SOURCE DEFENSE | CLIENT-SIDE WEB SECURITY REPORT
www.sourcedefense.com | © 2020 Source Defense. All Rights Reserved. | info@sourcedefense.com
TABLE OF CONTENTS

1. Introduction
   a. Client-Side Web Security
   b. Client-Side Attacks
   c. 3rd Party Scripts
   d. 3rd Party Tools, 2010 vs 2020
2. Study Methodology
   a. Growth of 3rd Party Scripts
3. Executive Summary
   a. Study Findings
   b. 4th Parties and Beyond
   c. Worldwide Compliance Risks
      i. GDPR
      ii. PCI
      iii. HIPAA
4. Recommendations
5. About Source Defense
INTRODUCTION

Source Defense's 2020 Client-Side Security Report investigates the daily attacks that slip past traditional security measures and wreak havoc on websites. It covers the known vulnerabilities and attacks that featured prominently in 2019 headlines. Traditionally, client-side security has been left out of industry reports, which concentrate on web application firewalls (WAFs), bots and other components of the traditional security stack. The growing number of attacks made it necessary to establish a report focused not just on brand security but on the consumer side: whether customers are in fact benefiting from security measures and policies.

WHAT IS CLIENT-SIDE WEB SECURITY

Client-side security is often a website's blind spot, which is why this report starts with a clear explanation of what it means.

Client-side scripting means running scripts on the client device, usually within a web browser. In the browser, client-side code is almost always written in JavaScript. There are over 1.7 billion public-facing websites in the world and JavaScript is used on 95 percent of them. To deliver better performance and experience for end users and to reduce server-side load, modern web applications have shifted core logic from the server to the browser and to JavaScript libraries. The trend is clearly evident in the HTTP Archive data [1]: between November 2010 and January 2019 front-end JavaScript code grew in size by over 347% for desktop and over 593% for mobile, and it keeps growing. JavaScript can also interact with the server by performing background requests.

The security consequence is that every script running in the page, first-party or third-party, executes with the same privileges in the user's browser: it can read what the user types and it can make network requests of its own.

REFERENCES
1. https://httparchive.org/reports/state-of-javascript?start=earliest&end=2019_01_01&view=list
CLIENT-SIDE WEB ATTACKS

Every client-side web attack is different, but they all rely on the attacker gaining some form of access to the website visitor's browser. Client-side web attacks are accelerating rapidly, and they all exploit the trust relationship between a user and the websites they visit. According to our research, a new online attack occurs every 39 seconds. Most client-side attacks are the final stage of a more sophisticated attack chain that eventually reaches the visitors of the website.

An online shopping cart is an extremely valuable target because all the payment details from customers' cards are collected in one place, waiting for an attacker's malware to take them right out of the cart. Virtually no ecommerce website thoroughly vets the code supplied by its third parties, which makes the attacker's job simple.

Formjacking

The term formjacking got its name because the initial attacks were identified by breached forms that caused data loss and stolen credentials on a website. Formjacking occurs when criminals compromise a website in order to control the entry points where sensitive information is provided: the injected script reads the fields as the user fills them in and sends a copy to the attacker, while the legitimate submission still succeeds, so nothing looks wrong to the user. This type of attack is most commonly associated with cybercriminals who seek to steal credit card details and other payment data, as well as personal information such as phone numbers and home addresses that can lead to identity theft.
Magecart

Magecart is the name given to at least twelve groups of criminals who steal customers' payment card data. They target checkout pages on platforms such as Magento, where code supplied by a third party (for example a systems integrator) can be compromised and the infected version served to the site without IT noticing. This is a supply chain attack. Magecart substitutes a piece of JavaScript in one of two ways: it alters the script at its source (the supplier's server, so every site loading that script is affected), or it injects code into the page that loads the skimmer from, or redirects the checkout to, an attacker-controlled site. Researchers have catalogued some 40 distinct injection variants, and not every security solution can accurately detect them.

Cross-Site Scripting

Cross-site scripting (XSS) attacks inject a malicious script into an otherwise benign and trusted website through flawed input validation. Because the script is served by the trusted site, it runs in the victim's browser with that site's origin, so the browser and the user treat it as the site's own content. Attackers can then read cookies and session data, hijack sessions, redirect links, alter the page's HTML and collect personal information.

