Web App Security: Don’t Let the Code Injection Grinch Steal Holiday Joy

This holiday season more and more e-commerce site operators will be deploying web app security solutions such as content security policies (CSPs) to protect themselves and their users against cyberattacks, including cross-site scripting (XSS), formjacking and unauthorized code injection. These attacks could have a variety of negative outcomes, including credit card theft, fraud and client-side data breaches.

A CSP is an important way to defend a site against unknown scripts. These scripts can be vehicles for fraud and credit card theft. That said, CSP is only as good as the allowlist. To mess up a holiday shopping season, hackers just have to target one of the services already allowed by your CSP to execute attacks. To guard against this, e-commerce operators need another layer of runtime security such as JavaScript-based monitoring and detection that can analyze script behavior at a granular level.

What is a CSP and Why Do Sites Need One?

A CSP is part of the web standards that instruct browsers to enforce specified client-side policies. In a nutshell, a CSP is a set of rules defined by a website operator that blocks or allows specific types of requests based on the type of request or the domain associated with the request. A CSP can, for example, block JavaScript code from being loaded from unfamiliar domains. This ensures stronger security for site visitors and protects them from malicious scripts. Developers use a CSP to protect their applications from shadow code injection vulnerabilities and cross-site scripting (XSS) attacks and to reduce the risk of data breaches.

Web application owners define the CSP policies for their sites, and the browser then enforces them. Applying CSP headers allows web application teams to set rules and policies that limit malicious external communication. For example, an e-commerce site might want to ensure that all images are loaded from approved domains to prevent hackers from injecting JavaScript embedded in images. To do this, they might set a CSP such as the following:

Content-Security-Policy: img-src images.yourdomain.com
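To make the allowlist behaviour concrete, here is a simplified CSP evaluator, added as an illustration (it is not code from the post or from PerimeterX, and not a browser's implementation). It parses a header like the one above and decides whether a resource of a given type from a given URL would be allowed: a fetch directive falls back to default-src, source expressions may be 'self', 'none', a scheme, or a host with an optional *. wildcard, and a resource type with no governing directive is left unrestricted. The shop and CDN hostnames are constructed; paths, nonces, hashes, 'unsafe-inline' and the http-to-https upgrade rule of real CSP are omitted.

```javascript
// Simplified CSP evaluator (added example; not the page's code, not a browser's).
// Omits paths, nonces, hashes, 'unsafe-inline' and the http->https upgrade rule.

function parsePolicy(header) {
  // "directive src src; directive src" -> Map(directive -> [source expressions])
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.cdn.example" -> ".cdn.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin;
  if (e === "*") return true; // simplified: real CSP excludes data:, blob:, filesystem:
  if (e.endsWith(":")) return url.protocol === e; // scheme-source such as "https:"
  // host-source: [scheme://]host[:port]
  let scheme = null;
  let rest = e;
  const at = e.indexOf("://");
  if (at !== -1) {
    scheme = e.slice(0, at + 1); // "https://cdn.example" -> "https:"
    rest = e.slice(at + 3);
  }
  const [hostPart, portPart] = rest.split(":");
  if (scheme !== null && url.protocol !== scheme) return false;
  if (!hostMatches(hostPart, url.hostname.toLowerCase())) return false;
  const port = url.port || defaultPort(url.protocol);
  if (portPart !== undefined && portPart !== "*" && portPart !== port) return false;
  return true;
}

function isAllowed(policy, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  let sources = policy.get(directive);
  if (sources === undefined) sources = policy.get("default-src"); // fetch directives fall back
  if (sources === undefined) return true; // nothing governs this resource type
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Constructed sample: the header from the post, and a stricter policy for contrast.
const PAGE_ORIGIN = "https://shop.yourdomain.com"; // hypothetical shop origin
const LOOSE = parsePolicy("img-src images.yourdomain.com");
const STRICT = parsePolicy(
  "default-src 'none'; img-src images.yourdomain.com; script-src 'self' *.trusted-cdn.example"
);

function demo() {
  return {
    looseImgOk: isAllowed(LOOSE, "img-src", "https://images.yourdomain.com/logo.png", PAGE_ORIGIN),
    looseImgBlocked: isAllowed(LOOSE, "img-src", "https://evil.example/pixel.png", PAGE_ORIGIN),
    // img-src alone says nothing about scripts: they stay unrestricted.
    looseScriptUnrestricted: isAllowed(LOOSE, "script-src", "https://evil.example/skim.js", PAGE_ORIGIN),
    strictScriptSelf: isAllowed(STRICT, "script-src", "https://shop.yourdomain.com/app.js", PAGE_ORIGIN),
    strictScriptCdn: isAllowed(STRICT, "script-src", "https://static.trusted-cdn.example/lib.js", PAGE_ORIGIN),
    strictScriptBlocked: isAllowed(STRICT, "script-src", "https://evil.example/skim.js", PAGE_ORIGIN),
    // default-src 'none' closes every type the policy does not name.
    strictConnectBlocked: isAllowed(STRICT, "connect-src", "https://analytics.example/collect", PAGE_ORIGIN),
  };
}

console.log(demo());
```

The loose policy is the one from the post: it restricts images and nothing else, so a script from an unknown host is still loaded. The strict policy shows the shape practitioners usually want, with default-src 'none' as the floor and each resource type opened explicitly.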

E-commerce web application development is dynamic with site development teams constantly adding new features and services to continue to innovate the customer experience. For this reason, even well-maintained CSPs struggle to keep up with web development efforts. And if a web security team limits app development to operate within defined CSPs, then this can put the e-commerce site at a disadvantage versus competitors who are able to make changes faster and operate in a more agile manner.

New Types of Attacks Bypassing CSPs

That said, CSPs have major limitations. Setting detailed policies quickly becomes complicated and difficult to manage. Commonly used elements of web applications, such as inline queries, are not covered by CSPs. Additionally, clever hackers can use commonly allowed domains as an opening to execute attacks.

For example, among all the sites using CSPs that we tracked, nearly 20,000 allow the Google Analytics domain. This communication is crucial for sharing website analytics data back to Google Analytics. Malicious hackers can wrap skimmed information in query strings and extract the information via the Google Analytics console. This method has been used by Magecart gangs to skim credit card and other personal and financial information without either users or site operators finding out. PerimeterX also recently discovered a CSP vulnerability affecting billions of Chromium-powered browsers (Google Chrome, Microsoft Edge, Opera) that allows attackers to use an iframe to pass JavaScript requests explicitly restricted by a CSP policy. Google’s own security research team found that almost 76% of the CSP policies on the sites examined contained at least one unsafe domain on the allowlist.
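The allowlisted-domain problem is what behavioral monitoring is meant to catch: the host is permitted, so the CSP says nothing, and only the content of the request gives it away. The following check is an added example (not PerimeterX's product code and not from the post) of the kind of rule a runtime monitor can run on outbound requests that the allowlist already permits. It flags query parameters that carry a Luhn-valid card-like number or that echo the current value of a watched checkout field. The allowlist, the form values and the request log are all constructed sample data; the analytics hostname is a placeholder, not a real service.

```javascript
// Runtime check for requests to allowlisted hosts (added example, not the page's code).
// Hosts, form values and request URLs below are constructed sample data.

const ALLOWED_HOSTS = new Set(["analytics.example", "images.yourdomain.com"]); // hypothetical allowlist

// Values a monitor would read from the checkout form at request time
// (constructed here; a real monitor would read them from the DOM).
const WATCHED_FIELDS = {
  cardNumber: "4111111111111111", // well-known test card number
  cvv: "737",
  email: "shopper@example.com",
};

function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function looksLikeCardNumber(value) {
  const digits = value.replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

function inspectRequest(urlString) {
  const url = new URL(urlString);
  const findings = [];
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    // The CSP allowlist already stops this one; the monitor only logs it.
    return { url: urlString, verdict: "blocked-by-allowlist", findings };
  }
  // URLSearchParams percent-decodes values, so "%40" is compared as "@".
  for (const [key, value] of url.searchParams) {
    if (looksLikeCardNumber(value)) findings.push(`${key}: card-like value`);
    for (const [field, fieldValue] of Object.entries(WATCHED_FIELDS)) {
      if (fieldValue && value.includes(fieldValue)) {
        findings.push(`${key}: echoes form field ${field}`);
      }
    }
  }
  return { url: urlString, verdict: findings.length > 0 ? "suspicious" : "ok", findings };
}

function triage(urls) {
  return urls.map(inspectRequest);
}

// Constructed request log: a normal pageview beacon, an event beacon whose
// parameters carry form data, a tracking pixel carrying the e-mail, and a
// request to a host the allowlist does not cover.
const SAMPLE_REQUESTS = [
  "https://analytics.example/collect?v=1&tid=UA-PLACEHOLDER-1&t=pageview&dp=%2Fcheckout",
  "https://analytics.example/collect?v=1&t=event&ec=checkout&ea=4111111111111111&el=737",
  "https://images.yourdomain.com/pixel.gif?u=shopper%40example.com",
  "https://evil.example/c?d=abc",
];

for (const result of triage(SAMPLE_REQUESTS)) {
  console.log(result.verdict.padEnd(20), result.url, result.findings.join("; "));
}
```

Two design points matter in practice. The check is deliberately applied only after the allowlist decision, because that is the gap the post describes: a permitted host carrying data it should never see. And the field-echo rule catches what the card-number heuristic cannot, such as a CVV or an e-mail address; a production monitor would also decode base64 and other encodings before comparing, since plain substring matching is easy to slip past.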

Adding Behavioral Detection to Reduce Risk

Make no mistake: Adding CSPs to your holiday shopping security mix is still good security hygiene. And websites that have well-designed CSPs are more secure than websites that lack them. That said, there are newer technologies that can augment CSPs and shore up web application defenses where CSPs fall short. These are technologies that study the behavior of web applications at runtime and look for signs of anomalous activity. These behavioral technologies use machine learning to establish patterns of normal and abnormal application behavior across billions of interactions and thousands of websites. Where CSPs might prevent unfamiliar connections or URLs from accessing site resources, behavioral analysis can detect malicious behavior even in allowed and familiar scripts. This can alert you to potential attacks on your allowed third-party scripts, as well as accidental or malicious modifications to your own web application scripts that could expose your customer data. Creating a comprehensive view of behavior can more actively and adaptively spot attacks. Equally important, a behavioral view can augment and even automate CSPs to make them work better and improve the security posture of web applications—and better stop Grinchy attacks targeting your customers during the popular holiday shopping season.

Future of Web App Security Means Combining Runtime Behavior Analysis and CSP

This holiday season, many large web applications will likely deploy CSPs, some for the first time. For e-commerce operators large and small, the best way to stop the code injection Grinch now and in the future is by combining runtime behavioral analysis with dynamic CSP policies. Even now, the most advanced behavioral technologies can inform CSPs and create dynamic rule sets for blocking behavior and resource requests as they are happening at runtime. In this manner, CSP becomes far more useful over time because it becomes a local repository of known ways to mitigate emerging threats. This also will alleviate security teams from managing ever-changing CSP policies and keeping track of what should and should not be blocked or whitelisted. Under this scenario of humans working closely with artificial intelligence systems, web applications are more secure. A key additional benefit is that the human application security teams and SREs spend less time on mundane but complex tasks around setting and managing policy. Instead, they can focus on security and site performance issues that require fine-tuning and analysis.

For business owners, applications protected from attacks by combined CSP and behavioral detection are more reliable and cost less money to operate. Most importantly, consumers get a better application experience and can be more confident that their data is safe and secure, even on Cyber Monday, the height of the holiday shopping application attack season. E-commerce operators that reduce incidents of customer-facing attacks, such as credit card thefts, can reduce churn and prevent bad media coverage resulting from attacks. The only one left unhappy is the Code Injection Grinch, who won’t be able to steal holiday joy and will instead have to be happy with a lump of virtual coal.


Ameet Naik

Ameet Naik is a security evangelist at PerimeterX.
