Browser Storage Data Access
Network Sniffing and Manipulation
Malicious scripts can monitor browser events, form input changes and user interaction. Such a script can observe, collect and report any data associated with the web page: the values typed into fields, the DOM, and the cookies and storage the page can read. Usually the captured data is sent to a server the attacker controls, using whatever network channel the browser offers (fetch or XMLHttpRequest, image beacons, WebSockets, or a rewritten form action). From payment card details to personal information, everything the page handles is at risk of being stolen.
Real Life Threats and Stories
Digital Skimming and Magecart
Example: In January 2022, Segway fell victim to a Magecart attack that allowed cybercriminals to access customers’ credit card information. Attackers embedded malicious code in an icon file used to display Segway’s logo in users’ browsers. The file wasn’t inherently malicious itself, but dynamically loaded the skimmer in users’ browsers, remaining invisible to anyone examining the HTML source code. And because the logo was still rendered correctly, the malicious code was not apparent externally either. It was estimated that the skimmer had been active for several weeks before it was discovered, exposing the data of customers in the United States, Australia, Canada, the UK and Germany. By debugging the skimmer’s loader, researchers revealed its command-and-control (C2) URL, booctstrap[.]com, a known skimmer domain that had been active for several months.
PII Harvesting and Formjacking
PII harvesting is when cybercriminals inject malicious scripts to manipulate your website forms. Also called formjacking, this allows the attacker to collect personally identifiable information (PII) from your users when they submit a form, usually on a login or checkout page. The PII data may then be sold on the dark web and/or used in subsequent attacks such as credential stuffing, carding, and account takeover (ATO). These attacks take place on the client side, so they often aren’t caught by code scanners and web application firewalls (WAFs). Because it’s difficult to get visibility into how code is behaving in users’ browsers, these PII harvesting attacks can go undetected for a long time.
Session and Credential Hijacking
How To Protect Your Web App
There is no silver bullet to protect against all client-side attacks, but here are a few options to significantly reduce your risk:
Content Security Policy
SAST and External Scanners
Static Application Security Testing (SAST) is a technique for examining an application’s source code before it is run. You can also use external scanners to analyze scripts in a sandbox environment to detect malicious behavior. These methods allow you to proactively identify potential code vulnerabilities and get a snapshot of how client-side code is behaving. However, malicious scripts have gotten smarter; many will only load in a real client-side environment to avoid detection by SAST tools and scanners. Scripts that are only fetched and executed at run time in the browser never appear in the source a SAST tool sees, so they remain undetected. And even if an external scanner does find malicious activity, all it can do is issue an alert; it cannot block the activity.
The Right Approach
Manual code analysis and static scanning won’t give you complete visibility into client-side code that loads dynamically. For that, you need a security solution that delivers continuous insights into the behavior of first-, third-, and nth-party code in users’ browsers. This gives you real-time visibility into scripts that are accessing sensitive fields and exfiltrating the data, as well as code with known vulnerabilities.
This blog has been updated since its original publish date, June 11, 2019.