Dynamically included script is usually good, but no good deed goes unpunished.

Gary Glover, Director of Security Assessment
By: Gary Glover
The following post is a segment in the Auditing Archives series. Hopefully the security failures I’ve seen while auditing businesses will help inspire better practices to ensure your own business security.

Virtually all ecommerce sites add or include third party scripts to their website. Google Analytics, for example, provides a free, in-depth view into site traffic and visitor demographics. Other common third parties include widget manufacturers, marketing firms, and social media platforms.

SEE ALSO: PCI 3.0: What You Need to Know

The problem comes when a web developer includes third party script on pages that accept sensitive information (e.g., payment page, login page). If that third party script code has been compromised and modified to perform additional or other actions than its original intention, a hacker could use the modified script to glean sensitive data from the page. This new ‘evil script’ can locate stored variable values (credit card numbers, passwords, and other sensitive information) and send them back to its creator.


Check out the Slideshare.


Was this post informative? If so, please share!

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.
Wednesday, July 30, 2014