Client-side web application attacks are like the Kardashians. They’re everywhere, they’re annoying, and have the potential to cause catastrophic impacts wherever they are found. These threats represent an area of 3rd party risk for any web property conducting transactions or collecting sensitive information — with organizations across retail, healthcare, financial services, hospitality, and so on, falling victim in recent months and years. To combat these hacks and mitigate future threats, it’s critical for InfoSec teams at all levels of the business to understand why and how vulnerabilities in your 3rd party digital supply chain can lead to these client-side attacks.

How are bad actors using your digital supply chain to enable these attacks? What makes it so easy for them to do it, and so hard for most organizations to detect at the current time? The answer is an overlooked and almost ubiquitous hole in web security, one that could allow hackers to access millions of sensitive pieces of data, leaving you with costly and reputation-damaging repercussions. Now more than ever, InfoSec teams need to prioritize finding effective solutions to protect their business and clients from client-side web application attacks and the potential fines and legal action that will likely ensue if a data breach occurs.

To help you make sense of it all and to jumpstart your journey towards mitigating this risk, we’ve put together a list of the top three things you need to understand about client-side web application attacks, which vulnerabilities lead to them, and how prevention-first client-side web application security is the ultimate solution.

1. Your 3rd Party Digital Supply Chain is Leaving Your Business Open to Client-Side Web Application Attacks 

3rd party partners are critical to the performance of your web properties: they power analytics, drive interaction, support multimedia, drive and enable transactions, support development, etc. But they can also become the channel through which the sensitive and privacy-protected data you are collecting is delivered to cybercriminals. These partners add a lot of value to your website, but they have also become a preferred attack vector. The 3rd, 4th and nth party script they run on the client-side is effectively shadow code that you are serving to your visitors, and that code is being manipulated to enable client-side attacks. These types of attacks are so common that:

  • In 2022, we’ve already seen hundreds of attacks including a high-profile attack on Segway.
  • In November 2021, the National Cyber Security Centre (NCSC) announced that 4,151 retailers had been compromised by hackers attempting to steal customers’ payment information and other personal data via client-side vulnerabilities on checkout pages.
  • Throughout 2021 hundreds of attacks occurred on a monthly basis. 
  • And back in 2020, cybercriminals used the same techniques to compromise an estimated 2,800 retailers, injecting malicious code to steal the payment details of hundreds of thousands of customers. 

The problem here is that cybercriminals are lurking in the shadows and taking advantage of a backdoor security hole in JavaScript that most organizations fail to recognize. Regardless of its source, every script that runs in the page gets the same level of control on the client-side. Therefore, the 3rd party code driving your site has the same complete read and write access to the page as your own code. And like a thief in the night, cybercriminals leverage this vulnerability to hijack sensitive data, including customers' personal and financial information.

For more information on how cybercriminals leverage 3rd party JavaScript to infiltrate your site, get your copy of our white paper, The Hidden Risk in Your Digital Supply Chain.

2. Form Submission Data is The Most Commonly Attacked and Accessed Data

The most common client-side web application attack occurs via form submissions. Better known as formjacking, this type of cyber attack occurs when cybercriminals compromise scripts, using 3rd party applications or plugins as a way into the web session. This lets the hackers gain control over the point where sensitive information is entered, such as the submission form used to make a purchase.

Formjacking occurs when cybercriminals inject malicious JavaScript code into a site (through the security hole discussed above) to gain read/write access to other forms and pages on that site that utilize JavaScript. Once control of the JavaScript has been seized, the page will appear to operate as normal to visitors. Thus, visitors will feel comfortable providing their personal information in a form on this page while unknowingly placing it directly into the hands of criminals.

These attacks typically result in:

  • Purchases being processed by the cybercriminals using your clients' credit card information
  • This private information being sold to various bidders on the dark web
  • Identity theft scams

3. Focusing Only On Securing the Server-Side and Neglecting Client-Side Security is a Huge Mistake

Let's call it like it is: server-side protections such as web application firewalls (WAFs) are not enough to call your site secure. The problem is that once a cybercriminal's code is injected into a web session, it has already bypassed the protection of server-side security. The code is dynamically downloaded from a remote server, which means that it bypasses the traditional security infrastructure, including the retailer's firewalls and WAFs. Additionally, there is no way to use server-side security solutions to prevent criminal code from exfiltrating data or executing other malicious activity from a customer's browser.

Consider this: large corporations like Ticketmaster, Segway, and British Airways all invested heavily to protect their customer data, yet all three (and many more) have experienced client-side web application attacks very recently. Plus, since 2017, 150 million payment cards were detected as being compromised via client-side attacks, with cybercriminals attempting to monetize the cards on the dark web for an estimated total of $37 billion.

With that in mind, it's time to focus on prevention-first client-side web application security.

Client-Side Web Application Security is Vital to Protecting Client Data

The most important step in securing client-side web apps and mitigating 3rd-party risk is to prevent attacks before they occur. Source Defense is designed to do just that: prevent attacks in the first place. With real-time sandbox isolation and reflection, Source Defense ensures that none of the JavaScript running on your sites, including 3rd (or 4th, 5th, 6th+) party code, can be used as an attack vector.

Prevention-first client-side web application security protects your site from:

  • Digital skimming
  • Formjacking
  • Magecart attacks
  • And other client-side security threats

Final Thoughts

While client-side web app security should be every online organization’s top priority, the last thing you need is another tool to burden your team with alerts. We get it. Source Defense is easy to deploy, doesn’t burden your teams with more alerts, and is typically managed with fewer than 5 hours per month. Sounds pretty cool, huh? We think so too. But it’s not just cool, it’s essential. 

Request a demo to start protecting your site, your business, and your clients.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
