The web performance and security company Cloudflare has unveiled a new web security offering to prevent Magecart-style attacks. Page Shield is a client-side security product customers can use to detect attacks in end-user browsers.
Earlier this week, the company introduced Remote Browser Isolation for all as a way to mitigate client-side attacks in companies’ employees’ browsers. Page Shield continues Cloudflare’s push into client-side security by helping mitigate attacks aimed at your customers.
What is Magecart?
A Magecart-style attack is a type of software supply chain attack carried out in a user’s browser. Attackers target the hosts of third-party JavaScript dependencies and gain control over the source code served to browsers. When the infected code executes, it often attempts to steal sensitive data that end-users enter into the site, such as credit card details during a checkout flow.
Magecart-style attacks are challenging to detect because many application owners trust third-party JavaScript to function as intended. Generally, Magecart attacks have lasted months before detection.
How to defend against Magecart-style attacks?
Existing browser technologies such as Content Security Policy (CSP) and Subresource Integrity (SRI) provide some protection against client-side threats, but have some drawbacks.
CSP enables application owners to send an allowlist to the browser, preventing any resource outside of those listed from executing. SRI enables application owners to specify an expected file hash for JavaScript and other resources. If the fetched file doesn’t match the hash, it is blocked from executing.
“They’ve also found that JavaScript vendors will sometimes serve versioned files with different hashes to end-users due to small differences such as spacing. This could result in SRI blocking legitimate files by no fault of the application owner,” Cloudflare said.
Script Monitor is the first Page Shield feature
Script Monitor is the beginning of Cloudflare’s ambition for Page Shield. When JavaScript files attempt to execute on the page, browsers send a report back to Cloudflare. Because Cloudflare uses a report-only header, application owners do not need to maintain allowlists to get relevant insights.