Third-party vendors are a weak link in the website supply chain. Here we look at best practices for preventing your customers’ personal information from being compromised through a JavaScript injection attack.
Business websites today rely on an ever-expanding ecosystem of third-party suppliers to provide an exceptional user experience. Third-party JavaScript is used to implement ads, analytics, chatbots, plug-ins, trackers and social media buttons to provide functionality, boost engagement with users and help marketers collect valuable visitor data.
The average retail website now uses between 40 and 60 third-party technologies to create its online experience, and retailers say they plan to add an average of 3 to 5 new third-party technologies to their sites throughout 2019.
However, many businesses don’t realize the security risk these third-party scripts can pose. Supply chain cyberattacks, in which criminals exploit third-party services and software to compromise their target, are on the rise.
JavaScript injects
What do all these attacks have in common? Malicious injects. Injection attacks occur when a hacker adds or injects their own instructions into an existing authorized application execution process. Commonly, attackers compromise a third-party script so that every site on which it runs is affected at once.
The situation is worsened as many organizations have almost no visibility into their web-facing assets and the way their users interact with them. Third-party JavaScript only executes once it is delivered into a client’s browser, making it harder for administrators to detect malicious activity. Because of this, experts say these threats have become the ‘go-to’ method for cybercriminals to target organizations and their customers’ PII.
According to a 2018 survey by the Ponemon Institute, 59 percent of companies have experienced a data breach caused by one of their vendors or third parties. Despite this, organizations have exponentially increased their dependency on third- and even fourth- and fifth-party technologies, on average sharing confidential and sensitive information with a staggering 583 outside parties.
Nevertheless, many still don’t know how to best manage these relationships to ensure their supply chain is secure. Only 34 percent keep a comprehensive inventory of their third parties, a figure that drops down to 15 percent for ‘Nth’ parties.
Magecart: Masters of the supply chain attack
The uptick in cybercriminals exploiting third parties correlates directly with the rise of the hacking ‘supergroup’ Magecart, which has been employing this tactic to great success in recent years. Magecart operatives will inject malicious JavaScript to steal data from online payment forms – a process known as formjacking or web skimming – typically on checkout pages. But their favoured method for gaining access to the websites is via vulnerable third parties that supply code to the sites.
Earlier this year Trend Micro researchers reported a JavaScript attack on Adverline, a French advertising company. As part of the Magecart campaign, the attack affected ecommerce sites that partner with Adverline. This chart shows how the supply chain attack worked:
Image: Trend Micro
JavaScript security best practices
The Ponemon Institute recommends these best practices for ensuring that your third-party vendors aren’t leaving the backdoor open to criminals: conduct regular audits and assessments to evaluate the security and privacy practices of third parties, and track all third parties that have access to sensitive data and how many of them share this data with others. In addition, it advises involving senior leadership, as high-level attention to third-party risk may increase the budget available to address these threats.
In addition to these measures, you should continually monitor and analyze all the third-party scripts running on your website and implement client-side website security. Ensighten’s MarSec™ solution can help keep your website secure from malicious JavaScript injection attacks:
- Real-time website monitoring: Monitoring of all network requests coming into or going out of the website to detect potential malicious threats
- Automated website privacy audit and alerts: Detect risks to your organization’s data privacy rules – website scanning will check for unapproved technologies that may have access to your customer data
- Masking of sensitive data: Determine unique data patterns to prevent sensitive data being exposed within the URL and passed to unauthorized third-party technologies
- Allow and block third-party technologies: Define permissions for approved third-party vendors you choose to allow to access data – or block them from receiving specific types of data
- Privacy gateways: Block unknown and unwanted website trackers, technologies and tags from firing on site and collecting sensitive customer data
- Blocking of unauthorized network calls: Block Magecart-style attacks, CSS hacks and man-in-the-browser attacks to protect end users and stop data leakage
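The monitoring and blocking items above rest on one decision: is the destination of a network call an approved third party? The added example below (not Ensighten or MarSec code; all hostnames are constructed placeholders) encodes such an allowlist, emits the Content-Security-Policy header that has the browser enforce it, and wraps `fetch` to report or block calls the list would refuse.

```javascript
// Added example, not Ensighten code: an allowlist of approved third-party
// destinations, the CSP header that has the browser enforce it, and a fetch
// wrapper that reports calls the list would block. Hostnames are constructed.
const policy = {
  pageOrigin: "https://shop.example",
  // Approved sources per directive; "*.host" covers subdomains only, as in CSP.
  connect: ["'self'", "https://analytics.vendor-a.example", "https://*.cdn-b.example"],
  formAction: ["'self'"],
  script: ["'self'", "https://tags.vendor-a.example", "https://*.cdn-b.example"],
};
// Does one allowlist entry cover the URL's scheme and host?
function originMatches(entry, url) {
  if (entry.startsWith("'")) return false;          // keywords handled by caller
  const [scheme, host] = entry.split("://");
  if (scheme + ":" !== url.protocol) return false;  // no http downgrade of an https vendor
  if (host.startsWith("*.")) return url.host.endsWith(host.slice(1));
  return url.host === host;
}
// Is a destination approved under a directive? Relative URLs resolve against
// the page and are therefore first-party ('self').
function isAllowed(directive, target) {
  const url = new URL(target, policy.pageOrigin);
  if (url.origin === policy.pageOrigin) return true;
  return policy[directive].some((entry) => originMatches(entry, url));
}
// Header that makes the browser enforce the same list. Report-only mode
// monitors violations without breaking the checkout while the list is tuned.
function buildCsp(reportOnly) {
  const directives = [
    `connect-src ${policy.connect.join(" ")}`,
    `form-action ${policy.formAction.join(" ")}`,
    `script-src ${policy.script.join(" ")}`,
    "report-uri /csp-report",
  ];
  const name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return { name, value: directives.join("; ") };
}
// Telemetry wrapper for scripts already in the page: reports (and optionally blocks)
// connect-src violations. A script that loads first can bypass it, so the CSP header stays the enforcement layer.
function wrapFetch(realFetch, onViolation, block = false) {
  return function monitoredFetch(input, init) {
    const target = typeof input === "string" ? input : input.url;
    if (!isAllowed("connect", target)) {
      onViolation({ directive: "connect-src", target, blocked: block });
      if (block) return Promise.reject(new TypeError("blocked by third-party policy"));
    }
    return realFetch(input, init);
  };
}
```

Serve `buildCsp(true)` first and review the reports at `/csp-report`; once the allowlist is complete, switch to `buildCsp(false)` so the browser itself refuses calls to unapproved origins.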
You’re only as strong as your weakest link. Speak to Ensighten about how you can prevent JavaScript injection attacks and the data leakage they cause.

Ensighten
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.