Dark Reading is part of the Informa Tech Division of Informa PLC

Hadar Blutrich

Why CSP Isn't Enough to Stop Magecart-Like Attacks

As Magecart and formjacking attacks become more sophisticated, it's essential to address not only what services may interact with users, but what that interaction looks like and how to control it.

2019 left enterprises scrambling for security measures to tackle new threats such as formjacking and targeted attacks perpetrated by the group known as Magecart as well as other attackers leveraging the same techniques. Most, if not all, of the Magecart-style attacks started from a trusted domain, a third party, or the actual website domain. The British Airways attack started from its own domain, while Delta Airlines, Best Buy, Sears, and others started from trusted third-party domains.

Traditionally, security analysts have been quick to suggest Content Security Policy (CSP) as a valid technique to thwart these attacks. In reality, there are many gaps and vulnerabilities in using CSP as an end-all solution for monitoring and protecting websites and ensuring the end user or customer is in fact also protected from these attacks.

Unfortunately, using CSP alone to combat the threat posed by Magecart leaves large gaps and blind spots in the overall health, security, and functionality of a website. 

What Is a CSP?
CSP is implemented through an HTTP response header (Content-Security-Policy) that a web server sends to a visitor's browser to define rules about which scripts, images, videos, and other resources the browser may load. Put simply, the browser is given a list of domains to trust and from which it may retrieve content. If the web page attempts to load content from a domain not listed in the CSP the web server provided, the browser refuses to load that content.

CSP can be used to effectively prevent certain types of client-side attacks. In cases where external resources can be mapped beforehand, thoroughly investigated for malicious code, and be kept up to date through future releases, CSP can be a useful component of an overall anti-Magecart strategy. 

However, there are a few issues that show the disadvantages of CSP. Here are three of its biggest problems, as well as a few tips about how to address them.

CSP does allow the owner of a website to control where third-party code can come from, but it does not provide a robust or granular way of handling what that code does once it is executing in the browser. In some ways, this is analogous to giving the key to your business to a contractor and leaving them unsupervised; you are granting them access but have no control over their behavior once they have that access.

As Magecart-like attacks become more sophisticated, it is essential to address not only what services may interact with your visitor, but what that interaction looks like and how it may be controlled. 
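A minimal evaluator for the domain allowlist described under "What Is a CSP?" makes this first problem concrete. It is an added example, not code from the article or from any vendor: the policy, hostnames and page origin are constructed, and only the host-source part of CSP matching is implemented (no nonces or hashes). The decision is made on the script's URL alone; nothing here can observe what an allowed script does once it runs.

```python
from urllib.parse import urlsplit

# Constructed sample policy for a fictional shop (assumption, not a policy from the article).
SAMPLE_POLICY = ("default-src 'self'; img-src *; "
                 "script-src 'self' https://cdn.example-analytics.test https://*.payments.test")

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _source_matches(expr, url, page_origin):
    """Minimal host-source matcher: 'self', scheme-only, host with optional *. prefix, port."""
    expr, u = expr.lower(), urlsplit(url)
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr.startswith("'"):                      # 'none', 'unsafe-inline', nonces, hashes
        return False                              # are not URL matches
    if expr.endswith(":"):                        # scheme source such as https:
        return u.scheme == expr[:-1]
    s = urlsplit(expr if "://" in expr else "//" + expr)
    if u.hostname is None or (s.scheme and s.scheme != u.scheme):
        return False
    if s.port is not None and s.port != u.port:
        return False
    host = s.hostname
    if host == "*":
        return True
    if host.startswith("*."):                     # *.payments.test does not match payments.test
        return u.hostname.endswith(host[1:])
    return host == u.hostname

def is_allowed(header, directive, url, page_origin):
    """True if `url` may load under `directive` (fetch directives fall back to default-src)."""
    # Note the limit: the decision uses the script's origin only, never what the code does
    # once an allowed origin serves it, which is the gap the article describes.
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:                           # no governing directive: browser allows
        return True
    return any(_source_matches(e, url, page_origin) for e in sources)

if __name__ == "__main__":
    for url in ("https://api.payments.test/checkout.js", "https://payments.test/checkout.js", "https://unlisted.test/x.js"):
        print(url, is_allowed(SAMPLE_POLICY, "script-src", url, "https://shop.example.test"))
```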

More Work and Management Required
Implementing CSP requires an immense amount of effort because of configuration, subject matter expertise, and ongoing maintenance. Each new third-party service introduced into the website will require analysis by developers, the creation of new CSP directives, and changes to the web server application to deploy those new directives. Furthermore, this process may need to be repeated with each new release of any particular third-party service present. Lastly, this requires ongoing governance and collaboration between digital media or marketing teams and application development, creating an additional organizational burden.

Third-party services frequently change their own internal architecture for a variety of reasons: feature enhancements, optimization, market conditions, etc. Any changes implemented by the third party may require reconfiguration of the CSP rules created for that service. 

While those changes are being made, the organization using that third-party service must make a decision between disabling CSP altogether and allowing that service to run with no security in place or discontinuing use of the service until a new CSP configuration can be developed in-house. 

Action Plan
Here are three simple steps organizations can take to assess their vulnerability and protect themselves better:

  • Perform a website threat analysis to see how vulnerable you really are from malicious attacks.
  • Understand what scripts on your website are running and detect ones that shouldn’t be there or aren't doing what they are intended to do.
  • Pay attention to similar industry attacks. If you are an e-commerce company and notice many attacks are in the news, do your homework on them. Make sure you aren't using the same systems — and if you are, that you are monitoring them efficiently.
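The second step above (knowing which scripts run and spotting ones that should not be there) can be partly operationalised with CSP's own violation reports, which also surface the maintenance churn described earlier whenever an approved vendor changes a hostname. This added example, not code from the article, ingests constructed report-uri JSON lines and separates blocks of approved vendors (policy work) from unexpected hosts (investigation work); the hostnames and approved list are invented.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: one CSP violation report per line in the legacy report-uri JSON shape
# ({"csp-report": {...}}). Hostnames are invented; this is not traffic from the article.
SAMPLE_REPORTS = """\
{"csp-report":{"document-uri":"https://shop.example.test/checkout","violated-directive":"script-src","blocked-uri":"https://cdn.example-analytics.test/v2/tag.js"}}
{"csp-report":{"document-uri":"https://shop.example.test/checkout","violated-directive":"script-src","blocked-uri":"https://cdn.example-analytics.test/v2/tag.js"}}
{"csp-report":{"document-uri":"https://shop.example.test/checkout","violated-directive":"connect-src","blocked-uri":"https://collect.unknown-host.test/p"}}
{"csp-report":{"document-uri":"https://shop.example.test/cart","violated-directive":"script-src","blocked-uri":"inline"}}
{"csp-report":{"document-uri":"https://shop.example.test/cart","violated-directive":"img-src","blocked-uri":"https://img.payments.test/logo.png"}}
"""

# Vendors the site team has approved (constructed). Triage compares violations against it.
APPROVED_HOSTS = {"cdn.example-analytics.test", "api.payments.test"}

def parse_reports(text):
    """Yield (directive, blocked_uri) for each newline-delimited report-uri JSON record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line).get("csp-report", {})
        # Browsers send the directive as 'effective-directive' (newer) or 'violated-directive'.
        directive = (r.get("effective-directive") or r.get("violated-directive") or "unknown").split()[0]
        yield directive, r.get("blocked-uri", "")

def triage(text, approved_hosts):
    """Count violations per (directive, host) and split them into two buckets.

    known: an approved vendor is being blocked, so the vendor changed a hostname or the
           directive was never written (the maintenance churn described in the article).
    unexpected: a host nobody approved, i.e. a script or request worth investigating.
    """
    counts = Counter()
    for directive, blocked in parse_reports(text):
        host = urlsplit(blocked).hostname or blocked       # 'inline', 'eval', 'data' keep as-is
        counts[(directive, host)] += 1
    known, unexpected = {}, {}
    for key, n in counts.items():
        (known if key[1] in approved_hosts else unexpected)[key] = n
    return known, unexpected

if __name__ == "__main__":
    known, unexpected = triage(SAMPLE_REPORTS, APPROVED_HOSTS)
    for label, bucket in (("approved vendor blocked", known), ("UNEXPECTED host", unexpected)):
        for (directive, host), n in sorted(bucket.items()):
            print(f"{label:24} {directive:12} {host:30} x{n}")
```

Deploying the policy as Content-Security-Policy-Report-Only first yields the same reports without blocking anything, which is how the approved-vendor bucket can be drained before enforcement.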

Many organizations undervalue the importance of the code they deliver to a visitor's browser. The look, feel, interactivity, color scheme, and font choice may all be heavily scrutinized to ensure optimal customer satisfaction and return on investment. But often what is shown in the browser is thought of as a presentation layer rather than a vital part of the web application itself. 

Because client-side code is, in many cases, the core of the commerce engine the organization relies upon, it is essential to protect that code not only with the lock-and-key or whitelisting approach provided by CSP, but also robust, next-generation solutions which provide granular control over third parties and truly extend website security to the client side.


Hadar brings more than 15 years of varied executive experience, leading teams and developing multiple out-of-the-box solutions. Formerly Chief Solution Architect at LivePerson's global sales and alliances team, Hadar's can-do approach helped to close contracts worth millions of ...

Comments

8/13/2020 | 6:19:57 AM
Re: Great Points to Consider
Clearly articulated article providing useful insight for website owners in understanding the limitations of CSP in protecting against possible client-side attacks and breach of data privacy, GDPR, CCPA, etc. Thank you, Hadar.

3/11/2020 | 12:09:44 PM
Great Points to Consider
Great piece, Hadar. Website supply chain vendors are in a constant state of change, and your perspective on how these attacks can be prevented without the burden associated with CSP is very helpful.