Malicious scripts are code fragments that, among other places, can be hidden in otherwise legitimate websites whose security has been compromised. They are perfectly baited for victims, who tend not to be suspicious because they are visiting a trusted website.

Any time malicious JavaScript is loaded onto a critical page, for instance a payment page, it has the potential to wreak havoc. The Magecart script, specifically, exfiltrates the same data using the same method each time: when a user submits a form, the information is skimmed and then sent to a server controlled by the attackers. Some internet experts have offered quick fixes to prevent malicious JavaScript from exfiltrating data from payment pages, like putting the form in an iframe or randomizing the form and input field names. While these controls may be useful against this particular variant of the attack, they do not provide a comprehensive defense against the many variations of attacks in the same category.

Put simply, the way to stay out of reach of these attacks is to avoid giving client applications, such as web browsers, bad code to run in the first place. You can prevent this from happening by using a number of scenario-specific strategies, such as protecting against cross-site scripting attacks, protecting against compromised code libraries, and following best practices to prevent web servers from being compromised. The idea behind these strategies is to shift left, and to ensure that security controls are applied to your software from the earliest stages of the software development lifecycle (SDLC).
