Content Security Policy (CSP): Not Exactly a Magecart Vaccine

With millions of buyers escalating their online activity ahead of Black Friday and the holiday season, it’s important for eCommerce websites and online businesses to combat Magecart and web-skimming issues in a proactive and relentless manner. Can the proven and tested Content Security Policy (CSP) get the job done? Without further adieu, let’s dive into it.

CSP: Is it enough?

DevOps Connect:DevSecOps @ RSAC 2022

Modern eCommerce websites and business platforms are using external code to cover multiple bases. This includes third-party applications for accounting, finance, payment gateways, email marketing, and content services. More often than not, there are at least 50 third-party apps in play at any given time.

Unfortunately, it’s not always a bed of roses. Besides the aforementioned advantages, eCommerce businesses have to deal with cybercrime, supply chain attacks, breaches, financial damages, accountability, and reputational damage. This is before we even start dealing with compliance and safety audits.


Magecart: Wreaking Havoc Worldwide

Magecart essentially involves hacking groups that specialize in gaining unauthorised access to websites, often by injecting malicious code into shopping pages or by exploiting code vulnerabilities. The weakest link now-a-days are third-party applications, a mainstay in the eCommerce space.  

Many Magecart attacks have been exposed in recent years. For example, over 10k online shoppers were attacked in September 2020 in what was identified as a zero-day Magento exploit and one of the largest campaigns to date (sold in the dark web). Almost 2000 eCommerce websites (checkout pages) were targeted with a payment-card skimmer. 

Did You Know? The May 2020 Paramo Magacart attack lasted for 8 months with over 3700 people’s credit card details stolen 

Magecart attacks come in two forms, with the first one targeting the main website or application by injecting malware directly into it ( this methodology is more complicated to execute and also less common). The other, which is more common, focuses on loading malicious scripts via trusted third-party vendors. 

Either way, malicious JavaScript is used to skim data from HTML forms and send that data to servers controlled by the “bad guys”.

This methodology basically creates exploits with the help of JS code to detect sensitive user activity, with shopping cart checkouts being the most desired one due to the involvement of payment details and personal information. Thousands of websites are still holding malware as we speak.

Online businesses are extremely wary of Magecart because it is just more than an online skimmer plague. These attacks are evolving at a rapid pace, an armed battle between the ever advancing malicious attacks and the defenders, trying to block them,  with CSP being just one of them. 


What is Content Security Policy (CSP)?

Content Security Policy (CSP) is a computer security standard introduced in 2004 to combat malicious activity such as cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in trusted webpages (e.g – your checkout page).

Putting CSP into action requires the addition of a Content-Security-Policy HTTP header into the webpage and assigning the required values to fully control the resources your user can load. These elements can be pictures, videos, and forms. By doing so, it makes it harder to pull off Magecart attacks. There are three techniques to enforce CSP delivery:


  • Content-Security-Policy – This is the most commonly used name recommended by Chrome, Safari and other WebKit-based browsers.
  • <meta> – These elements have to be placed within documents as early as possible, with http-equiv attribute set to Content-Security-Policy
  • Content-Security-Policy-Report-Only – This is a HTTP response header field that devs use to monitor CSP behaviour instead of enforcing it

Furthermore, you are required to write a well planned policy to make your CSP work effectively. These are a predetermined set of directives that determine what resources (fonts, images, multimedia and most importantly scripts) will be needed and used for a safe and secure browsing environment. This mandatory requirement is also a weakness, making CSP a true double-edged sword. 

Did You Know? Ticketmaster was recently fined 1.25 million GBP due to a third-party breach all the way back in 2018


How Does CSP Work? 

CSP basically allows you to define a variety of content restrictions using directives specified in HTTP response headers. You can also provide specific page level directives with HTML meta tags.

For example, to add CSP headers to an Apache web server, you will need:

Header set Content-Security-Policy "default-src 'self';"

On a similar note, you also have the option of providing directives at page level with HTML meta tags if needed:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

CSP directives are basically names with values and end with a semicolon. The * wildcard matches whole values, schemes, subdomains, and ports. You can access the entire list of official W3C recommendations to learn more. It’s also highly recommended to check out the OWASP CSP Cheatsheet

CSP has fought many online battles since its inception back in 2004, when it was referred to as Content Restrictions. Unfortunately, cybercrime is starting to outgrow this “veteran warrior”. As we’ll see in the next section, Magecart and other web-skimming attacks are gaining the upper hand.


