Take a walk on the client side: The importance of front-end JavaScript security assessments

As e-skimming, Magecart, and other types of front-end attacks grow in frequency and severity, businesses are faced with finding ways to protect their front-end (i.e., client-side) web applications and websites. JavaScript, which drives core functionality in approximately 98% of websites globally, contains bugs and vulnerabilities. These JavaScript vulnerabilities represent a significant portion of the most common attack paths.

To protect their customers from client-side attacks, businesses need to consider the application of traditional testing methodologies to their front end, in addition to their back end.

Penetration testing

A penetration test, more commonly referred to as a “pentest,” is a deliberate cybersecurity attack, conducted with permission from the organization by professional cybersecurity experts. It is designed to uncover weaknesses and vulnerabilities across an organization’s security controls. Companies either use internal red teams to carry out these attacks or hire an external company that specializes in penetration testing. During the pentest, red teams attempt to enumerate and infiltrate their target’s digital infrastructure, networks, and endpoints. Once vulnerabilities have been identified, pentesters try to mimic threat actor tactics, techniques, and procedures (TTPs) to move deeper into their target’s systems and networks. The final output of the pentest is a report that outlines what security gaps exist and what needs to be addressed to secure the business from cyber threats.

Vulnerability assessments

A vulnerability assessment is a systematic analysis and review of security weaknesses in a technology, system, application, or network. During these assessments a security analyst will determine if the system is susceptible to any known or exploitable vulnerabilities, assign severity levels to them, recommend remediation or mitigation, and prioritize the order in which remediation must occur based on the severity level.

Security assessments

Unlike pentesting and vulnerability assessments, which focus on tools and technologies, security assessments examine process, governance, and compliance to determine the extent to which your tools, applications, websites, and technologies are secure from cyber risks and threats. The end result of a security assessment should be deep insights into the security gaps of your organization, aligned to both your overall security program and a governance model (e.g., NIST). The report should also convey the risk level of your organization in its current state. Generally speaking, security assessments are a core piece of any organization’s risk management process.

A critical need for client-side security assessments

Client-side security assessments are actually quite uncommon at this point in time. Unfortunately, this lack of client-side assessments presents a huge problem given the dramatic rise in client-side attacks like cross-site scripting, formjacking, and Magecart. With the increased use of front-end frameworks, libraries, and third-party tools, it’s time for organizations to expand the scope of traditional security assessments and testing to include the client-side attack surface of their websites and web applications.

Client-side security assessments are tedious if done manually, and automation can help. There are five categories of questions a consultant or security analyst needs to answer to uncover potential client-side issues and their associated risks:

1. What client-side assets do we have?

If you don’t know what you have, you can’t protect it. The first step in a security assessment is to inventory all web pages, web applications, landing pages, forms, payment forms, marketing trackers, and other client-side assets that might pose a risk to the business if corrupted.

2. What technologies do we use? What first- and third-party code are we using? What does our JavaScript supply chain look like?

This is critical. Websites today are assembled in real time using a variety of protocols, connections, and data sources. Businesses must have an inventory of all webpage and web application components. Assessors need to have a full picture of all the scripts, where they are loaded, how they are loaded, and how they interact with other JavaScript code across the client side. The easiest way for threat actors to steal protected data is by corrupting third-party JavaScript. Without continuous client-side testing, you might never know a threat actor has breached your JavaScript supply chain and is stealing customer information.

3. Who has access to our data in real time?

Once you have a list of your assets and the associated technologies, it’s time to start looking into who has access to them and what type of access they have. Are third parties reading all of your customer data during every form submission? How are you protecting your users’ privacy? Being able to shape data access insights across the client side is the next big step in protection.

4. Are we in the midst of an attack right now?

Once you have a full inventory of your client-side pages, applications, and the code you use, it’s time to see if your client-side web assets are only doing what you want them to be doing… ahem… that is, is the data you are collecting only being collected by you, or is it being sent to a threat actor’s command and control domain in Uzbekistan? You want to look for keyloggers, WebSockets, any anomalous behaviors, and any data transfer to unauthorized countries or servers.

5. What needs to be fixed now?

Once the security assessor has inventoried your client-side assets and the code used to build and maintain them, and any potential breaches and exploited vulnerabilities have been uncovered, the assessor should provide a detailed report on what the organization’s security team should do to secure the business. Client-side security assessments should point out:

Security configuration gaps
  • Current access controls: This identifies who currently has access to what and how to limit access to ensure only authorized individuals can modify or utilize client-side assets.
  • Overly permissive access: Clear recommendations on how to deploy a Zero Trust approach to client-side web applications and websites to reduce the risk of tampering. This helps determine who has full access, read-only access, and data transfer access.
Malicious elements
  • Malicious host scripts: Are any malicious hosts actively stealing data? What can be done to fix this issue?
  • Malicious scripts: Is the business currently using any first- or third-party script that has been corrupted and is exfiltrating data or modifying the web page or application in any way? What can be done to fix this issue?
Vulnerabilities
  • Exploited vulnerabilities: Are there any known vulnerabilities currently being exploited? Is there a patch available to fix these vulnerabilities and which ones are the most critical to patch?
  • Other vulnerabilities: Are there any known vulnerabilities that we can patch proactively to reduce client-side cyber risk? Is a patch available and how critical is it to patch the vulnerability now?
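
One way to automate questions 2 and 4 above, as an added example that is not from the original article: it inventories the script tags in a page's markup (first or third party, how each is loaded) and checks observed request destinations against an approved-host list. The page URL, hosts, markup, requests and function names are constructed assumptions, and the Subresource Integrity check is an extra heuristic the article does not discuss.

```javascript
// Constructed sample data: page URL, approved hosts, markup and observed requests.
const PAGE_URL = 'https://shop.example/checkout';
const APPROVED_HOSTS = new Set(['shop.example', 'cdn.payments.example']);
const SAMPLE_HTML = `
<script src="/static/app.js" defer></script>
<script src="https://cdn.payments.example/v3/pay.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script async src="https://tags.analytics.example/t.js"></script>
<script>window.dataLayer = [];</script>`;
const SAMPLE_REQUESTS = [ // e.g. taken from a HAR export of a form submission
  { url: 'https://shop.example/api/order', initiator: '/static/app.js' },
  { url: 'wss://collect.unknown.example/s', initiator: 'https://tags.analytics.example/t.js' },
];

// Question 2: inventory every <script> tag, where it loads from and how.
function inventoryScripts(html, pageUrl) {
  const pageHost = new URL(pageUrl).host;
  return [...html.matchAll(/<script\b([^>]*)>/gi)].map(([, attrs]) => {
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) return { src: null, host: pageHost, party: 'first', loading: 'inline', sri: false };
    const host = new URL(src, pageUrl).host; // resolves relative paths against the page
    return {
      src, host,
      party: host === pageHost ? 'first' : 'third',
      loading: /\basync\b/i.test(attrs) ? 'async' : /\bdefer\b/i.test(attrs) ? 'defer' : 'blocking',
      sri: /\bintegrity\s*=/i.test(attrs), // Subresource Integrity hash present?
    };
  });
}

// Third-party scripts that are unapproved or load without an integrity hash.
function scriptsNeedingReview(scripts, approvedHosts) {
  return scripts.filter((s) => s.party === 'third' && (!s.sri || !approvedHosts.has(s.host)));
}

// Question 4: flag requests whose destination host is not on the approved list.
function findUnapprovedDestinations(requests, approvedHosts) {
  return requests.map((r) => ({ ...r, dest: new URL(r.url) }))
    .filter((r) => !approvedHosts.has(r.dest.host))
    .map((r) => ({ host: r.dest.host, protocol: r.dest.protocol, initiator: r.initiator }));
}

const scripts = inventoryScripts(SAMPLE_HTML, PAGE_URL);
console.table(scripts);
console.log(scriptsNeedingReview(scripts, APPROVED_HOSTS).map((s) => s.src));
console.log(findUnapprovedDestinations(SAMPLE_REQUESTS, APPROVED_HOSTS));
```

Static markup only shows scripts present in the HTML; scripts injected at runtime by other scripts appear only in the rendered DOM or in the request log, so the destination check is the one that catches them.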

What pentesting, vulnerability assessment, and security assessment limitations exist?

Typically, pentests, vulnerability assessments, and security assessments are performed as short-term projects that are repeated on a quarterly or annual basis. Finding good pentesters is hard and they demand a high wage because of the specialized skill set and experience they possess. Many organizations hire a managed security service provider (MSSP) to conduct the pentest.

Let’s assume that a penetration test or assessment is 100% accurate and provides actionable results. That’s great. However, results are a snapshot in time, which means hackers have the ability to execute attacks between quarterly or annual assessments. Additionally, hackers are always looking for new vulnerabilities to exploit and likely will know about new exploits before a pentest has been completed. Relying on quarterly or annual vulnerability assessments is a great start, but companies still remain exposed to breaches. Ultimately, threats and threat actors can move much faster than any company.

Penetration tests and assessments also present limitations because they:

  • Are time and resource intensive.
  • Are limited in scope to certain applications, technologies, and networks.
  • Require a skilled consultant, tester, or employee with the know-how to be successful.
  • Rely on the use of specialized tools and technologies to uncover vulnerabilities and threats.

Are pentests, vulnerability assessments, and security assessments right for me?

Yes! Yes they are! They are a necessary aspect of any cybersecurity program. But keep in mind that they are not continuous. The information gleaned during a pentest or assessment represents only those issues that exist at that moment, and there might be a laundry list of new vulnerabilities and issues that a different pentest or assessment will uncover in a week or a month. Threat actors move faster than any government or business. To stay ahead of the threat, you need more than a point-in-time pentest or vulnerability assessment.

Learn more about JavaScript security

Read about JavaScript front-end assessments and how to improve client-side, JavaScript security in our new e-book The Ultimate Guide to Client-Side Security.

If you maintain a website to support your end users as part of your business model, then client-side security is crucial. Download this free e-book to get a better understanding of the client side and how you can protect your business and your customers from web skimming, cross-site scripting, formjacking, and the multitude of other cyberthreats attacking the front end of your web applications.
