Top 3 things to know about client-side web application attacks

Client-side web application attacks are like the Kardashians. They are everywhere, they are annoying and they have the potential to cause catastrophic impacts wherever they are found. These threats represent a third-party risk area for any web property that transacts or collects sensitive information, with organizations in retail, healthcare, financial services, hospitality, etc., having fallen victim in recent months and years. To combat these attacks and mitigate future threats, it is critical that InfoSec teams at all levels of the business understand why and how vulnerabilities in their third-party digital supply chain can lead to these client-side attacks.

How are bad actors using your digital supply chain to enable these attacks? What makes it so easy for them to do, and so hard for most organizations to spot at present? The answer is an overlooked and nearly ubiquitous hole in web security, one that can give hackers access to millions of sensitive data records, leaving you with costly and reputation-damaging repercussions. Now more than ever, InfoSec teams must prioritize finding effective solutions to protect their businesses and customers from client-side web application attacks and from the fines and legal action likely to follow a data breach.

To help you understand it all and jumpstart your journey toward mitigating this risk, we’ve put together a list of the top three things you need to understand about client-side web application attacks, the vulnerabilities that drive them, and how client-side web application security that prioritizes prevention is the ultimate solution.

1. Your third-party digital supply chain is leaving your business open to client-side web application attacks

Third-party partners are critical to the performance of your web properties: they drive analytics, they drive engagement, they support multimedia, they drive and enable transactions, they support development, and so on. But they are also the key that hands cybercriminals access to the sensitive and privacy-protected data you collect. These partners add a lot of value to your website, but they have also become a preferred attack vector. The third-, fourth- and nth-party scripts they execute on the client side are effectively shadow code that you are serving to your visitors, and that code is being manipulated to enable client-side attacks. These attacks are so common that:

  • In 2022, we have already seen hundreds of attacks, including a high-profile attack on Segway.
  • In November 2021, the National Cyber Security Centre (NCSC) announced that 4,151 retailers had been compromised by hackers attempting to steal customers’ payment information and other personal data through client-side vulnerabilities on payment pages.
  • Throughout 2021, hundreds of attacks happened every month.
  • And in 2020, cybercriminals used the same techniques to compromise approximately 2,800 retailers, injecting malicious code to steal the payment details of hundreds of thousands of customers.

The problem here is that cybercriminals lurk in the shadows and take advantage of a back-door security hole in JavaScript that most organizations don’t recognize. Regardless of its source, JavaScript gives every script the same level of control on the client side, so the third-party code that drives your site has the same full access to the page, and the same ability to modify it, as your own code. And like a thief in the night, cybercriminals take advantage of this to hijack sensitive data, including customers’ personal and financial information.

To learn more about how cybercriminals leverage third-party JavaScript to infiltrate your site, get your copy of our white paper, The hidden risk in your digital supply chain.

2. Form submission data is the most commonly attacked and accessed data

The most common client-side web application attack occurs through form submissions. Better known as formjacking, this type of cyber attack occurs when cybercriminals compromise the scripts of third-party applications or plugins as a way into the web session. This allows hackers to gain control over the entry point where sensitive information is provided, such as the form a customer submits to make a purchase.

Formjacking occurs when cybercriminals inject malicious JavaScript code into a site (via the security hole mentioned above) to gain read/write access to the forms and pages that use JavaScript on that site. Once control of the JavaScript has been taken, the page appears to operate normally to visitors. Visitors therefore feel comfortable providing their personal information in a form on that page, while unknowingly handing it directly to criminals.
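The shadow-code problem above, as an added example that is not part of the original post or Source Defense’s product: a small inventory routine that, run over a saved copy of a page, lists every script the page serves and classifies it as first-party, third-party or inline, since each of them runs with the same access to your forms. The page URL, first-party host list and sample HTML are constructed for the demonstration.

```javascript
// Added example, not Source Defense's code: inventory the scripts a captured
// page serves and flag those from hosts you do not control. Every entry runs
// with the same DOM access as your own code, so the non-first-party ones are
// the "shadow code" the post describes. Assumptions: `html` is a saved copy of
// your page, `firstPartyHosts` lists hosts you own; the sample is constructed.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Turn the raw attribute text of one <script> tag into a name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Classify each script as first-party, third-party or inline, and note whether
// an external script carries a Subresource Integrity hash.
function inventoryScripts(html, pageUrl, firstPartyHosts) {
  const firstParty = new Set(firstPartyHosts.map((h) => h.toLowerCase()));
  const found = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.src === undefined) {
      found.push({ src: null, host: null, party: "inline", hasIntegrity: false });
      continue;
    }
    let host = null;
    try { host = new URL(attrs.src, pageUrl).host.toLowerCase(); } catch { /* malformed src */ }
    found.push({
      src: attrs.src,
      host,
      party: host !== null && firstParty.has(host) ? "first" : "third",
      hasIntegrity: attrs.integrity !== undefined,
    });
  }
  return found;
}

// Everything that is not code you wrote and host yourself.
function shadowCode(html, pageUrl, firstPartyHosts) {
  return inventoryScripts(html, pageUrl, firstPartyHosts).filter((s) => s.party !== "first");
}

// Constructed sample checkout page: one first-party, one third-party, one inline script.
const SAMPLE_HTML = `<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-analytics.net/tag.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="checkout"><input name="card"></form></body></html>`;
console.log(shadowCode(SAMPLE_HTML, "https://shop.example.com/checkout", ["shop.example.com"]));
```

Anything the inventory lists as third-party or inline is code that can read the same checkout form as your own, which is the set a client-side security review should start from.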

These attacks usually result in:

  • Purchases processed by cybercriminals using your customers’ credit card information
  • Sale of this private information to various bidders on the dark web
  • Identity theft scams

3. Focusing only on server-side protection and neglecting client-side security is a big mistake

Let’s call it what it is: server-side protections like a web application firewall (WAF) are not enough to call your site safe. The problem is that once a cybercriminal’s code is injected into a web session, it has already bypassed server-side security protection. The code is dynamically downloaded from a remote server, which means it bypasses traditional security infrastructure, including retailer firewalls and WAFs. Furthermore, there is no way for server-side security solutions to prevent criminal code from extracting data or performing other malicious actions from within a client’s browser.

Consider this: big corporations like Ticketmaster, Segway and British Airways invested heavily to protect their customers’ data, but still remained vulnerable to client-side attacks. All three (and many more) of these organizations have experienced client-side web application attacks very recently. Plus, since 2017, 150 million payment cards have been detected as compromised through client-side attacks, with cybercriminals trying to monetize the cards on the dark web for an estimated $37 billion.

With that said, it’s time to focus on client-side web application security that prioritizes prevention.

Client-side web application security is vital to protecting customer data

The most important step in protecting client-side web applications and mitigating third-party risk is preventing attacks before they happen. Source Defense is designed to do just that: prevent attacks in the first place. With real-time sandbox isolation and reflection, Source Defense ensures that none of the JavaScript running on your sites, including third-party (or fourth-, fifth-, sixth-party and beyond) scripts, can be used as an attack vector.

Prevention-first client-side web application security protects your site from:

  • Digital skimming
  • Formjacking
  • Magecart attacks
  • And other security vulnerabilities

Final thoughts

While client-side web application security should be the top priority of every online organization, the last thing you need is yet another tool to burden your team with alerts. We understand. Source Defense is easy to deploy, doesn’t burden your teams with more alerts, and is typically managed in less than 5 hours per month. Sounds great, huh? We think so too. But it’s not just great, it’s essential.

Request a demo to start protecting your site, your business and your customers.

The post Top 3 things to know about client-side web application attacks appeared first on Source Defense.

*** This is a syndicated Security Bloggers Network blog from Blog – Source Defense written by [email protected]. Read the original post at: https://sourcedefense.com/resources/top-3-things-you-need-to-know-about-client-side-web-application-attacks/