XSS attacks are considered one of the top three most frequent types of web application attack. Akamai's Q2 2017 State of the Internet report [1] measured the following distribution (Figure 3-1):

  SQLi (SQL injection)         51%
  LFI  (local file inclusion)  33%
  XSS  (cross-site scripting)   9%
  RFI  (remote file inclusion)  2%
  PHPi (PHP injection)          2%
  Other                         2%

Figure 3-1: SQLi, LFI and XSS attacks accounted for 93% of web application attacks in Q2 2017.

REFERENCES
1. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q2-2017-state-of-the-internet-security-report.pdf
Spoofing and Phishing

Spoofing, in cybersecurity, is when someone or something pretends to be something else in order to gain our confidence, get access to our systems, steal data or money, or spread malware. Spoofing comes in many forms: it can be used to obtain a target's personal information, spread malware through infected links or attachments, bypass network access controls, or redirect traffic to conduct a denial-of-service attack. Spoofing is often how an attacker gains the initial foothold for a larger attack.

Website spoofing is creating a website as a hoax, to mislead visitors into believing it was created by a different person or organization. JavaScript can be used to route pages and form data through the attacker's server, which impersonates the real destination. A spoofed site looks like the real login page, down to the branding, the user interface and a look-alike domain name that passes at first glance. This attack vector has been around for decades and remains popular because it is difficult to detect until it is too late. A CAIDA study [1] counted almost 30,000 spoofing attacks per day, 21 million attacks against about 6.3 million unique IP addresses between March 1, 2015 and February 28, 2017. Note that this study measures denial-of-service attacks detected through spoofed source addresses and reflection, not spoofed websites; it indicates how routine spoofing is rather than counting phishing sites.

REFERENCES
1. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q2-2017-state-of-the-internet-security-report.pdf

3rd PARTY SCRIPTS

Examples of 3rd party scripts:
- Social sharing buttons (e.g. Twitter, Facebook, Instagram)
- Advertising scripts
- Video player embeds (e.g. YouTube, Vimeo)
- Analytics and metrics scripts
- A/B testing scripts for experiments

3rd PARTY SCRIPTS, 2010 - PRESENT

To master customer attraction and retention in today's competitive digital landscape, organizations need to integrate 3rd party scripts. Whether it is business, consumer or personal activity, customers want simplicity and efficiency; they want to streamline and centralize their lives. 3rd party script integration makes for an impactful and convenient user experience (UX), one that lets customers keep using the tools they already use. Popular integrations include payment processing, social media, data tracking and chat systems.

Source Defense Report Finding: the top 3rd party scripts on your website are:
1. Advertising scripts
2. Site analytics scripts
3. Social media scripts
Researchers from the University of Washington [1] produced a comprehensive analysis of 3rd party integrations across two decades. They observed a four-fold increase in third-party tracking on top sites from 1996 to 2016 and mapped the growing complexity of trackers over that period.

[Figure: Number of 3rd party scripts per site. Box plots of third parties requested per site (top 500 sites) by year, 1996-2016. Center box lines are medians, whiskers end at 1.5*IQR. The increase in both medians and distributions shows that more third parties are being contacted by popular sites in both the common and the extreme cases. Source: [2].]

REFERENCES
1. https://www.washington.edu/news/2016/08/15/unearthing-trackers-of-the-past-uw-computer-scientists-reveal-the-history-of-third-party-web-tracking/
2. https://trackingexcavator.cs.washington.edu/InternetJonesAndTheRaidersOfTheLostTrackers.pdf

STUDY METHODOLOGY

Source Defense's study is based on 2019 data collected from Source Defense's global network and includes hundreds of millions of anonymized requests across thousands of domains. Our goal is to offer guidance about the nature and impact of threats to those on the front line of website security. What makes this report unique is its focus on attack activity originating in 3rd party scripts, a vector not traditionally covered in State of the Internet reports. Source Defense analyzed over 500 3rd party scripts to determine what they were doing, what they had access to, and where they were vulnerable.

Every industry has its own attack problems and ecosystem of vulnerabilities. Some of these include airlines, ecommerce, event ticketing, finance and healthcare.
THE BUSINESS OF 3rd PARTY JAVASCRIPT ATTACKS IS MONEY

The growing volume of stolen credentials from data breaches is a worsening problem for any online business with a login page. Every new data breach increases the availability of credit and credential information and feeds attacks in other security areas. With over 9 billion data records lost or stolen since 2013, the problem is already significant and only getting worse.

9,727,967,988 data records lost or stolen since 2013 [1]

THE UNENDING GROWTH OF 3rd PARTIES

3rd party scripts are a marketer's best friend and a security team's worst nightmare. While they promise increased conversions, site performance or other metrics moving 'up and to the right', the security team is faced with new points of vulnerability and potentially unmanaged outside access to a high-performing website.

56% of the top Fortune 1000 websites allow some form of unauthorized access.

A new 3rd party comes to market once every 16 days. Closer to home, a new 3rd party script is added to a website on average once every 27 days. Web managers who are not monitoring 3rd party script access in real time should at least be auditing their sites monthly. When Newegg was attacked, the skimmer had been living on the site for over three weeks before anyone realized it was there, and by then millions of people had been affected.

REFERENCES
1. https://www.varonis.com/blog/the-world-in-data-breaches/

EXECUTIVE SUMMARY

No Industry is Left Unharmed

Certain website attacks run across all industries while others are industry-specific.

Top industries affected by 3rd party breaches:
1. eCommerce
2. Travel
3. Finance
4. Healthcare
5. Ticketing

It is expected that ecommerce would be the most impacted industry, given the Magecart groups' targeted efforts against payment and login pages. Top ecommerce websites in both the United States and the United Kingdom were targeted because of their easy access to and heavy use of 3rd party scripts (and 4th, 5th and beyond).
Top 3 countries affected by 3rd party breaches:
1. United States
2. Canada
3. UK

SITES WITH UNAUTHORIZED ACCESS

3rd Party Scripts - Nothing to Celebrate

Top 3 things scripts are doing on your website without your knowledge (all reports). The study found that legitimate scripts perform actions that you, the website owner, never approved. The top things these scripts were found doing:
1. Read forms on the page
2. Listen to button clicks and link clicks
3. Listen to input field changes

Any one of these capabilities is all a skimmer needs: a script that can read form fields or receive input-change events sees card numbers and passwords as they are typed, before the form is ever submitted.

[Figure: Percentage of sites vulnerable, by behaviour observed in 3rd party scripts: AccessFormAndInput, ButtonClickListeners, LinkClickListeners, FormSubmitListeners, FormsAndInputs, InputChangeListeners. Bar values are not recoverable from the extracted text.]

Average number of 3rd+ parties on sensitive pages: 20

Most affected sensitive pages:
- Payment pages
- Login / credential capture pages
- Account registration pages

How often do 3rd parties change on your website?

There is no guarantee that the code hosted by a 3rd party will remain the same. New features may be pushed in the 3rd party code at any time, potentially breaking the interface or data flows and putting the availability of your website at risk. Every 3rd party service's code is likely to change a few times a month; across all of a site's 3rd parties that adds up to over 200 code changes per website per month that website owners need to manage.
4th PARTIES AND BEYOND

Going beyond 3rd party tools

When we discuss Magecart attacks we focus on 3rd party scripts as the enablers of such breaches, but the chain does not end there. These scripts, which are embedded in websites of all types and sizes, in turn load code from other external suppliers. There are many relationships down the chain, and once any of them is breached everyone involved is in danger.

This also means that even the most security-conscious websites, which audit and test the 3rd party scripts they include (itself rare and hard to follow through on), remain exposed through the 4th and 5th party scripts those suppliers load. A script tag authorizes a supplier, not a fixed piece of code: whatever that supplier's server returns today, including anything it pulls in from its own suppliers, runs in your page. This makes fully protecting websites and their users from Magecart scripts much more challenging.

[Figure: dependency graph of a web page loading several 3rd party remote servers, each of which loads 4th party remote servers, which in turn load 5th party remote servers.]

[Figure: Average number of 4th party scripts by industry (overall average: 7). Series: average 3rd party scripts per site, average 4th party scripts per site, average number of scripts on sensitive pages. Per-industry values are not recoverable from the extracted text.]
WORLDWIDE COMPLIANCE RISKS

GDPR

As is well understood, GDPR specifies a compliance framework upon which to build an infrastructure capable of responsible control and privacy of customer data. Violations can result in fines of up to 4% of a company's global annual revenue (or EUR 20 million, whichever is higher) for any organization handling the personal data of individuals in the EU. Although no single vendor can deliver a complete GDPR solution, the data in this report surfaces a critical website exposure that must be considered in all GDPR compliance preparation: a 3rd party script that reads a form is processing personal data on your site, whether or not you know about it.

Top GDPR compliance risk violations

Source Defense specifically addresses multiple articles of the GDPR that, without a dedicated client-side control, an organization would be unable to comply with:
1. Article 5 - Principles relating to processing of personal data
2. Article 16 - Right to rectification
3. Article 17 - Right to erasure
4. Article 18 - Right to restriction of processing
5. Article 32 - Security of processing

PCI Compliance

The PCI DSS framework provides testing and validation requirements and strategies for processing, storing and transmitting payment card transactions. Its intent is constructive guidance on securing payment transactions end to end, with controls for handling and restricting cardholder data. PCI DSS distinguishes between data in transit and data at rest: organizations must protect transactions in real time as well as data stored for future use. However, at the time of this report the framework did not address a critical and pervasively exploited stage in the data lifecycle: data creation, the moment the card number is typed into a page in the customer's browser.

As ecommerce continues to grow and payment data is exchanged on websites in ever-increasing volume, the PCI framework should add specific controls and requirements for the primary point at which payment data enters an organization: the corporate website. At the time of writing, the PCI framework specified no controls for this vulnerable and increasingly exploited point. (PCI DSS v4.0, published in 2022, subsequently added requirements 6.4.3 and 11.6.1, which require merchants to inventory and authorize the scripts on payment pages and to detect unauthorized changes to those pages.)

HIPAA Compliance

The website is increasingly central to a healthcare organization's customer interactions. Unfortunately, the Internet has significantly extended an organization's security perimeter: enriching a website with external components means its attack surface extends across the entire Internet. That surface includes a great many supply chain vendors that enrich the customer experience and help extract analytics. These supply chain vendors (and the hackers who exploit them) introduce a universal client-side vulnerability that grants nearly unlimited access to every element of your web pages on the client side, through completely unmanaged connections to the vendors' external servers. Making matters worse, these 3rd party vendors are almost certainly less secure than the typical enterprise, giving attackers a comparatively easier path to your website content, data and customers.
RECOMMENDATIONS

1. Monitor outbound traffic. A preliminary way to assess the security of your site is to monitor the page's outbound requests. If you find data being sent to unknown destinations, that is an early signal that warrants further investigation into your site's code. A Content-Security-Policy with connect-src, img-src and form-action directives and a reporting endpoint gives you this monitoring from the browser itself.
2. Perform routine audits. A cyberattack can happen to any business at any time, so you need to know what normal looks like. Frequently reviewing your website's code, including the third-party code it loads, is essential because formjacking is notoriously hard to detect; you may not realize you have been compromised until it is too late.
3. Assess third-party applications. This is where Magecart has repeatedly exposed how fragile a website's supply chain is. You entrust third-party applications with various aspects of your business; verify that their security is reliable and that they are as aware of formjacking and other common attacks as you are.
4. Pay attention to public data breaches.
5. Evaluate a client-side security solution.

RECEIVE A FREE WEBSITE RISK ASSESSMENT

ABOUT SOURCE DEFENSE

Source Defense is the market leader in client-side web security, providing real-time protection against threats originating in third-party scripts, such as Magecart and formjacking attacks.

With its patented VICE platform, Source Defense protects web pages from vulnerabilities in third-party scripts. The solution isolates those scripts from the web page and allows them to read and write only according to a permission policy, either Source Defense's recommended standards or the company's own policies. Source Defense extends the traditional security perimeter to protect your customers and fortify your security stack in real time.

TO LEARN MORE VISIT www.sourcedefense.com