important to note that the hacking process doesn’t end there. These scripts, which collaborate with websites of all types and sizes, also interact with other external suppliers. There are many relationships down the chain and these interactions, once breached, put everyone involved in danger.

This also means that even the most security-conscious websites, which audit and test the 3rd party scripts they interact with (itself rare and difficult to follow through on), remain exposed through the 4th and 5th party scripts those suppliers interact with. This makes fully protecting websites and their users from Magecart attack scripts much more challenging.

[Diagram: each 3rd party remote server connects onward to 4th party remote servers, which in turn connect to 5th party remote servers.]

[Figure: Average number of 4th party scripts by industry. Industries: Technology & Computing, Personal Finance, Shopping, Travel, Business, Health & Fitness, Style & Fashion, News / Weather / Information, Hobbies & Interests, Art & Entertainment, Non-Standard Content, Sport, Food & Drink, Education, Automotive, All. Series: average 3rd party scripts per site, average 4th party scripts per site, average number of scripts on sensitive pages. Average: 7.]


WORLDWIDE COMPLIANCE RISKS

GDPR

Top GDPR Compliance Risk Violations

As is well understood, GDPR specifies a compliance framework upon which to build an infrastructure capable of maintaining responsible customer data privacy and control. Violation of GDPR provisions could result in fines of up to 4% of a company’s global annual revenues for any organization handling the personal data of EU citizens. Although no single vendor is capable of delivering a completely holistic GDPR solution, the below data surfaces a critical website exposure that must be considered in ALL preparation associated with GDPR compliance.

Source Defense specifically addresses multiple articles defined in the GDPR framework with which, without a dedicated solution, your organization would remain non-compliant.

1. Article 5 - Processing of Personal Data

2. Article 16 - Rectify personal data

3. Article 17- Erase personal data

4. Article 18 - Restrict personal data

5. Article 32 - Ensure system confidentiality

PCI

PCI Compliance

The PCI DSS framework offers testing and validation requirements and strategies for processing, storing and transmitting payment card transactions. The intent of the framework is to provide constructive guidance on securing payment transactions end-to-end. The standards created include controls for handling and restricting credit card information. The PCI DSS framework also distinguishes between data in transit and data at rest. In other words, organizations must protect real-time data transactions as well as data stored for future use. However, the current approach does not address a critical and currently pervasively exploited stage in the data lifecycle – data creation.

As online eCommerce continues to grow, and payment data is exchanged on websites at an ever-increasing volume, the PCI framework should review specific and new controls and requirements for the primary organization point of payment data: the corporate website. Currently the PCI framework does not specify controls for this vulnerable and increasingly exploited organization point of payment data.

HIPAA

HIPAA Compliance

The website is increasingly central to a healthcare organization’s customer interactions.

Unfortunately, the Internet has significantly extended an organization’s necessary security perimeter since enabling and enriching a website allows hackers to take advantage of the fact that the attack surface extends across the entire Internet. This website attack surface includes a great many supply chain vendors which enrich the website customer experience and help extract insightful analytics.

These supply chain vendors (and the hackers that exploit them) introduce a universal client-side website vulnerability that grants nearly unlimited access to every element of your web pages on the client side, through completely unmanaged connections with the corresponding external 3rd party servers. Making matters worse, these 3rd party website supply chain vendors are almost certainly less secure than the typical enterprise. This provides hackers with a comparatively simpler path to your website content, data, and customers.


RECOMMENDATIONS

1. Monitor Outbound Traffic: A preliminary way to assess the security of your site is by monitoring its outbound traffic. If you begin to pick up on unknown destinations that data is being transferred to, that is an early signal that warrants further investigation of your site's code.

2. Perform Routine Audits: While a cyberattack can happen to any business at any time, it is essential that you know what to look for to ensure that everything is performing normally. Frequently reviewing your website’s code is extremely necessary, as formjacking is often described as an undetectable hack. You may not realize your security has been compromised until it is too late.

3. Assess Third-Party Applications: This is where Magecart has been known to expose a website’s fragility and take advantage of the information divulged through this hack. You entrust third-party applications to handle various aspects of your business, but you need to verify that their security is reliable and that they are just as aware of formjacking and other common cyberattacks.

4. Pay attention to Public Data Breaches

5. Evaluate a Client-Side Security Solution
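Recommendation 1 can be put into practice with a Content-Security-Policy-Report-Only header: the browser keeps allowing everything, but posts a JSON violation report for each outbound connection or form post to a destination outside the policy. The following Node.js snippet is an added example, not the report's or Source Defense's code: it builds such a policy from an allowlist and triages a batch of violation reports, flagging connect-src and form-action violations to unknown destinations for investigation. The allowlist, hostnames and sample reports are constructed.

```javascript
'use strict';
// Added example (not from the report): build a report-only CSP that reports
// outbound traffic, and triage the violation reports browsers post back.

// Hypothetical allowlist of destinations the site owner has approved.
const APPROVED_DESTINATIONS = ['https://api.example-shop.test', 'https://analytics.approved-vendor.test'];

// Header value for Content-Security-Policy-Report-Only: nothing is blocked yet,
// but every fetch/XHR/beacon and form post elsewhere produces a report.
function buildReportOnlyPolicy(approved, reportPath = '/csp-report') {
  const list = ["'self'", ...approved].join(' ');
  return `connect-src ${list}; form-action ${list}; report-uri ${reportPath}`;
}

// Directives that indicate data leaving the page (as opposed to, say, a blocked font).
const EXFIL_DIRECTIVES = new Set(['connect-src', 'form-action']);

function originOf(uri) {
  try { return new URL(uri).origin; } catch { return null; }
}

// Triage one violation report (the JSON body the browser posts to report-uri).
// Values such as "data" or "inline" have no origin and are not treated as destinations.
function triageReport(report, approved = APPROVED_DESTINATIONS) {
  const r = report['csp-report'] || {};
  const directive = String(r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
  const blocked = r['blocked-uri'] || '';
  const dest = originOf(blocked);
  const approvedSet = new Set(approved.map((u) => originOf(u)));
  const pageOrigin = originOf(r['document-uri'] || '');
  const unknown = dest !== null && dest !== pageOrigin && !approvedSet.has(dest);
  return {
    directive,
    destination: dest ?? blocked,
    page: r['document-uri'] || null,
    severity: EXFIL_DIRECTIVES.has(directive) && unknown ? 'investigate' : 'info',
  };
}

// Summarise a batch: count of reports per unknown destination and directive,
// which is what a daily review actually needs to look at.
function summarise(reports, approved = APPROVED_DESTINATIONS) {
  const counts = new Map();
  for (const rep of reports) {
    const t = triageReport(rep, approved);
    if (t.severity !== 'investigate') continue;
    const key = `${t.directive} -> ${t.destination}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return Object.fromEntries(counts);
}

// Constructed sample reports, shaped as browsers post them to report-uri.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example-shop.test/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://collect.unknown-host.test/c' } },
  { 'csp-report': { 'document-uri': 'https://www.example-shop.test/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://collect.unknown-host.test/c?x=1' } },
  { 'csp-report': { 'document-uri': 'https://www.example-shop.test/checkout', 'violated-directive': "form-action 'self'", 'blocked-uri': 'https://pay.unknown-host.test/submit' } },
  { 'csp-report': { 'document-uri': 'https://www.example-shop.test/', 'effective-directive': 'font-src', 'blocked-uri': 'https://fonts.unknown-host.test/f.woff2' } },
  { 'csp-report': { 'document-uri': 'https://www.example-shop.test/', 'effective-directive': 'img-src', 'blocked-uri': 'data' } },
  { 'csp-report': { 'document-uri': 'https://www.example-shop.test/', 'effective-directive': 'connect-src', 'blocked-uri': 'https://analytics.approved-vendor.test/v1' } },
];
```

Set the value on the Content-Security-Policy-Report-Only header and receive reports at the report-uri path (report-uri is still the most widely honoured reporting directive; report-to is its successor). A policy limited to connect-src and form-action only sees fetch/XHR/beacon traffic and form posts, so also constrain img-src and frame-src, otherwise other outbound channels stay unmonitored; review the results before switching the header to enforcing mode so that an approved integration is not broken.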

About Source Defense

TO LEARN MORE VISIT www.sourcedefense.com

Source Defense is the market leader in Client-side Web Security, providing real time threat protection against vulnerabilities originating in third-party scripts such as Magecart & Formjacking attacks.

With their patented VICE platform, Source Defense protects web pages from vulnerabilities in third-party scripts. Source Defense’s solution isolates those scripts from the web page and allows them to read and write according to a given permission either defined by Source Defense’s recommended standards, or specific company policies.

Source Defense extends the traditional security perimeter to protect your customers and fortify your security stack in real-time.

RECEIVE A FREE WEBSITE RISK ASSESSMENT