Are the JavaScript vulnerabilities on your website keeping you awake?

It isn’t that we want to keep you from getting your rest. But with all the havoc that hackers could be wreaking on your site by exploiting your first- and third-party JavaScript, we don’t want you to be lulled into a false sense of security, either.

Here’s a look at four things about client-side web attacks that should keep you up at night – and give you reason enough to put web app client-side protection on your immediate priority list.

Thing 1: Magecart attacks

First of all, what is a Magecart attack?

“Magecart” describes hackers or groups of hackers who use JavaScript malware to steal information that people enter on your website. Magecart attacks are a worry for websites in industries like retail, financial services and hospitality, where the target is credit card and payment information. They’re also a worry on health care-related websites, where patients enter information about their medical history.

A Magecart attacker may gain direct, “first-party” access to web code on your server side, then wait for your users and customers to enter information, for example, through a webform. Or, on the client side, it may compromise one of the many sources from which your site loads third-party JavaScript. Those sources are your legitimate partners in areas like social media and advertising. But if their servers are compromised, then all of their JavaScript subscribers, like you, point users toward Magecart malware.

Magecart attackers are not thought to be a vast, criminal cabal united under some ideology or agreement, but more likely small, competing groups with a similar technique. Their attacks are persistent and usually well-hidden: the British Airways exploit we described recently consisted of only 22 lines, buried under thousands of lines of normal code.

The next three things that should keep you up at night are types of Magecart attacks.

Thing 2: Formjacking

Formjacking is hijacking and modifying a webform or a part of a webform. A common use is to capture your users’ personally identifiable information (PII) without drawing attention, and the goal of formjacking is to stay active as long as possible.

Formjacking changes the way JavaScript is loaded in the client’s browser. It exploits either first-party code (if the attacker has compromised your server) or third-party code on the client side that runs when the user loads the page with your webform. The malicious code collects and transfers the information to a server under the attackers’ control.

It’s rare that users have any idea that they have been formjacked. As far as they can see, the page is behaving normally. For that matter, you as the site owner can go for months without realizing that user information is being stolen.
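
Both the third-party compromise described under Thing 1 and the changed script loading described here show up as a script that is either new to the page or no longer matches the copy you approved. The following is an added example, not code from this article or from Source Defense: it lists the external scripts in a page and compares each against an approved inventory of SHA-384 digests. The hosts, page markup, script bodies and function names are constructed for illustration.

```javascript
// Added example: audit the external scripts a page loads against an approved
// inventory. All hosts, paths and script bodies below are constructed samples.
const crypto = require("crypto");

// SRI-style digest of a script body: "sha384-<base64>".
const sri = (body) =>
  "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");

// Extract external script URLs (simplified regex; assumes quoted src values).
// Inline scripts have no src and are out of scope for this check.
function listScripts(html) {
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags
    .map((tag) => (tag.match(/\ssrc\s*=\s*["']([^"']+)["']/i) || [])[1])
    .filter(Boolean);
}

// inventory: Map of url -> approved digest. fetchBody(url) returns the script
// text currently served at that URL (a lookup table in this sample).
function auditScripts(html, inventory, fetchBody) {
  const findings = [];
  for (const url of listScripts(html)) {
    if (!inventory.has(url)) findings.push({ url, issue: "unauthorized" });
    else if (sri(fetchBody(url)) !== inventory.get(url))
      findings.push({ url, issue: "modified" });
  }
  return findings;
}

const approvedWidget = "function chat(){ /* vendor widget */ }";
const inventory = new Map([
  ["https://shop.example/js/checkout.js", sri("function pay(){}")],
  ["https://cdn.vendor.example/widget.js", sri(approvedWidget)],
]);
const served = {
  "https://shop.example/js/checkout.js": "function pay(){}",
  // The vendor's copy changed after approval: one line was appended.
  "https://cdn.vendor.example/widget.js": approvedWidget + "\n/* appended */",
  "https://stats.unknown.example/t.js": "/* never approved */",
};
const page = `<html><head>
<script src="https://shop.example/js/checkout.js"></script>
<script src='https://cdn.vendor.example/widget.js' async></script>
<script src="https://stats.unknown.example/t.js"></script>
<script>console.log("inline");</script>
</head></html>`;

const runSample = () => auditScripts(page, inventory, (url) => served[url]);
console.log(runSample());
```

A check like this only sees script tags present in the HTML it is given; scripts that other scripts inject at run time in the browser do not appear in that markup and need monitoring in the browser itself.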

Thing 3: Digital skimming

Digital skimming, as the name suggests, is the act of intercepting and stealing information when the user enters it on a compromised website. It takes its name from physical skimming exploits in which criminals place an illegitimate reader over the legitimate one on a gas pump or ATM.

Instead of a physical reader, a digital skimming exploit lays a transparent input mask over the real webform on your website. Again, your users see nothing unusual in the look and feel of the page, so they enter their information in good faith. The JavaScript that mimics your webform and captures the data is not easy to find. It usually lives in the code of a compromised server or in the client-side code that runs in the browser.

Thing 4: Credential harvesting

Credential harvesting is the practice of stealing user login information. It uses JavaScript to skim forms, fields, inputs or text areas for sensitive information with the goal of using the credentials to log on to other sensitive sites.

Suppose that you log on to the online banking portal where you manage your checking account. If attackers harvested your logon credentials (username, password, secret answer) from that site, they would likely use them to try to log on to the sites of other financial institutions.

It’s a common occurrence for unauthorized parties to obtain login credentials from an unknown source and attempt to access customer accounts. It’s also painful, both for your customers and your reputation. According to Verizon’s 2019 data breach investigations, 29% of breaches involved stolen credentials.


As galling as Magecart attacks may be, we have to point out that these problems are not being fully addressed in the world of website security.

About 98% of websites use JavaScript and are vulnerable targets for these Magecart attacks. The smart way to protect your website – and your users’ information – without incurring added burden for your teams – is to use JavaScript sandboxing from Source Defense.

Find out more about the Source Defense approach to web app client-side protection of your customers’ sensitive data.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.