Why is CSP Not Enough?

Implementing and having a Content Security Policy is a good thing. However, like any security solution, the results may vary. The best case scenario is that you may gain partial protection from Magecart, but there are also many shortcomings you will have to deal with on a daily basis.

The main problem with CSP is that, by whitelisting a trusted domain or an app, you are whitelisting everything inside it, regardless of its actual behavior. For example, loading a malicious script from a trusted domain, will work.

CSP Attacks

The evidence is piling up. There are multiple POCs that have exposed CSP flaws. There was a huge Chromium-based browser CSP vulnerability, followed by another research that showed that the Google Analytics API could be used to hack into eCommerce websites, retailers, and other online businesses. 

This leading company’s research showed another worrying statistic. Only 210,000 of the top 3 million domains currently use CSP (accurate March 2020). For example, let’s just take a look at the CSP bypass that was executed by targeting the PayPal app, which was inserting a GET parameter into it’s CSP report-uri directive. Manipulating this token parameter made it possible to inject malicious directives into this Content Security Policy.  During that attack, the site whitelisted PayPal as a legitimate domain. But the PayPal configuration issue allowed the attacker to bypass CSP.

Did You Know? As per a recent Google research, around 25% of XSS bugs can be exploited even with a strict CSP in place

CSP is still an effective weapon, but it’s hard to recommend it as a stand-alone solution. It should ideally be combined with additional measures. While there are many CSP bypass examples, the main challenge of CSP is the need to manage it for your entire third-party applications library, on an ongoing basis, all while whitelisting the domain and not it’s behavior.


CSP and Third-Party Monitoring: A Potent Combo

The aforementioned examples clearly showcase CSPs shortcomings as a stand-alone solution. With Magecart activity escalating ahead of Cyber Monday and Black Friday, it’s extremely important to understand that CSP is leaving many holes in your defenses. This is a quick rundown of the reasons.

  • No Protection From Compromised Trusted Parties – Once a trusted/whitelisted service is compromised, you are exposed, be it open-services, API endpoints and known vendors.
  • High Maintenance – This solution requires hands on management and maintenance to achieve good/optimal results.
  • False Positives Issues – Configuring this solution is tricky. If configured too tightly, it can produce mind-boggling numbers of False Positives, rendering it useless in big setups with thousands of website visitors..

Furthermore, CSPs are partially effective at best and usually a nuisance due to mismanagement, lack of sync between security and developers, or lack of compatibility with multiple browsers. This is where real-time tracking and monitoring of your third-party ecosystem comes into play.

By implementing a comprehensive monitoring solution which is plug-and-play in nature, you can enjoy multiple benefits. Top ones include:

  • Enhanced Visibility – By managing all your third-party inventory via one centralized dashboard, you can be sure about what software you are allowing into your ecosystem. This is important in Covid-19 times where multiple stakeholders are working from different locations simultaneously. 
  • Monitoring and Tracking Capabilities – Once you have gained visibility into your ecosystem, you can also learn about the behaviour of the external applications you may be using. This includes performance monitoring and other technical issues that may hamper your bottom line.
  • Actionable Insights – This enhanced transparency allows you to gain real time information about what is going on and respond accordingly. Beside being able to monitor everything on the go, you can set up personified alerts as per your requirements and needs.  

With the typical eCommerce business being required to be able to scale up on demand, online risk mitigation solutions are proving to be the most effective in combating Magecart and web-skimming. 

Another benefit of having such a solution is the reduced cross-department friction within your company, which is a big problem because of the remote working patterns caused by the ongoing Covid-19 pandemic. Advanced reporting helps improve cross-department communication.

This is not to say that CSP and other security solutions are not required anymore. Only a proactive and collective effort can help fight off cybercrime.


How to avoid MAGECART attacks?

Get effective protection against Magecart and attacks other eSkimming threats with our user-friendly solution 


The post Content Security Policy (CSP): Not Exactly a Magecart Vaccine appeared first on Reflectiz.

*** This is a Security Bloggers Network syndicated blog from Blog – Reflectiz authored by Reflectiz Team. Read the original post at: