Repositories like NPM are attractive to criminals for a variety of reasons:
- NPM, in particular, is one of the most popular repositories, with more than 1.8 million active packages.
- Repositories and package registries contain more than just code snippets. They also store the metadata for the packages and the installation configurations—that is, all attack vectors. Criminals know that it’s hard for IT to manually review every package for version control and malicious intent. That’s why automated client-side crawls for dangerous scripts are so important.
Too many web applications still operate under a massive technology debt related to legacy jQuery code. (One study from 2019 estimated that more than 70% of the websites scanned used jQuery.) In fact, jQuery has become a bit infamous for the number of vulnerabilities it contains. Most of these vulnerabilities are found in early versions of jQuery (e.g., jQuery 1.x) and relate to cross-site scripting, although other types of vulnerabilities, such as Prototype Pollution and Denial of Service, are also present.
Web applications also make use of jQuery libraries to expand capabilities, which increases the attack risk. Some jQuery-specific libraries are actually malicious versions of open-source libraries. In addition, despite repeated alerts about malicious content in a number of jQuery libraries, these libraries continue to retain and distribute malicious scripts without any plans for remediation or updates.
#3—Client-Side Open Redirect Attacks
#4—Outdated and Ineffective Client-Side Protection
Traditional perimeter security tools do not secure the client side, and tools like web application firewalls (WAFs), policy controls, and threat intelligence are only partially effective for client-side protection. In the case of WAFs, they are only designed to protect services that user-facing web applications apply to collect, store, and utilize data. WAFs are not designed to protect the browser-level user interface itself, which means they are not able to detect and protect from sophisticated skimming malware, drive-by skimming, supply chain attacks, or sideloading and chainloading attacks. Policy controls require extensive manual support, unless you have an automated solution. And, while threat intelligence may tell you the threats that exist, intelligence feeds aren’t going to remediate those threats for you.
- Source code vulnerabilities
- Reliance on client-side validation
- Unintended script execution
- Session data exposure
- Unintentional user activity
What’s the Impact of Client-Side Web App Risk on Banking & Investment?
A data breach and the loss of sensitive customer information, including bank account numbers, personally identifiable information (PII), and credentials can have a lasting impact beyond just business interruption, reputation damage, and profit loss. Primary among these concerns are regulatory and compliance penalties. Government and industry financial sector cybersecurity regulations and mandates, such as those from the Securities and Exchange Commission (SEC), the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, the General Data Protection Regulations (GDPR), and the Payment Card Industry Data Security Standards (PCI DSS), can subject businesses to fines and business restrictions if data breaches or privacy violations occur.
Client-Side Web App Protection Solutions for Banking & Investment