A walk around the client side: the importance of front-end JavaScript security assessments


As e-skimming, Magecart, and other types of front-end attacks increase in frequency and severity, organizations must find ways to protect their web applications and front-end websites (i.e. the client side). JavaScript, which drives the basic functionality of around 98% of the world’s websites, contains bugs and vulnerabilities, and these JavaScript vulnerabilities represent a significant portion of the most common attack paths.

To protect their customers from client-side attacks, companies should consider applying traditional testing methodologies to their front-end, in addition to their back-end.

Penetration tests

A penetration test, more commonly known as a “pentest”, is a deliberate, simulated cyberattack carried out by professional security experts with the authorization of the organization. It is designed to uncover weaknesses and vulnerabilities in an organization’s security controls. Companies either use internal red teams to carry out these attacks or hire an external company that specializes in penetration testing. During the pentest, the testers attempt to enumerate and infiltrate the target’s digital infrastructure, networks, and endpoints. Once vulnerabilities are identified, pentesters mimic threat actors’ tactics, techniques, and procedures (TTPs) to move deeper into the target’s systems and networks. The end result of the pentest is a report that outlines the existing security gaps and what needs to be fixed to protect the business from cyber threats.

Vulnerability assessments

A vulnerability assessment is a systematic analysis and examination of the security weaknesses in a technology, system, application, or network. During such an assessment, a security analyst determines whether the system is likely to have any known or exploitable vulnerabilities, assigns severity levels to them, recommends remediation or mitigation, and prioritizes the order in which remediation should take place according to severity.

Security assessments

Unlike penetration testing and vulnerability assessments, which focus on tools and technologies, security assessments look at processes, governance, and compliance to determine how well your tools, applications, websites, and technologies are protected against cyber risks and threats. The end result of a security assessment should be a thorough understanding of your organization’s security vulnerabilities, aligned with both your overall security program and a governance model (e.g., NIST). The report should also convey the level of risk your organization carries in its current state. Generally speaking, security assessments are a central part of any organization’s risk management process.

A critical need for client-side security assessments

Client-side security assessments are actually quite rare at this point. Unfortunately, this lack of client-side assessments poses a huge problem given the dramatic increase in client-side attacks such as cross-site scripting, formjacking, and Magecart. With the increased use of front-end frameworks, libraries, and third-party tools, it’s time for organizations to expand the scope of traditional security assessments and testing to include the client-side attack surface of their websites and web apps.

Client-side security assessments are cumbersome if done manually, and automation can help. There are five categories of questions a security consultant or analyst should answer to uncover potential client-side issues and associated risks:

1. What client-side assets do we have?

If you don’t know what you have, you can’t protect it. The first step in a security assessment is to inventory all web pages, web applications, landing pages, forms, payment forms, marketing trackers, and other client-side assets that could pose a risk to the business if compromised.

2. What technologies do we use? What proprietary and third-party code do we use? What does our JavaScript supply chain look like?

This is essential. Today, websites are assembled in real time from a variety of protocols, connections, and data sources. Businesses should have an inventory of every web page and web application component. Assessors should have a complete picture of all scripts: where they are loaded from, how they are loaded, and how they interact with other client-side JavaScript code. The easiest way for attackers to steal protected data is to compromise third-party JavaScript. Without ongoing client-side testing, you may never know that a malicious actor has breached your JavaScript supply chain and is stealing customer information.

3. Who has access to our real-time data?

Once you have a list of your assets and associated technologies, it’s time to determine who has access to them and what type of access they have. Are third parties reading all of your customer data with every form submission? How do you protect your users’ privacy? Being able to control who may access client-side data is the next big step in protection.

4. Are we in the middle of an attack right now?

Once you have a complete inventory of your client-side pages, applications, and the code you use, it’s time to check whether your client-side web assets are doing only what you want them to do; i.e., is the data you collect collected only by you, or is it also being sent to the command-and-control domain of a threat actor in Uzbekistan? You want to watch for keyloggers, suspicious WebSockets, any abnormal behavior, and data transfers to unauthorized countries or servers.

5. What needs to be fixed now?

Once the security assessor has inventoried your client-side assets and the code used to create and maintain them, and all potential breaches and exploited vulnerabilities have been discovered, the assessor should provide a detailed report on what the organization’s security team must do to secure the business. Client-side security assessments should indicate:

Gaps in security configuration
  • Current access controls: This identifies who currently has access to what, and how to limit access so that only authorized people can modify or use client-side assets.
  • Overly permissive access: Clear recommendations on how to deploy a Zero Trust approach for web applications and client-side websites to reduce the risk of tampering. This defines who has full access, read-only access, and data transfer access.
Malicious items
  • Malicious hosts: Are malicious hosts actively stealing data? What can be done to solve this problem?
  • Malicious scripts: Is the company currently using a proprietary or third-party script that has been compromised and exfiltrates data or modifies the web page or application in any way? What can be done to solve this problem?
Vulnerabilities
  • Exploited vulnerabilities: Are any known vulnerabilities being exploited? Is a patch available to fix them, and which are the most critical to fix?
  • Other vulnerabilities: Are there any known vulnerabilities that we can proactively patch to reduce client-side cyber risk? Is a fix available, and how critical is it to fix the vulnerability now?
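Questions 2 and 4 above (which scripts load from where, and whether data leaves the page for destinations you did not approve) can be partly automated. The following is an added example, not code from the original post or from any particular vendor tool: it builds an inventory of script, iframe, and form destinations from a page’s markup, resolves each against the page origin, and separates first-party, approved third-party, and unreviewed origins. The HTML, page origin, and allowlist are constructed for illustration.

```javascript
// Added example (not from the original post): inventory the client-side assets
// referenced by a page and flag destinations outside an approved-origin list.
// The HTML, page origin and allowlist below are constructed for illustration.

const PAGE_ORIGIN = "https://shop.example";                 // constructed first-party origin
const APPROVED_ORIGINS = new Set(["https://cdn.example"]);  // constructed vetted third party

const SAMPLE_HTML = `
<html><body>
  <script src="/static/checkout.js"></script>
  <script src="https://cdn.example/lib/analytics.js"></script>
  <script src="https://static.unvetted-tag.test/collect.js"></script>
  <form action="https://forms.unvetted-tag.test/submit" method="post">
    <input name="card_number">
  </form>
  <iframe src="https://cdn.example/chat-widget"></iframe>
</body></html>`;

// Pull every script src, iframe src and form action out of the markup and
// resolve it against the page origin so relative paths count as first-party.
function extractReferences(html, pageOrigin) {
  const tagRe = /<(script|iframe|form)\b[^>]*?\s(src|action)\s*=\s*["']([^"']+)["']/gi;
  const refs = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const resolved = new URL(m[3], pageOrigin);
    refs.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(),
                url: resolved.href, origin: resolved.origin });
  }
  return refs;
}

// Classify each reference as first-party, approved third party, or needing review.
function auditPage(html, pageOrigin, approved) {
  return extractReferences(html, pageOrigin).map((ref) => ({
    ...ref,
    verdict: ref.origin === pageOrigin ? "first-party"
           : approved.has(ref.origin) ? "approved-third-party"
           : "review",
  }));
}

// The assessor's worklist: unknown origins that can run code on the page
// (script, iframe) or receive submitted data (form action).
function reviewQueue(html, pageOrigin, approved) {
  return auditPage(html, pageOrigin, approved).filter((r) => r.verdict === "review");
}

for (const r of auditPage(SAMPLE_HTML, PAGE_ORIGIN, APPROVED_ORIGINS)) {
  console.log(`${r.verdict.padEnd(22)} <${r.tag} ${r.attr}> ${r.url}`);
}
```

Running this against the constructed page lists two entries for review: an unapproved script host and a form that posts card data to an unapproved origin. A real assessment would feed it the rendered DOM and observed network destinations rather than static markup, since scripts injected at runtime never appear in the HTML source.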

What are the limitations of pentesting, vulnerability assessment, and security assessment?

Typically, pentests, vulnerability assessments, and security assessments are done as short-term projects that are repeated quarterly or yearly. Good pentesters are hard to find and command high salaries because of their specialized skills and experience. Many organizations hire a managed security service provider (MSSP) to perform the pentest.

Suppose a penetration test or assessment is 100% accurate and provides actionable results. That is great. However, the results are a snapshot in time, meaning attackers have the flexibility to execute attacks between quarterly or annual assessments. Additionally, attackers are always on the lookout for new vulnerabilities to exploit and will likely be aware of new exploits before a pentest is complete. Relying on quarterly or annual vulnerability assessments is a good start, but businesses remain exposed to vulnerabilities in between. Ultimately, threats and threat actors can move much faster than any business.

Penetration tests and assessments also have limitations because they:

  • Consume a lot of time and resources.
  • Are limited in their scope to certain applications, technologies and networks.
  • Require a qualified consultant, tester or employee with the know-how to succeed.
  • Rely on the use of specialized tools and technologies to uncover vulnerabilities and threats.

Are pentests, vulnerability assessments, and security assessments right for me?

Yes! Yes they are! They are a necessary aspect of any cybersecurity program. But keep in mind that they are not continuous. The information gathered during a pentest or assessment represents only the issues that exist at that time, and a different pentest or assessment a week or a month later can uncover a long list of new vulnerabilities and issues. Threat actors are moving faster than any government or company. To stay ahead of the threat, you need more than a periodic pentest or vulnerability assessment.

Learn more about JavaScript security

Learn about JavaScript front-end assessments and how to improve client-side JavaScript security in our new eBook The Ultimate Guide to Client-Side Security.

You can download the e-book for free here.

If you’re running a website to support your end users as part of your business model, client-side security is crucial. Download this free e-book to better understand the client side and how you can protect your business and customers from web skimming, cross-site scripting, formjacking, and the host of other cyber threats attacking the front-end of your web applications.
