Script Monitor aims to skittle skimmers

UPDATED Cloudflare has launched a tool designed to help thwart Magecart-style payment card skimming attacks.

Starting in 2015, cybercriminal groups have stolen payment card details from Magento applications by infecting third-party plugins with malicious code.

Victims of Magecart-style software supply chain attacks have included Ticketmaster, Newegg, British Airways, and more.

Shields Up

In response, Cloudflare has launched Script Monitor, a tool to record a site’s JavaScript dependencies in order to pick up potentially malicious changes that can be the tell-tale signs of Magecart attacks.

Script Monitor – available as a beta version – is the first available component of Page Shield, a client-side security product from Cloudflare that debuted on Thursday (March 25).

Script Monitor analyzes legitimate third-party code on a website and alerts a customer when any new code is added, or existing code is tampered with.




John Graham-Cumming, CTO at Cloudflare, told The Daily Swig that at least initially it will be up to customers to determine whether or not JavaScript dependencies that appear on dashboards are good or bad.

“The initial release of Page Shield will generate a dependency report available both via the dashboard and via API that will include links to the relevant JavaScript files that have been detected,” Graham-Cumming explained.

“The aim is to provide visibility into these dependencies at launch, and to augment the report with signals from Cloudflare to identify malicious vs [versus] non malicious in the next iteration.”

According to Cloudflare, existing browser technologies such as Content Security Policy (CSP) and Sub-Resource Integrity (SRI) provide some protection against client-side threats but have some drawbacks that its Script Monitor is able to overcome.

“Because of Cloudflare’s unique position between application origin servers and end-users, we can modify responses before they reach end-users. In this case, we’re adding an additional Content-Security-Policy-Report-Only header to pages as they pass through our edge.

“When JavaScript files attempt to execute on the page, browsers will send a report back to Cloudflare. As we are using a report-only header, there’s no requirement for application owners to maintain allowlists for relevant insights.

“For each report we see, we compare the JavaScript file with the historic dependencies of that zone and check if the file is new. If it is, we fire an alert so customers can investigate and determine whether the change was expected.”
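
The report-and-compare flow described above, sketched as an added example (not Cloudflare's code or part of the original article). The policy string, the /csp-report path, the class and function names, the learning flag and the sample hostnames are all assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumed policy: 'none' makes every script load produce a report; Report-Only
# means nothing is blocked. The /csp-report path is hypothetical.
HEADER = ("Content-Security-Policy-Report-Only",
          "script-src 'none'; report-uri /csp-report")

def normalize(blocked_uri):
    """Key scripts by scheme://host/path; pass 'inline' and 'eval' through."""
    parts = urlsplit(blocked_uri)
    if not parts.scheme or not parts.netloc:
        return blocked_uri
    # Assumption: drop the query string so cache-busters do not raise alerts.
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"

class ScriptInventory:
    def __init__(self):
        self.seen = {}  # zone hostname -> script keys already observed

    def ingest(self, raw_body, learning=False):
        """Record one report; return an alert dict if the script is new."""
        try:  # report bodies come from browsers, so treat them as untrusted
            report = json.loads(raw_body)["csp-report"]
            directive = (report.get("effective-directive")
                         or report["violated-directive"])
            page = report["document-uri"]
            zone = urlsplit(page).hostname
            script = normalize(report["blocked-uri"])
            if not directive.startswith("script-src"):
                return None
        except (ValueError, KeyError, TypeError, AttributeError):
            return None
        if not zone or not isinstance(script, str):
            return None
        if script in self.seen.setdefault(zone, set()):
            return None
        self.seen[zone].add(script)
        return None if learning else {"zone": zone, "script": script, "page": page}

def sample_report(page, blocked, directive="script-src-elem"):
    """Constructed report body in the shape browsers POST to report-uri."""
    return json.dumps({"csp-report": {"document-uri": page, "blocked-uri": blocked,
                                      "effective-directive": directive}})

if __name__ == "__main__":
    inv, page = ScriptInventory(), "https://shop.example/checkout"
    inv.ingest(sample_report(page, "https://cdn.example/lib.js"), learning=True)
    print(inv.ingest(sample_report(page, "https://stats.example.net/c.js")))
```

An inventory keyed on URL notices a new script location, not a content change at a known URL; catching that would need the file itself fetched and hashed.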

Page Shield is already configurable to some extent but Cloudflare plans to further refine this aspect of the technology in order to avoid bombarding users with too many alerts.

Graham-Cumming said: “As we develop the product further, we plan to expand both the alerting capabilities and the data available in the reports to highlight malicious vs [versus] non-malicious changes according to our detection mechanisms.”




Client-side security is only one part of web application security, according to Graham-Cumming, who added that a defence-in-depth approach is required.

“Enterprises should approach the problem holistically and consider compatibility with other must have solutions such as WAF, API protections, SSL management, and so forth,” Graham-Cumming concluded. “Cloudflare's solutions are all fully compatible with each other.”

Randeep Bahia, a security consultant involved in helping e-commerce sites defend against Magecart-style attacks, told The Daily Swig that Cloudflare's technology will likely take time to mature into something effective.

"[It] looks as though the initial release is basically a report only CSP, tracking changes over time, and alerting/ notifying on new resources detected," Bahia commented on Twitter. "I can imagine that creating a lot of noise.. for users. Some of the future stuff sounds cool."

Page Shield, of which Script Shield is the first available component, is part of Cloudflare’s broader push into client-side security. Earlier this week, Cloudflare launched Remote Browser Isolation as a means for customers to mitigate client-side attacks in workers’ browsers.


This story has been updated to add comment from security consultant Randeep Bahia

