Universal Website Vulnerability

A universal vulnerability exists on your website that prevents you from controlling customer and payment data and provides hackers with unlimited access to website and customer data. Worse, current security capabilities cannot prevent this attack vector.

This security flaw is introduced through the supply chain vendors that are integrated into websites to enhance user experience and drive analytics. Every commercial website includes dozens of these integrations. Unfortunately, these JavaScript tools introduce a client-side website vulnerability that leaves every website exposed.

The JavaScript code included in the website served to your customers is often reviewed prior to deployment and even periodically as part of pragmatic security practices. This code simply initiates a connection with the corresponding 3rd party server. However, the JavaScript code hosted on that 3rd party server may not remain static or unaltered and can even be entirely replaced by opportunistic hackers seeking malicious access. This attack vector takes advantage of the unmanaged connection between the 3rd party server and the client browser to gain the unlimited access to the webpage DOM that JavaScript enables. This grants the hacker the same privileges as the website owner, allowing the hacker to assume total control over web pages.

3rd Party Vulnerabilities without Source Defense

Source Defense Solution – How it Works

Source Defense’s VICE (Virtual iFrame Containment Enclosure) patent-pending engine handles scripts without requiring special (non-standard) changes to them. It creates a virtual enclosure, somewhat like a web session sandbox, that insulates the web session from 3rd party tools, ensuring that only the desired privileges and functionality are exposed to the 3rd party and that the customer experience remains as intended.

Source Defense prevents this vulnerability through first-of-its-kind isolation and segmentation technology. A virtual iFrame containment enclosure isolates the user web experience from all 3rd party JavaScript tools. A virtual page is inserted between the customer-facing page and the 3rd party JavaScript, creating a virtual sandbox. This JavaScript isolation allows granular control of policies, ensuring the customer-facing experience is insulated from malicious activity and that private customer data is not accessible to the website supply chain vendor or to a hacker who has compromised the session. This approach preserves user experience and website integrity, and ensures customer data privacy, which is critically important for compliance considerations including GDPR.

Source Defense Cloud Solution

Source Defense’s VICE (Virtual iFrame Containment Enclosure) patent-pending engine is dynamically and transparently loaded into the visitor’s browser, allowing it to react in real time to each action the script takes. Each 3rd party JavaScript is isolated inside a virtual page that is a reflection of the original page minus what the 3rd party is not supposed to see. Once the JavaScript creates HTML elements, the security policies are consulted, and if the elements created in the virtual page are in line with the policies set for this 3rd party, they are moved to the page.

Essentially, each 3rd party script can see only the DOM elements that are allowed by the administrator. This very robust and immune methodology allows Source Defense to deal with multiple attack vectors such as DOM events, element attributes, CSS, cookies, moving elements/nodes around the DOM, blocking/allowing URLs and much more.
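The reflect-then-check flow described above can be modeled in a few lines. This is an added, simplified illustration and not Source Defense's code: the page is a constructed tree of plain objects rather than a real DOM, and the policy fields and function names (`chatPolicy`, `reflect`, `violations`, `promote`) are hypothetical.

```javascript
// Constructed page model: plain objects stand in for DOM nodes so this runs in Node.
const page = { tag: 'body', attrs: {}, children: [
  { tag: 'form', attrs: { id: 'payment' }, children: [
    { tag: 'input', attrs: { name: 'card', value: '4111-0000-0000-0000' }, children: [] } ] },
  { tag: 'div', attrs: { id: 'chat-widget' }, children: [] } ] };

// Hypothetical policy for one vendor; every field name here is an assumption.
const chatPolicy = {
  hiddenIds: ['payment'],                    // subtrees the vendor must never see
  allowedTags: ['div', 'span', 'img'],       // elements the vendor may create
  allowedHosts: ['cdn.chat-vendor.example'], // hosts its URLs may point at
  mountId: 'chat-widget',                    // where approved elements are placed
};

// Build the virtual page: a deep copy of the real one minus hidden subtrees.
function reflect(node, policy) {
  if (policy.hiddenIds.includes(node.attrs.id)) return null;
  const children = node.children.map((c) => reflect(c, policy)).filter(Boolean);
  return { tag: node.tag, attrs: { ...node.attrs }, children };
}

// Depth-first lookup of a node by its id attribute; null when absent.
function findById(node, id) {
  if (node.attrs.id === id) return node;
  return node.children.map((c) => findById(c, id)).find(Boolean) || null;
}

// List every policy violation in an element tree the vendor script created.
function violations(el, policy) {
  const out = [];
  if (!policy.allowedTags.includes(el.tag)) out.push(`tag <${el.tag}> not allowed`);
  for (const [name, value] of Object.entries(el.attrs)) {
    if (name.toLowerCase().startsWith('on')) out.push(`event handler ${name}`);
    if (['src', 'href', 'action'].includes(name.toLowerCase())) {
      let host = null;
      try { host = new URL(value).host; } catch { /* relative or malformed: reject */ }
      if (!policy.allowedHosts.includes(host)) out.push(`URL host ${host} not allowed`);
    }
  }
  for (const c of el.children) out.push(...violations(c, policy));
  return out;
}

// Move the element into the real page only when nothing violates the policy.
function promote(realPage, el, policy) {
  const found = violations(el, policy);
  if (found.length === 0) findById(realPage, policy.mountId).children.push(el);
  return found;
}
```

The vendor script would run against the output of `reflect(page, chatPolicy)`, which has no payment form in it, and anything it builds reaches the real page only through `promote`.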

The Source Defense solution was purpose-built for simple integration and administration. Deployment is simplified and requires copying and pasting two lines of provided JavaScript into the header of the page. Configuration is automated and supported by machine learning to keep policies continuously updated without the need for manual intervention. The ultra-low-touch system design transparently provides prevention-level security with customizable alerts designed to provide FYI-only visibility into attempted malicious and unwanted activity.

Two step implementation

It’s time to take back control of your website and ensure its secure operation.
