Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Hadar Blutrich
Hadar Blutrich
Connect Directly
E-Mail vvv

Why CSP Isn't Enough to Stop Magecart-Like Attacks

As Magecart and formjacking attacks become more sophisticated, it's essential to address not only what services may interact with users, but what that interaction looks like and how to control it.

2019 left enterprises scrambling for security measures to tackle new threats such as formjacking and targeted attacks perpetrated by the group known as Magecart as well as other attackers leveraging the same techniques. Most, if not all, of the Magecart-style attacks started from a trusted domain, a third party, or the actual website domain. The British Airways attack started from its own domain, while Delta Airlines, Best Buy, Sears, and others started from trusted third-party domains.

Traditionally, security analysts have been quick to suggest Content Security Policy (CSP) as a valid technique to thwart these attacks. In reality, there are many gaps and vulnerabilities in using CSP as an end-all solution for monitoring and protecting websites and ensuring the end user or customer is in fact also protected from these attacks.

Unfortunately, using CSP alone to combat the threat posed by Magecart leaves large gaps and blind spots in the overall health, security, and functionality of a website. 

What Is a CSP?
CSP is implemented through an additional series of headers which a web server can send to a visitor's browser to define rules about what code, images, videos, and other files can be loaded by the browser. Put simply, the browser is given a list of domains to trust and from which it may retrieve content. If the web page attempts to load content from a domain not listed within the CSP definition provided by the web server, that content will not be loaded. 

CSP can be used to effectively prevent certain types of client-side attacks. In cases where external resources can be mapped beforehand, thoroughly investigated for malicious code, and be kept up to date through future releases, CSP can be a useful component of an overall anti-Magecart strategy. 

However, there are a few issues that show the disadvantages of CSP. Here are three of its biggest problems, as well as a few tips about how to address them.

CSP does allow the owner of a website to control where third-party code can come from, but it does not provide a robust or granular way of handling what that code does once it is executing in the browser. In some ways, this is analogous to giving the key to your business to a contractor and leaving them unsupervised; you are granting them access but have no control over their behavior once they have that access.

As Magecart-like attacks become more sophisticated, it is essential to address not only what services may interact with your visitor, but what that interaction looks like and how it may be controlled. 

More Work and Management Required
Implementing CSP requires an immense amount of effort because of configuration, subject matter expertise, and ongoing maintenance. Each new third-party service introduced into the website will require analysis by developers, the creation of new CSP directives, and changes to the web server application to deploy those new directives. Furthermore, this process may need to be repeated with each new release of any particular third-party service present. Lastly, this requires on-going governance and collaboration between digital media or marketing teams and application development, creating an additional organizational burden.

Third-party services frequently change their own internal architecture for a variety of reasons: feature enhancements, optimization, market conditions, etc. Any changes implemented by the third party may require reconfiguration of the CSP rules created for that service. 

While those changes are being made, the organization using that third-party service must make a decision between disabling CSP altogether and allowing that service to run with no security in place or discontinuing use of the service until a new CSP configuration can be developed in-house. 

Action Plan
Here are three simple steps organizations can take to assess their vulnerability and protect themselves better:

  • Perform a website threat analysis to see how vulnerable you really are from malicious attacks.
  • Understand what scripts on your website are running and detect ones that shouldn’t be there or aren't doing what they are intended to do.
  • Pay attention to similar industry attacks. If you are an e-commerce company and notice many attacks are in the news, do your homework on them. Make sure you aren't using the same systems — and if you are, that you are monitoring them efficiently.

Many organizations undervalue the importance of the code they deliver to a visitor's browser. The look, feel, interactivity, color scheme, and font choice may all be heavily scrutinized to ensure optimal customer satisfaction and return on investment. But often what is shown in the browser is thought of as a presentation layer rather than a vital part of the web application itself. 

Because client-side code is, in many cases, the core of the commerce engine the organization relies upon, it is essential to protect that code not only with the lock-and-key or whitelisting approach provided by CSP, but also robust, next-generation solutions which provide granular control over third parties and truly extend website security to the client side.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."

Hadar brings more than 15 years of varied executive experience, leading teams and developing multiple out of the box solutions. Formerly Chief Solution Architect at LivePerson global sales and alliances team, Hadar's can-do approach helped to close contracts worth millions of ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
3/22/2021 | 10:22:03 AM
Re: Great Points to Consider
The evolving threat landscape leaves no one safe. Interested to see as the world opens back up and people's guard lowers - what will the online marketplace look like.

[email protected],
User Rank: Apprentice
8/13/2020 | 6:19:57 AM
Re: Great Points to Consider
Clearly articulated article providing useful insight for website owners in understanding the limitations of CSP in protecting against possible client-side attacks and breach of data privacy, GDPR, CCPA etc.  Thank you Hadar
User Rank: Apprentice
3/11/2020 | 12:09:44 PM
Great Points to Consider
Great piece Hadar.   Website supply change vendors are in a constant state of change and your persepctive on how these attacks can be prevented without the burden associated with CSP is very helpful.  
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory w...
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on t...
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute w...
PUBLISHED: 2021-06-21
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some...
PUBLISHED: 2021-06-21
The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue