More and more organizations have built their public facing applications using third-party components and/or scripts due to the agility they offer in the development process. At the same time, we’ve seen a mounting number of attacks on the users of those applications.
Under the hood, this is because over time, some web application code is now loading in the user’s browser instead of on the server side. Due to this shift, users are now exposed to these third-party components, and the organizations employing them have no direct control over their security measures. This relationship amongst third-party scripts, application owners, and users is being exploited to launch supply chain attacks on the user’s device.
In this article, we’ll explore these new vulnerabilities and how organizations can address them to protect their users.
Several high profile attacks targeting the client-side of applications have caused substantial damages to organizations, starting in or around 2018. One of the most notable cases was an attack on British Airways customers, in which the attacker not only exfiltrated payment card details, but also the names and addresses of 500,000 customers. The attacker stole the information by compromising through using JavaScript.
Organizations who process customer payments are subject to Payment Card Industry Data Security Standard (PCI DSS) compliance requirements that are designed to protect and secure payment card account data.
Often, like in the case with British Airways, these attacks are performed without the knowledge of the website’s owner. To address this, the latest version of PCI DSS compliance acknowledges that the emerging threat of client-side attacks requires active protection to protect payment card holders from getting their card information stolen. PCI Data Security Standard (DSS) 4.0 introduces many new requirements that all merchants that accept card payments must meet compared to the previous version of PCI, but today we will focus on two new requirements relating to client-side security.
These two new requirements, 6.4.3 and 11.6.1, can be summarized as follows:
Requirement 6.4.3 requires merchants to track and properly inventory the scripts (e.g., JavaScripts) used on payment pages, as well as provide justification for why they are needed and whether their code behaves as intended.
To satisfy requirement 6.4.3, a Content Security Policy (CSP) header can be deployed. CSPs are a form of positive security model that can be defined to allow selected JavaScripts to run on the payment pages and deny-by-default any JavaScripts not explicitly allowed. A constantly running page monitor can help generate a CSP header, and continuously check the contents of these scripts for any malicious threats.
Requirement 11.6.1 pertains to alerting website owners of changes to the scripts (e.g., JavaScripts) used on payment pages as mentioned above, and the HTTP headers used to protect these scripts such as the CSP header. Depending on how this CSP header is deployed, reverse proxies or CDN providers can detect changes to it and notify the website owner accordingly. A combination of these solutions helps meet requirement 11.6.1.
By addressing both of these requirements, website owners can protect their users’ payment card account data from theft by threat actors, preserving trust with their users and reducing risk.
Third-party JavaScript dependencies, or supply chain attacks, are not the only client-side attack vectors. Some of the third-party dependencies can also call on their dependencies, which are sometimes called fourth-party dependencies – these can also be compromised.
The industry has taken steps to secure against supply chain attacks as much as possible in the past few years, and there is more general awareness of supply chain risk than there was 5 years ago. But, there are also other client-side risks that are less paid attention to, opening up a wider attack surface.
One risk lies in the user’s environment, the browser being used, and the operating system the browser runs in. When a user visits a website, browser extensions or any other software can directly inject JavaScripts to the website, altering the web pages. Though not all such injected JavaScripts are malicious, their effect ranges from advertisement injection to potentially stealing sensitive information.
Another example is cross-site scripting (XSS), where a malicious actor injects code into a legitimate website that will execute when the victim loads the website. From a client-side protection standpoint, such successful injections may look like JavaScripts served directly from the first-party, or the website itself where trust is assumed by default.
This is not a comprehensive list. To achieve a comprehensive level of protection, a client-side security solution should be able to monitor all scripts equally no matter their source, helping the website owner make informed decisions.
If you are a merchant accepting card payments, you have until March 31, 2025 to implement your approach to secure your client-side environment for PCI DSS v4.0. Cloudflare’s client-side security solution, Page Shield, can help ease the process of meeting these new and future requirements.
Beyond payment page protections, Cloudflare’s Page Shield also continuously monitors your entire website, checking each script against an in-house built and trained machine learning model that specializes in classifying Magecart attacks, protecting your users no matter how and where they are interacting with your website.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Learn more about how to strategically address all PCI requirements in the A strategic approach to maintaining PCI DSS 4.0 compliance whitepaper.
After reading this article you will be able to understand:
Key attack vectors targeting the client-side environment
2 new PCI compliance requirements
How to secure client-side environments and protect your customers
Related resources: