CSP, the Right Solution for the Web-Skimming Pandemic?

I’ve been asked a lot about Content Security Policy (CSP) as a possible solution for Magecart and other web-skimming attacks lately. Companies, mostly eCommerce sites, are actively looking for a way to handle this emerging threat. CSP, which is not a costly solution, has become an integral part of many security toolboxes.

Idan Cohen
Nov 25, 2020 · 6 min read

But is it the solution you really need to fight Magecart?

The Third-Party App Challenge

Modern eCommerce websites and business platforms are using dozens of external third-party apps to enhance their user engagement, site performance and conversion metrics. Third-party applications for analytics, heat-maps, ads, and chats are good examples.


Content Security Policy (CSP)

Content Security Policy (CSP) is a computer security standard introduced in 2004 to combat malicious activity such as cross-site scripting (XSS), clickjacking, and other client-side code injections resulting from the execution of malicious code in trusted webpages.

Why is CSP Not Enough?

For starters, having a Content Security Policy is a good thing. If you have the resources to manage it, go for it. However, like any security solution, the results may vary. Even in the best case you gain only partial Magecart protection, and you still have multiple shortcomings to deal with on a daily basis.

The Blacklist/Whitelist Approach

The first problem with CSP is that, by whitelisting a trusted domain or an app, you are whitelisting everything served from that domain, regardless of its actual behavior. That’s the main problem with the blacklist/whitelist approach. You are not approving the actions and data, you are just whitelisting everything.

  1. Breach the on-site servers. Most of the famous Magecart attacks targeted internal unsecured servers and scripts in the organization and injected malicious code there. It’s common practice to allow scripts to be loaded from the website’s own domains, so code injected into a first-party script bypasses the entire idea of CSP. It’s almost impossible to manage all the local scripts using CSP.
  2. Use a common global service to extract personal data. For example, this HackerOne research by Aaron Costello shows that the Google Analytics API could be used to hack into eCommerce websites and other online businesses. As Google Analytics can collect any data defined in the control panel, the attackers can just inject their own “Google Analytics” scripts into the website. They will be whitelisted by CSP, and the data will be leaked. Good luck with tracking all of the inputs being collected by dozens of third-parties using CSP.
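The allowlist problem above can be made concrete with a small model of how a browser matches a script against the `script-src` directive. This is an added example, not code from the article or from Reflectiz; the first-party origin, the policies and the script bodies are constructed, and the matching is a simplified version of the CSP3 rules (hash sources are modelled for any script body, whereas real browsers additionally require a matching `integrity` attribute for external scripts). It shows that a host allowlist approves every script served from that host and every path under `'self'`, while a hash-pinned policy approves only the exact script bodies you reviewed, at the cost of one hash per deployed script.

```python
"""Added example: a minimal model of CSP script-src matching.

Everything here (origin, policies, script bodies) is constructed; the
matching logic is a simplification of the CSP3 algorithm.
"""
import base64
import hashlib
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"  # constructed first-party origin


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def sha256_source(script_body: str) -> str:
    """CSP hash source for a script body: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(script_body.encode()).digest()
    return "'sha256-" + base64.b64encode(digest).decode() + "'"


def _host_matches(source: str, url: str) -> bool:
    """Host-source matching: scheme (if given) plus host, with a leading wildcard."""
    src = urlparse(source if "://" in source else "https://" + source)
    tgt = urlparse(url)
    if src.scheme and src.scheme != tgt.scheme:
        return False
    if src.hostname.startswith("*."):
        return tgt.hostname.endswith(src.hostname[1:])
    return src.hostname == tgt.hostname


def script_allowed(policy: dict, url: str, body: str) -> bool:
    """True if script-src (falling back to default-src) permits this script."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if "'none'" in sources:
        return False
    # A hash source approves one specific script body, wherever it is served from.
    if sha256_source(body) in sources:
        return True
    site_host = urlparse(SITE_ORIGIN).netloc
    for source in sources:
        if source == "'self'" and urlparse(url).netloc == site_host:
            return True  # any path on the first-party origin is approved
        if not source.startswith("'") and _host_matches(source, url):
            return True  # any script on the allowlisted host is approved
    return False


# Constructed policies: a typical host allowlist versus a hash-pinned one.
ALLOWLIST_CSP = "default-src 'self'; script-src 'self' https://www.google-analytics.com"
REVIEWED_BODY = "window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};"
PINNED_CSP = "default-src 'self'; script-src " + sha256_source(REVIEWED_BODY)


def demo() -> dict:
    """Return {case: (allowed_by_allowlist, allowed_by_pinned_policy)}."""
    allowlist = parse_csp(ALLOWLIST_CSP)
    pinned = parse_csp(PINNED_CSP)
    cases = {
        # The analytics loader whose body was actually reviewed.
        "reviewed_analytics": (
            "https://www.google-analytics.com/analytics.js", REVIEWED_BODY),
        # A different body served from the same allowlisted host: the host
        # allowlist cannot tell the two apart, the hash policy can.
        "other_body_same_host": (
            "https://www.google-analytics.com/analytics.js", "/* different body */"),
        # Any first-party path is covered by 'self'; the pinned policy needs
        # a hash for it as well (that is the maintenance cost).
        "first_party_script": (
            "https://shop.example/static/checkout.js", "/* first-party body */"),
    }
    return {name: (script_allowed(allowlist, url, body),
                   script_allowed(pinned, url, body))
            for name, (url, body) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} allowlist={verdict[0]!s:5s} pinned={verdict[1]}")
```

The point of the comparison is not that hashes are free: every script change on the site means a new hash in the header, which is exactly the maintenance burden the next section discusses.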

CSP: A High-Maintenance Solution

You might be thinking now — “Well, if CSP won’t help at all, why bother?” Yes, even with CSP, attackers can still leak data from internal and external breaches, or just exploit some online service. But I’m not saying it won’t help. CSP is a strong solution that may help block attacks or make attackers work harder, which is a good thing! Do it.


Final thoughts

CSP is still an effective weapon, but it’s hard to recommend it as a stand-alone solution. It should ideally be combined with additional measures, such as discovery tools, validation tests and a strict script policy, to keep the resource cost reasonable.

Reflectiz

A publication about the exciting landscape of third-party application security and beyond.

Idan Cohen

Written by

CEO and co-founder of Reflectiz, a cybersecurity company. Reflectiz is the first website-sandbox solution that mitigates the risk of third-party apps.
