Auditing Archives Series
The Case of the Evil JavaScript

Auditing Archives: The Case of the Evil Java Script

Virtually all ecommerce sites add or include third-party scripts on their websites. The problem comes when a web developer includes a third-party script on pages that accept sensitive information (e.g., payment page, login page).


Transcript of "Auditing Archives: The Case of the Evil Java Script"

  1. Auditing Archives Series: The Case of the Evil JavaScript
  2. Business background: A small ecommerce parts dealer hired a third-party analytics expert to track site statistics.
  3. Business background: The dealer included the third party's JavaScript on all website pages, including the customer checkout page. The script dynamically loads from the third party's servers each time a page loads.
  4. What is included JavaScript (or included code)? JavaScript is a scripting language used when writing a website that interacts with a user's browser. These scripts can be written by company developers or included from external web sources.
  5. How hackers could get in: Cybercriminals could successfully hack the third-party server that hosted the analytics JavaScript. They could rewrite the script so it would secretly search for and access any information contained on or entered into the web pages it was included on.
  6. How hackers could get in: Malicious JavaScript could copy payment information each time a customer entered a credit card on the small parts dealer's checkout page.
  7. What the business did wrong: Dynamically including third-party JavaScript on a page that accepts sensitive information (e.g., login pages, payment pages) is not a secure practice.
  8. What the business did wrong: The ecommerce merchant should have requested assurance from the third party of strong server security and constant checking of scripts to ensure they are not modified.
  9. What the business did wrong: Don't assume the third party is responsible. Remember, anything written or included on a merchant's ecommerce website is the merchant's own responsibility.
  10. SecurityMetrics: We Protect Business. Services: PCI, HIPAA, & data security solutions for businesses of all sizes. Qualifications: Global provider of ASV, QSA, PFI, PA QSA, P2PE services. Experience: Assisted over 1 million organizations with compliance needs.
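
Slides 7 and 8 call for knowing which third-party scripts a sensitive page loads and for checking that they have not been modified. The following is an added example, not part of the slide deck: it audits a page for scripts from other origins and pins a reviewed copy with Subresource Integrity (SRI), a browser mechanism the slides do not name. The hostnames, page markup, and script bodies are constructed for illustration.

```javascript
// Added example (not from the slides). Regex tag matching is an approximation
// that is adequate for auditing your own templates, not a general HTML parser.
const { createHash } = require('node:crypto');

// Subresource Integrity (SRI) value for a reviewed copy of a script.
function sriHash(body) {
  return 'sha384-' + createHash('sha384').update(body, 'utf8').digest('base64');
}

// List every script a page loads from an origin other than its own,
// and whether the tag pins the content with an integrity attribute.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue;                       // inline script, no remote fetch
    const url = new URL(src[1], pageUrl);     // resolves relative and // URLs
    if (url.origin === pageOrigin) continue;  // first-party file
    const pin = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    findings.push({ src: url.href, integrity: pin ? pin[1] : null });
  }
  return findings;
}

// True only if the script served now is byte-identical to the reviewed copy.
function matchesPin(body, integrity) {
  return sriHash(body) === integrity;
}

// Tag that makes the browser itself refuse a modified script.
function pinnedTag(src, reviewedBody) {
  return `<script src="${src}" integrity="${sriHash(reviewedBody)}" crossorigin="anonymous"></script>`;
}

// Constructed sample data: hypothetical checkout page and analytics script.
const CHECKOUT_URL = 'https://shop.example/checkout';
const CHECKOUT_HTML = `
<script src="/js/cart.js"></script>
<script src="https://analytics.example/track.js"></script>
<form><input name="card-number"></form>`;
const REVIEWED = 'window.pageViews = (window.pageViews || 0) + 1;';
const SERVED_LATER = REVIEWED + ' /* content changed on the third party server */';

console.log(auditScripts(CHECKOUT_HTML, CHECKOUT_URL));
console.log(pinnedTag('https://analytics.example/track.js', REVIEWED));
console.log('unchanged:', matchesPin(SERVED_LATER, sriHash(REVIEWED)));
```

Pinning only works when the third party serves a stable, versioned file; a script that the provider changes on every request will fail the integrity check and be blocked.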