Code running on websites can be exploited to steal or leak data through client-side attacks made possible by the scripts that execute in visitors' browsers, says Tala Security.
Interactive forms were found on 92% of the analyzed websites, and those forms expose the data they collect to 17 different domains on average. That data includes personally identifiable information (PII), login credentials, card transaction data, and medical records. By Tala's analysis it reaches roughly 10 times more domains than the site owners intend, which is one reason Magecart, formjacking, and card-skimming attacks are able to continue.
“Standards-based security controls are built into all modern browsers and are designed specifically to address the vulnerabilities created by modern web architecture, including client-side attacks,” Tala said in its report. “Applied and managed correctly, these security standards, including Content Security Policy (CSP), Subresource Integrity (SRI), and others [such as HTTP Strict Transport Security (HSTS)] will mitigate client-side risk, including zero-day threats, offering a future-proof solution with no impact to website performance or user experience. Leveraging tools that complement these capabilities by monitoring and preventing PII and other data leakage provides a comprehensive defense-in-depth approach.”