Can you name the top cybersecurity risks for banking and investment? Most would probably list cyber attacks like phishing, credential theft, DDoS, and maybe ransomware. But would it surprise you to learn that there is something on the list that many in the banking and investment industry forget–and that’s client-side cybersecurity threats. You know the kind…the ones related to jQuery, cross-site scripting (XSS), JavaScript injections, formjacking, etc. Here are five notable client-side web app risks banking and financial services organizations should know about.
#1—JavaScript Supply Chain & Open-Source Repositories
Cybersecurity news increasingly features stories about JavaScript supply chain concerns. A good example of this are the recent malware issues discovered within NPM packages. NPM serves as an open-source repository for JavaScript developers to share, copy, and reuse code snippets for web application assembly. Supply chain threats occur when the repository code is corrupted, either intentionally or unintentionally. A recent study found thousands of malicious packages, of which 14% were designed to steal information like credentials, and 82% were performing reconnaissance by passively or actively gathering information for future attack targeting.
Repositories like NPM are attractive to criminals for a variety of reasons:
- NPM, in particular, is one of the most popular repositories, with more than 1.8 million active packages.
- Repositories and package registries contain more than just code snippets. They also store the metadata for the packages and the installation configurations—that is, all attack vectors. Criminals know that it’s hard for IT to manually review every package for version control and malicious intent. That’s why automated client-side crawls for dangerous scripts are so important.
#2—JavaScript Supply Chain & jQuery
Too many web applications still operate under a massive technology debt related to legacy jQuery code. (One study from 2019 estimated that more than 70% of the websites scanned used jQuery.) In fact, jQuery has become a bit infamous for the number of vulnerabilities it contains. Most of these vulnerabilities are found in early versions of jQuery (e.g., jQuery 1.x) and relate to cross-site scripting, although other types of vulnerabilities, such as Prototype Pollution and Denial of Service, are also present.
Web applications also make use of jQuery libraries to expand capabilities, which increases the attack risk. Some jQuery-specific libraries are actually malicious versions of open-source libraries. In addition, despite repeated alerts about malicious content in a number of jQuery libraries, these libraries continue to retain and distribute malicious scripts without any plans for remediation or updates.
#3—Client-Side Open Redirect Attacks
Banks and investment firms with login pages are particularly susceptible to client-side open redirect attacks because many of them use third-party providers as their main login portal. In this type of attack, hackers use client-side JavaScript to tamper with a redirect URL (a URL that redirects from the main corporate website to a banking customer login page), sending customers to a malicious site instead. This type of attack also has notable implications for both the current PCI DSS 3.x standard and the upcoming PCI DSS 4.0 compliance, since banks issuing credit cards must comply with requirements.
#4—Outdated and Ineffective Client-Side Protection
Traditional perimeter security tools do not secure the client side, and tools like web application firewalls (WAFs), policy controls, and threat intelligence are only partially effective for client-side protection. In the case of WAFs, they are only designed to protect services that user-facing web applications apply to collect, store, and utilize data. WAFs are not designed to protect the browser-level user interface itself, which means they are not able to detect and protect from sophisticated skimming malware, drive-by skimming, supply chain attacks, or sideloading and chainloading attacks. Policy controls require extensive manual support, unless you have an automated solution. And, while threat intelligence may tell you the threats that exist, intelligence feeds aren’t going to remediate those threats for you.
#5—Insecure JavaScript
JavaScript is the most commonly used web application scripting language; an estimated 98% of websites globally use JavaScript. But JavaScript was never built with security in mind. With no built-in security permissions in the JS language, it is difficult to prevent client-side attacks on JavaScript code. The most common JavaScript security vulnerabilities include:
- Source code vulnerabilities
- Reliance on client-side validation
- Unintended script execution
- Session data exposure
- Unintentional user activity
What’s the Impact of Client-Side Web App Risk on Banking & Investment?
A data breach and the loss of sensitive customer information, including bank account numbers, personally identifiable information (PII), and credentials can have a lasting impact beyond just business interruption, reputation damage, and profit loss. Primary among these concerns are regulatory and compliance penalties. Government and industry financial sector cybersecurity regulations and mandates, such as those from the Securities and Exchange Commission (SEC), the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, the General Data Protection Regulations (GDPR), and the Payment Card Industry Data Security Standards (PCI DSS), can subject businesses to fines and business restrictions if data breaches or privacy violations occur.
Client-Side Web App Protection Solutions for Banking & Investment
First and foremost, cybersecurity professionals working for financial institutions or investment companies need to have a process in place to ensure the use and maintenance of safe JavaScript repositories. Banking and investment entities also need to ensure they’re using the latest JavaScript code, and not enhancing breach risk through legacy code, like old jQuery. To identify potential risk areas, banking and investment need to perform automated client-side attack surface monitoring using a purpose-built, automated solution to crawl systems and identify malicious script activity on existing web applications.Additionally, industry security professionals should familiarize themselves with the OWASP Top Ten Client-Side Security Risks. Security professionals can use these new OWASP risks to help improve client-side web app protection.
