Protecting Websites from Magecart and Other In-Browser Threats

The Rise of Third-Party Scripts

Modern web applications have become increasingly reliant on external code, services and vendors that execute JavaScript code in the browser… often referred to as third-party scripts. As a close-to-home example shown below, Akamai executes dozens of scripts to populate our home page.  Nearly 70% of these scripts come from outside sources.


Partial Request Map View of 


We, like almost all other internet-based businesses, use third-party scripts because they enhance the web experience, are easy to add and modify, promote a consistent web experience and are pre-integrated and maintained by the third parties.  In fact, web sites today average 56% third-party scripts (Akamai has 68% third-party).

Source: Security and Frontend Performance, Challenge of Today: Rise of Third Parties, Akamai Technologies and O’Reilly Media, 2017


The Security Challenge

Magecart – a class of credit card hacker groups using new & more sophisticated attack methods has become the “poster child” of third-party scripts attacks.


Because third-party scripts come from a myriad of trusted and untrusted sources in a business’s supply chain, the attack surface for web-facing applications has become significantly larger and harder to protect.  Sites that use credit card processing are at constant risk – in fact out of the tens of thousands of sites hit with Magecart in the last few years, 1 in 5 victims are re-infected, often within months of the last attack.

Source: Sangine Security, 2018.

Unfortunately, most application protection solutions today have tried to retrofit existing techniques to prevent third-party script threats using firewall and policy controls. When rigorously applied, this approach can restrict open business practices and the advantage of third-party scripts. And, when applied to loosely, can miss a lot of attacks.

The primary way, security teams keep their scripts clean, is via constant script review and testing… which is really hard.

Because of this constant, time consuming, invisible challenge for security teams to be able to detect and mitigate third-party script attacks, it often isn’t done making injecting malicious code into web pages via third-party Javascripts one of the most popular attack methods for credit card and credential skimming today. In 2019, an average of 4800 websites were compromised from third-party injected code every month, a 78% increase over 2018.

Source: Symantec 2019 Internet Security Threat Report

Akamai Page Integrity Manager

Page Integrity Manager is designed to discover and assess the risk of new or modified JavaScript, control third-party access to sensitive forms, and enable automated mitigation. The solution fully monitors the behavior of each JavaScript workload in the session, through a series of detection layer, using machine learning model, heuristics, signatures and risk score model. This advanced approach identifies suspicious and malicious behavior, enable automated mitigation using policy-based controls, and block bad actors using Akamai threat intelligence to improve accuracy.

Prevented Threats



  • Behavioral detection technology constantly analyses the behavior of script execution, in real-user sessions, to identify suspicious, or outright malicious behavior and notify security teams with timely and actionable insights.
  • Outgoing network monitoring and script Intelligence: monitor network requests and know what real users are downloading and executing when they interact with your brand to detect potential malicious threats.
  • CVEs detection: continuously check all web resources, seen on the web application against open Common Vulnerabilities and Exposures database, to identify existing known vulnerabilities in runtime JavaScript code.
  • Edge Injection for rapid enablement: Page Integrity Manager is injected at the CDN level, easy to deploy, no code needed. 
  • Policy management: control your runtime JavaScript execution by optionally craft policies that monitor and/or restrict access to cookies, network destinations, local storage, sensitive data inputs, or DOM events per originating domains

Akamai will be launching Page Integrity Manager in 2020.

We are inviting customers to participate in a valuable beta project with a working product to help you be protected from malicious scripts.

To learn more, download our Beta Product Brief.

Join our beta program today by contacting your Akamai sales team.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Mike Kane. Read the original post at: