JavaScript security: The importance of prioritizing the client side

In this interview with Help Net Security, Vitaliy Lim, CTO at Feroot, talks about the most common JavaScript threats, the devastating impact of malicious or vulnerable code, and the importance of JavaScript security in the development process.

We’re hearing a lot of JavaScript threats in the news these days. Can you tell us a little bit about these threats and why they’re so dangerous?

JavaScript is a really easy programming language to hack. Hackers and attackers can easily input query strings into the JavaScript code on web applications to access, steal, or contaminate protected data. So, any vulnerable or malicious JavaScript code that ends up in a web application is going to present significant risks to an organization.

In addition, these days most front-end developers assemble web applications from scripts found in third-party libraries. If the code found in the libraries is dangerous—for example, it’s poorly written or intentionally malicious—then the entire JavaScript software supply chain has been compromised. Also, sometimes internal business staff inadvertently place vulnerable JavaScript tags in a sensitive location in the web application—for example near a login where the tag might be able to capture user credentials. Finally, JavaScript is used in approximately 98% of the websites worldwide. This creates a huge attack surface for threat actors.

The types of threats that are most common on front-end or ‘client side’ web applications are e-skimming, formjacking, and cross-site scripting (XSS). Magecart attacks are another common client-side threat targeting organizations.

In terms of the dangers, if an organization becomes the victim of a client-side attack, they may not know it immediately, particularly if they’re not using an automated monitoring and inspection security solution. Sometimes it is an end-user victim (like a customer) that finds out first, when their credit card or PII has been compromised. The impact of these types of client-side attacks can be severe. If the organization has compliance or regulatory concerns, then investigations and significant fines could result.

Other impacts include costs associated with attack remediation, operational delays, system infiltration, and the theft of sensitive credentials or customer data. There are long-term consequences, as well, such as reputation damage and lost customers. If the attack is on a B2B web application, then upstream attacks may also occur on the organization’s clients, depending on the type of data that has been stolen.

What kind of impact do third-party JavaScript libraries and pre-written JavaScript code have on front-end security?

With 80% of all web applications assembled using third-party JavaScript libraries, any malicious or vulnerable code found in those libraries can have some pretty big consequestions. There are a couple of things going on here.

First, there are malicious actors using these third party libraries to spread malware and launch attacks. For example, a recent industry study found over 1,300 malicious packages in the JavaScript npm package manager.

Second, sometimes the script found in the third-party library is just poorly written. The code may include tracking or social media tags that get inappropriately installed and end up capturing and sharing sensitive information, like login credentials.

Ultimately, third-party JavaScript libraries are part of the software supply chain and, from a security perspective, they need to be treated as such.

Why is client-side security important and why should businesses prioritize it?

This is a really important question. Attacks against the client side are growing. In fact, industry research found that web application attacks are increasing by roughly 25% each quarter. Add to this the inherent insecurity of JavaScript and the fact that 98% of all websites use JavaScript and you have the makings for a perfect cybercrime storm.

Compliance is also a major concern. Regulatory mandates like GDPR and HIPAA, as well as regulations specific to the financial sector, mean that governments are putting a lot of pressure on organizations to keep sensitive user information safe. Failing to do so can mean investigations and substantial fines.

Right now, a lot of organizations are focused on back-end or ‘server-side’ security. To an extent this is understandable. There’s a lot of news out there about zero days, ransomware, software vulnerabilities, etc., and no one wants to become the latest victim. But ignoring security on the client side is kind of like only insuring half your house—which, of course, no one would ever consider doing. When it comes to business systems, it is incredibly important to secure both the front end and the back end. Businesses need to begin to prioritize the client side.

Give us your thoughts on the future of client-side and JavaScript security.

This is a great question. According to the Stack Overflow 2021 Developer Survey, JavaScript is the most popular programming language, used by almost 70% of all professional developers. Use of JavaScript web frameworks also dominate among professional developers. And 98% of all websites use JavaScript, according to W3Techs. So, the reality is that JavaScript dominates the web application programming world, and it isn’t going anywhere anytime soon.

Knowing this, the importance of client-side security and JavaScript security becomes apparent. With client-side attacks growing exponentially and with increasing compliance and regulatory pressures to protect end user data, businesses will increasingly find that JavaScript security is an absolute necessity. And the old ways of securing JavaScript—such as manual code reviews (which are incredibly time and labor intensive)—simply won’t be sustainable. Organizations will need to automate their monitoring and inspection solutions to help protect their client side.

Share with us a little more about Feroot Security and how your products and solutions help solve for client-side attacks.

We founded Feroot Security based on the belief that everyone should be able to do business securely online, without risk of data compromise. End users shouldn’t have to feel worried when they go to a B2B or B2C website that their sensitive personal and financial information is going to be stolen. We designed our products to help organizations understand and uncover vulnerabilities on the front end, including supply chain risks, and to protect and secure their client side so their customers can engage safely with the website.

Our product—Inspector—provides automated client-side attack surface monitoring that helps a business discover all the client-side assets and any vulnerable or malicious scripts located on those assets in just a few minutes. Inspector scans for and locates client-side JavaScript security vulnerabilities and reports on them, and provides specific client-side threat remediation advice to security teams in real-time. With Inspector, customers are able to conduct constant client-side attack surface management and defense.

The PageGuard solution is based on the zero trust model. It constantly scans and monitors the client side and automatically applies JavaScript security configurations. PageGuard can classify mapped JavaScript assets, monitor, detect, and manage new scripts, changes, or third-party scripts, and deploy customer data exfiltration security capabilities, among other things.