Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/11/2020
10:00 AM
Hadar Blutrich
Hadar Blutrich
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Why CSP Isn't Enough to Stop Magecart-Like Attacks

As Magecart and formjacking attacks become more sophisticated, it's essential to address not only what services may interact with users, but what that interaction looks like and how to control it.

2019 left enterprises scrambling for security measures to tackle new threats such as formjacking and targeted attacks perpetrated by the group known as Magecart as well as other attackers leveraging the same techniques. Most, if not all, of the Magecart-style attacks started from a trusted domain, a third party, or the actual website domain. The British Airways attack started from its own domain, while Delta Airlines, Best Buy, Sears, and others started from trusted third-party domains.

Traditionally, security analysts have been quick to suggest Content Security Policy (CSP) as a valid technique to thwart these attacks. In reality, there are many gaps and vulnerabilities in using CSP as an end-all solution for monitoring and protecting websites and ensuring the end user or customer is in fact also protected from these attacks.

Unfortunately, using CSP alone to combat the threat posed by Magecart leaves large gaps and blind spots in the overall health, security, and functionality of a website. 

What Is a CSP?
CSP is implemented through an additional series of headers which a web server can send to a visitor's browser to define rules about what code, images, videos, and other files can be loaded by the browser. Put simply, the browser is given a list of domains to trust and from which it may retrieve content. If the web page attempts to load content from a domain not listed within the CSP definition provided by the web server, that content will not be loaded. 

CSP can be used to effectively prevent certain types of client-side attacks. In cases where external resources can be mapped beforehand, thoroughly investigated for malicious code, and be kept up to date through future releases, CSP can be a useful component of an overall anti-Magecart strategy. 

However, there are a few issues that show the disadvantages of CSP. Here are three of its biggest problems, as well as a few tips about how to address them.

CSP does allow the owner of a website to control where third-party code can come from, but it does not provide a robust or granular way of handling what that code does once it is executing in the browser. In some ways, this is analogous to giving the key to your business to a contractor and leaving them unsupervised; you are granting them access but have no control over their behavior once they have that access.

As Magecart-like attacks become more sophisticated, it is essential to address not only what services may interact with your visitor, but what that interaction looks like and how it may be controlled. 

More Work and Management Required
Implementing CSP requires an immense amount of effort because of configuration, subject matter expertise, and ongoing maintenance. Each new third-party service introduced into the website will require analysis by developers, the creation of new CSP directives, and changes to the web server application to deploy those new directives. Furthermore, this process may need to be repeated with each new release of any particular third-party service present. Lastly, this requires on-going governance and collaboration between digital media or marketing teams and application development, creating an additional organizational burden.

Third-party services frequently change their own internal architecture for a variety of reasons: feature enhancements, optimization, market conditions, etc. Any changes implemented by the third party may require reconfiguration of the CSP rules created for that service. 

While those changes are being made, the organization using that third-party service must make a decision between disabling CSP altogether and allowing that service to run with no security in place or discontinuing use of the service until a new CSP configuration can be developed in-house. 

Action Plan
Here are three simple steps organizations can take to assess their vulnerability and protect themselves better:

  • Perform a website threat analysis to see how vulnerable you really are from malicious attacks.
  • Understand what scripts on your website are running and detect ones that shouldn’t be there or aren't doing what they are intended to do.
  • Pay attention to similar industry attacks. If you are an e-commerce company and notice many attacks are in the news, do your homework on them. Make sure you aren't using the same systems — and if you are, that you are monitoring them efficiently.

Many organizations undervalue the importance of the code they deliver to a visitor's browser. The look, feel, interactivity, color scheme, and font choice may all be heavily scrutinized to ensure optimal customer satisfaction and return on investment. But often what is shown in the browser is thought of as a presentation layer rather than a vital part of the web application itself. 

Because client-side code is, in many cases, the core of the commerce engine the organization relies upon, it is essential to protect that code not only with the lock-and-key or whitelisting approach provided by CSP, but also robust, next-generation solutions which provide granular control over third parties and truly extend website security to the client side.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."

Hadar brings more than 15 years of varied executive experience, leading teams and developing multiple out of the box solutions. Formerly Chief Solution Architect at LivePerson global sales and alliances team, Hadar's can-do approach helped to close contracts worth millions of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DanDinnar
50%
50%
DanDinnar,
User Rank: Author
3/22/2021 | 10:22:03 AM
Re: Great Points to Consider
The evolving threat landscape leaves no one safe. Interested to see as the world opens back up and people's guard lowers - what will the online marketplace look like.

 
Fiona@sourcedefense
100%
0%
[email protected],
User Rank: Apprentice
8/13/2020 | 6:19:57 AM
Re: Great Points to Consider
Clearly articulated article providing useful insight for website owners in understanding the limitations of CSP in protecting against possible client-side attacks and breach of data privacy, GDPR, CCPA etc.  Thank you Hadar
adamceder
100%
0%
adamceder,
User Rank: Apprentice
3/11/2020 | 12:09:44 PM
Great Points to Consider
Great piece Hadar.   Website supply change vendors are in a constant state of change and your persepctive on how these attacks can be prevented without the burden associated with CSP is very helpful.  
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32697
PUBLISHED: 2021-06-21
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form F...
CVE-2020-19510
PUBLISHED: 2021-06-21
Textpattern 4.7.3 contains an aribtrary file load via the file_insert function in include/txp_file.php.
CVE-2020-19511
PUBLISHED: 2021-06-21
Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes,
CVE-2021-21422
PUBLISHED: 2021-06-21
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however ...
CVE-2021-0532
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185196177