Technoroll

Your Site’s Blind Spots Are Your Biggest Security Threat

Websites are evolving. The meteoric rise of eCommerce over the last decade has cemented the importance of a new wave of website design. Dynamic websites boast higher engagement, greater conversion rates and more paying customers. However, the surge in these sites has opened the floodgates for serious security oversights. In the worst instances, companies seeking higher ROI have gone on to sacrifice client-side security.

The Rise of Third-Party Scripts

In the first few years of the internet, webpages were limited to pages of simple HTML or, as its creator Tim Berners-Lee simply called it, hypertext. His 1989 concept was a system of hypertext documents, each of which could be viewed by independent browsers. One of the earliest web pages contained a phone book for Berners-Lee’s employer, CERN. Other pages began to pop up, including guides for using CERN’s own central computers. Searching relied solely on specific keywords; there were no algorithmic search engines in 1990.

In 1991, these pages became available to colleagues on other CERN computers. Global interest began to spread after Berners-Lee announced his WWW software in various newsgroups. The first browsers ran only on NeXT computers, until CERN intern Nicola Pellow wrote a simpler browser that could run on any system. The very first web server was brought online in December 1991, at the Stanford Linear Accelerator Center (SLAC) in California. Less than three years later, the world wide web had already gained 10,000 servers, supporting the browsing and surfing habits of over 10 million users.

Nowadays, modern sites bear little resemblance to the bare HTML pages of 1991. A focus on user experience has created increasing pressure to adapt pages to each user’s own interests. This is what defines a dynamic website: it offers different content to different users, who benefit from the tailored design. Dynamic sites supply this tailored feed via advanced scripts that sit alongside the core site code. Scripts can add further information to web pages, or pass user details and browsing habits on to third parties.

Client Vs Server Side – And the Security Implications

The difference between client-side and server-side scripts depends on where the code is executed. Web browsers are responsible for executing client-side scripting. Here, the source code that the site owner deploys on the web server travels to the user’s computer, before being run in the browser. Client-side scripts are generally written in JavaScript, CSS and HTML5. Server-side scripting, on the other hand, is reserved for tasks that interact with a database, or with other systems on the backend.

The modern software supply chain means that eCommerce and other site owners benefit from a wealth of third-party script options. Given the ROI- and efficiency-boosting capabilities that scripts bring, it comes as no surprise that many sites employ over 50 third-party or external scripts. These can provide live chat functions, traffic analytics and payment processing pages. If these scripts are developed by a third party, your organization has little or no insight into the data that’s traveling between the customer’s browser and the script provider. Though most of these providers will simply be analyzing the performance of their scripts and user behavior, unscrupulous providers may be signing your organization, and your users, up to a world of hurt. If a third-party provider is compromised, or actively malicious from the get-go, then a once-legitimate page can force a victim’s browser to download malware. Client-side languages such as HTML and JavaScript facilitate this because they are susceptible to Cross-Site Scripting (XSS) attacks.

In 2018, British Airways became the unfortunate multi-million-dollar victim of a severe XSS attack. The attacker, thought to be the cybercriminal group Magecart, made use of the airline’s eCommerce site, which allows customers to purchase flight tickets. With XSS, Magecart modified the site’s JavaScript files that were responsible for recording customer data. This data, and the shopping customer, would then be redirected to the attackers’ own server, cleverly named “baways”. In order to dodge any suspicion, Magecart even purchased a secure certificate for this server. A fraudulent payment page was also deployed, leading to the compromise of 420,000 customers and staff. The backlash to this breach was significant: alongside greatly tarnished customer trust, the Information Commissioner’s Office (ICO) issued its largest fine on record, of £20 million.

How Script Visibility is the Answer

The major concern with client-side security is that there is no inherent visibility between your organization and the scripts being processed by the client’s browser. The first step toward visibility is the automated, real-time classification of all JavaScript services operating on your site. This cannot realistically be done by hand, given the dozens of third-party scripts littering each site.

Once a thorough, in-depth inventory has been taken of the services funneling data through your web pages, the second phase of script visibility can begin. Offered by high-end security solution providers, this phase takes a deep dive into the functions of those JavaScript services. Monitoring the behavior of these third-party lines of code lets you take back control of your site: you can implement a series of checks and controls on what data they may handle, so that only pre-approved services execute. Changes within the JavaScript are not automatically accepted; all new changes are blocked until you authorize them. This prevents an attacker from poisoning your site via the very scripts you rely on.

Script visibility is a challenge facing many eCommerce and online businesses today. However, thanks to cutting-edge cloud security solutions, it’s possible to protect customers whilst retaining the valuable features offered by these scripts. 
