Script Monitor aims to skittle skimmers
UPDATED Cloudflare has launched a tool designed to help thwart Magecart-style payment card skimming attacks.
Starting in 2015, cybercriminal groups have stolen payment card details from Magento applications by infecting third-party plugins with malicious code.
Victims of Magecart-style software supply chain attacks have included Ticketmaster, Newegg, British Airways, and more.
Script Monitor – available as a beta version – is the first available component of Page Shield, a client-side security product from Cloudflare that debuted on Thursday (March 25).
Script Monitor analyzes legitimate third-party code on a website and alerts a customer when any new code is added, or existing code is tampered with.
“The aim is to provide visibility into these dependencies at launch, and to augment the report with signals from Cloudflare to identify malicious vs [versus] non-malicious in the next iteration.”
According to Cloudflare, existing browser technologies such as Content Security Policy (CSP) and Sub-Resource Integrity (SRI) provide some protection against client-side threats but have some drawbacks that its Script Monitor is able to overcome.
“Because of Cloudflare’s unique position between application origin servers and end-users, we can modify responses before they reach end-users. In this case, we’re adding an additional Content-Security-Policy-Report-Only header to pages as they pass through our edge.”
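The mechanism described above is a report-only CSP at the edge plus a collector that turns the browser's violation reports into a script inventory and alerts on anything new. The following is an added example, not Cloudflare's code: it assumes a `script-src 'none'` report-only policy (so every script the page loads generates a report), a hypothetical collector path `/__csp-report`, and a few constructed report bodies in both the legacy `report-uri` envelope and the Reporting API batch format. It also shows the noise-reduction points a practitioner would want: query strings are stripped so cache-busting parameters do not look like new scripts, and a known-good baseline can be seeded before alerting starts.

```python
import json
from urllib.parse import urlsplit

# Hypothetical collector path (an assumption, not Cloudflare's real endpoint).
REPORT_ENDPOINT = "/__csp-report"

# Only script-governing directives are inventoried; style/img/font reports are ignored.
SCRIPT_DIRECTIVES = {"script-src", "script-src-elem", "script-src-attr"}


def report_only_header(endpoint=REPORT_ENDPOINT):
    """Header value an edge proxy would add to HTML responses. Report-Only never
    blocks anything; with script-src 'none' every script on the page "violates"
    the policy, so the report stream is a complete list of script dependencies."""
    return f"script-src 'none'; report-uri {endpoint}"


def parse_report(body):
    """Return [(document_url, blocked_url, directive)] from a CSP report POST.
    Handles the legacy envelope {"csp-report": {...}} and the Reporting API
    batch format [{"type": "csp-violation", "body": {...}}, ...]."""
    data = json.loads(body)
    found = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        found.append((r.get("document-uri", ""), r.get("blocked-uri", ""),
                      r.get("effective-directive") or r.get("violated-directive", "")))
    elif isinstance(data, list):
        for item in data:
            if item.get("type") != "csp-violation":
                continue  # other Reporting API types (deprecation, crash, ...)
            b = item.get("body", {})
            found.append((b.get("documentURL", ""), b.get("blockedURL", ""),
                          b.get("effectiveDirective", "")))
    return found


def normalize_script(blocked):
    """Canonical key for a script. Browsers report inline/eval as bare words;
    URLs lose their query string so a new ?v= cache-buster is not a 'new' script."""
    if blocked in ("inline", "eval", ""):
        return blocked or "unknown"
    p = urlsplit(blocked)
    return f"{p.scheme}://{p.netloc}{p.path}"


class ScriptMonitor:
    """Per-site inventory of scripts seen so far; alerts on first sighting."""

    def __init__(self):
        self.baseline = {}  # site hostname -> set of normalized script keys

    def seed(self, site, scripts):
        """Pre-load a known-good inventory so the first reports do not flood
        operators with alerts for scripts they already expect."""
        self.baseline.setdefault(site, set()).update(normalize_script(s) for s in scripts)

    def observe(self, report_body):
        """Process one report POST; return [(site, script)] for unseen scripts."""
        alerts = []
        for doc, blocked, directive in parse_report(report_body):
            if directive not in SCRIPT_DIRECTIVES:
                continue
            site = urlsplit(doc).netloc
            key = normalize_script(blocked)
            seen = self.baseline.setdefault(site, set())
            if key not in seen:
                seen.add(key)
                alerts.append((site, key))
        return alerts


# Constructed sample reports (not captured from any real site).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                               "blocked-uri": "https://shop.example/static/app.js?v=1",
                               "effective-directive": "script-src"}}),
    # same script, new cache-buster: must not alert
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                               "blocked-uri": "https://shop.example/static/app.js?v=2",
                               "effective-directive": "script-src"}}),
    # Reporting API batch: a stylesheet violation (ignored) and a script from a
    # host never seen before (alerts)
    json.dumps([
        {"type": "csp-violation", "body": {"documentURL": "https://shop.example/checkout",
                                           "blockedURL": "https://fonts.example/css",
                                           "effectiveDirective": "style-src-elem"}},
        {"type": "csp-violation", "body": {"documentURL": "https://shop.example/checkout",
                                           "blockedURL": "https://cdn.tag-vendor.example/tag.js",
                                           "effectiveDirective": "script-src-elem"}},
    ]),
]


def run_demo():
    """Feed the constructed reports through a fresh, unseeded monitor; return all alerts."""
    mon = ScriptMonitor()
    alerts = []
    for body in SAMPLE_REPORTS:
        alerts.extend(mon.observe(body))
    return alerts


if __name__ == "__main__":
    print("Content-Security-Policy-Report-Only:", report_only_header())
    for site, script in run_demo():
        print(f"ALERT new script on {site}: {script}")
```

Run unseeded, the demo alerts twice: once for the first-party `app.js` on first sight and once for the unknown third-party `tag.js`; the cache-busted second report and the stylesheet report produce nothing. Seeding the baseline with the expected first-party scripts before going live is what keeps the first day of reports from becoming the flood of alerts the consultant quoted later in this piece is worried about.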
Page Shield is already configurable to some extent but Cloudflare plans to further refine this aspect of the technology in order to avoid bombarding users with too many alerts.
Graham-Cumming said: “As we develop the product further, we plan to expand both the alerting capabilities and the data available in the reports to highlight malicious vs [versus] non-malicious changes according to our detection mechanisms.”
Client-side security is only one part of web application security, according to Graham-Cumming, who added that a defence-in-depth approach is required.
“Enterprises should approach the problem holistically and consider compatibility with other must-have solutions such as WAF, API protections, SSL management, and so forth,” Graham-Cumming concluded. “Cloudflare's solutions are all fully compatible with each other.”
Randeep Bahia, a security consultant involved in helping e-commerce sites defend against Magecart-style attacks, told The Daily Swig that Cloudflare's technology will likely take time to mature into something effective.
"[It] looks as though the initial release is basically a report-only CSP, tracking changes over time, and alerting/notifying on new resources detected," Bahia commented on Twitter. "I can imagine that creating a lot of noise... for users. Some of the future stuff sounds cool."
Page Shield, of which Script Monitor is the first available component, is part of Cloudflare’s broader push into client-side security. Earlier this week, Cloudflare launched Remote Browser Isolation as a means for customers to mitigate client-side attacks in workers’ browsers.
This story has been updated to add comment from security consultant Randeep Bahia.