The client-side is the no man's land of cybersecurity, with vulnerabilities, risks, threats, and opportunities for businesses but also for malicious actors.

What happens in the users' browsers is a silent war for users’ sensitive information between hackers and businesses, especially in the payment industry for payment card data. In e-commerce and online retailers, malicious actors moved from attacking a merchant's infrastructure to skimming payment card data from the users' browsers.

Client-side security, client-side attacks, and client-side vulnerabilities highlight the potential security breaches and incidents that may occur in the users' devices rather than on the business (server side) or between the two. Most of the top US websites are susceptible to client-side attacks.

In summary, modern web applications' use of third-party code expands attack surfaces.

Web browsers are the client.

Almost 50% of the Internet traffic comes from a web browser. The web browser interprets and runs this code to deliver the experience when the user accesses a website.

A market study by Statista shows Google Chrome to be the leading browser in the browser market share, with 61.80% of all users preferring it. Safari follows with 24.36%, with Edge, Firefox, and other browsers making up the remainder of the list.

Web browsers are the client.

Almost 50% of the Internet traffic comes from a web browser. The web browser interprets and runs this code to deliver the experience when the user accesses a website.

A market study by Statista shows Google Chrome to be the leading browser in the browser market share, with 61.80% of all users preferring it. Safari follows with 24.36%, with Edge, Firefox, and other browsers making up the remainder of the list.

Client-side vulnerabilities and web page protection in JavaScript go hand-in-hand when the concern is client-side security.

JavaScript security threats and risks are real. Moreover, JavaScript may represent a security weakness for businesses when the source code comes from third-party providers, for example.

First-party JavaScript

The code an organization generates may have been secure when written. However, the code may have been tampered with after it went into production or reverse-engineered by malicious actors.

A platform is requested as prescribed by the Open Web Application Security Project (OWASP) in its recommendations for keeping applications secure to ensure code integrity.

Third-party JavaScript

JavaScript code originating from third-party sources poses a significant risk because it has all the same privileges as first-party JavaScript code.

Since there are no default security settings for third-party JavaScript, the organization that operates the website or app pulling in that code is responsible for enforcing security and continuous monitoring.

Use of Forms and Secure Form Data

More than 90% of websites use forms to collect users’ personal information. Therefore, businesses must be committed to preventing breaches.

On average, the personal information collected has a high exposure: more than 15 third-party domains, expanding the risk of unauthorized access to data and script misbehaviors.

Client-side attacks have increased in cost and scale as companies expand their investments in the end-user digital experience.

From Jscramblers’ experience, we give three fundamentals to start improvising the client-side security of your applications:

1. Identify all third-party JavaScripts running on your web applications and website;

2. Understand what these third-party JavaScripts are doing and why;

3. Define which scripts are allowed to access data in forms on payment pages and block ones that should not from doing so.
   
   

Web applications load an average of 20+ third-party scripts as a part of the digital user experience. Additionally, a recent survey showed that 99% of security professionals reported their website uses at least one third-party script. 

By not developing a client-side security strategy and approach, security teams allow third-party code libraries to run amok on their servers.

The relevance of third-party scripts for users’ digital experience creates a JavaScript supply chain, and the lack of client-side security measures generates potential vulnerabilities to a software supply chain implemented almost in real-time on user’s devices. That said:

• For businesses that accept online payments, user’s browsers may be facing a silent war. 

• Website forms are open windows for data breaches.

• It is urgent to control third-party script behaviors on the client side, including tracking pixels and chatbots. 

Based on client-side weaknesses, hackers use different client-side attack methodologies to exploit vulnerabilities on the client-side of applications, frequently in the form of data exfiltration and content injections.

Data Exfiltration

Web Skimming/ Magecart Attack

Magecart attack technique involves inserting code, usually into payment pages, where it acts as an online credit card skimmer, pulling the personal information and payment card details of anyone unlucky enough to engage with it. Magecart attacks may also involve attacking a victim’s web services supply chain.

Data Leakage

Web apps integrate a mix of third-party services to ensure personalized user experiences. However, client-side attackers can target these services and add-ons to inject malicious code and launch supply chain attacks. Data leakage can also occur from a misconfigured legitimate third party. For example, a tracking pixel can originate data leakages, jeopardizing user security and privacy.

The consequence is the access to sensitive information they can leak without the knowledge of users or companies.

Content injection attacks 

This client-side attack technique sees attackers inserting malicious content that will appear to the end-user.

Cross-Site Scripting

Cross-site scripting (XSS) is one of the most common attack vectors regularly featured on the OWASP Top 10 Vulnerabilities list.

XSS involves the injection of malicious code into website content.

• Constantly patch and update all software and applications associated with the website.
  
  

• Monitor regularly script behaviors and web pages for changes.
  
  

• Employ ongoing monitoring with a client-side security solution designed to alert to unauthorized web application script activity.
  
  

• Be cautious and demanding when selecting and implementing third- and fourth-party scripts.

In 2023, Jscrambler received the Gold Place in Client-Side Security in the Cybersecurity Excellence Awards. See why:

1. Webpage Integrity

The Webpage Integrity (WPI) solution offers functionalities to protect customers against sensitive data leaks and unwanted changes that may harm their company’s reputation and business.

Webpage Integrity has already monitored over 40.3 million user sessions and blocked over 60.2 million data access attempts by third-party vendors. The continuous monitoring and proactive blocking of JavaScript running in the browser prevent these vendors from potentially accessing sensitive credit card data.

WPI allows organizations to understand all the scripts loaded onto each of their websites and the potential risks associated.

2. Code Integrity

The Code Integrity solution offers a runtime protection solution that protects web applications against runtime attacks.

This mature solution to protect the application code combines anti-debugging and anti-tampering techniques alongside other self-defensive capabilities, providing active protection for JavaScript applications.

Combining both techniques with code polymorphic obfuscation makes it impossible for an attacker to tamper with the web app.