SlideShare a Scribd company logo

Auditing Archives: The Case of the Evil Java Script

Download as PPTX, PDF
SecurityMetrics
SecurityMetrics

Virtually all ecommerce sites add or include third party scripts to their website. The problem comes when a web developer includes third party script on pages that accept sensitive information (e.g., payment page, login page).

Small Business & Entrepreneurship
1 of 10
Auditing Archives Series The Case of the Evil JavaScript
Business background Small ecommerce parts dealer hired third party analytics expert to track site statistics.
Business background Included third party’s JavaScript on all website pages, including customer checkout page. Script dynamically loads from third party servers each time page loads.
What is included JavaScript (or included code)? JavaScript is programming script language used when writing a website that interacts with a user’s browser. These scripts can be written by company developers or included from external web sources.
How hackers could get in Cybercriminals could successfully hack third party server that hosted analytic JavaScript. They could rewrite the script so it would secretly search for and access any information contained on or entered into web pages it was included on.
How hackers could get in Malicious JavaScript could copy payment information each time a customer entered a credit card on the small parts dealer’s checkout page.
What the business did wrong Dynamically including third party JavaScript on a page that accepts sensitive information (e.g., login pages, payment pages) is not a secure practice.
What the business did wrong Ecommerce merchant should have requested assurance from third party of strong server security and constant checking of scripts to ensure they are not modified.
What the business did wrong Don’t assume the third party is responsible. Remember, anything written or included on a merchant’s ecommerce website is their own responsibility.
SecurityMetrics We Protect Business Services PCI, HIPAA, & data security solutions for businesses of all sizes Qualifications Global provider of ASV, QSA, PFI, PA QSA, P2PE services Experience Assisted over 1 million organizations with compliance needs

Recommended

Qone8.com
Qone8.comQone8.com
Qone8.com
janglinghan
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web application
Vishal Kumar
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
SecurityMetrics
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing Franchisee
SecurityMetrics
 
GamaSec web vulnerability remediation as a service
GamaSec web vulnerability remediation as a serviceGamaSec web vulnerability remediation as a service
GamaSec web vulnerability remediation as a service
Avi Bartov
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Web
andres1422
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggers
Andrey Apuhtin
 
xss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfxss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdf
yashvirsingh48
 

Recommended

Qone8.com
Qone8.comQone8.com
Qone8.com
janglinghan
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web application
Vishal Kumar
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
SecurityMetrics
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing Franchisee
SecurityMetrics
 
GamaSec web vulnerability remediation as a service
GamaSec web vulnerability remediation as a serviceGamaSec web vulnerability remediation as a service
GamaSec web vulnerability remediation as a service
Avi Bartov
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Web
andres1422
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggers
Andrey Apuhtin
 
xss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfxss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdf
yashvirsingh48
 
Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)
Massimo Paolini
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
XSS Exploitation
XSS ExploitationXSS Exploitation
XSS Exploitation
Hacking Articles
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
Irfad Imtiaz
 
CLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptxCLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptx
agniva pradhan
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online banking
Jakub Kałużny
 
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
HakTrak Cybersecurity Squad
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Srivigneshwar R Prasad
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
Sumanth Damarla
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci compliance
Ritwik Das
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
Osei Fortune
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
Vishrut Sharma
 
10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud
WebSitePulse
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
AngelinaJasper
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET Journal
 
OWASP Top 10
OWASP Top 10OWASP Top 10
OWASP Top 10
Arthur Shvetsov
 
Hipaa Reality Check
Hipaa Reality CheckHipaa Reality Check
Hipaa Reality Check
SecurityMetrics
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping Supplement
SecurityMetrics
 

More Related Content

Similar to Auditing Archives: The Case of the Evil Java Script

Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)
Massimo Paolini
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online banking
Jakub Kałużny
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 

Similar to Auditing Archives: The Case of the Evil Java Script (20)

Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
XSS Exploitation
XSS ExploitationXSS Exploitation
XSS Exploitation
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
 
CLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptxCLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptx
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online banking
 
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci compliance
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
 
10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud
 
Security testing
Security testingSecurity testing
Security testing
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
 
OWASP Top 10
OWASP Top 10OWASP Top 10
OWASP Top 10
 

More from SecurityMetrics

The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
SecurityMetrics
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
SecurityMetrics
 

More from SecurityMetrics (20)

Hipaa Reality Check
Hipaa Reality CheckHipaa Reality Check
Hipaa Reality Check
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping Supplement
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical Devices
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS Audit
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored?
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk Analysis
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your Empolyees
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards?
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless Investigation
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
 
What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?
 
How Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessHow Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for Business
 
Mobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data CompromiseMobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data Compromise
 

Recently uploaded

Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
ZurliaSoop
 
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
StartupSprouts.in
 
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfEnabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Smartinfologiks
 
Indian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girlsIndian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girls
Monica Sydney
 
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
Escorts service
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
dollysharma2066
 
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
Health
 
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.inEV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
StartupSprouts.in
 

Recently uploaded (15)

Famedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . FullsailFamedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . Fullsail
 
How Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxHow Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptx
 
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCCARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
 
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSESEXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
 
How to structure your pitch - B4i template
How to structure your pitch - B4i templateHow to structure your pitch - B4i template
How to structure your pitch - B4i template
 
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
 
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
 
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfEnabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
 
Indian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girlsIndian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girls
 
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
 
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
 
Dàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptxDàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptx
 
Supply Chain Location Decision and Management
Supply Chain Location Decision and ManagementSupply Chain Location Decision and Management
Supply Chain Location Decision and Management
 
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.inEV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
 

Auditing Archives: The Case of the Evil Java Script

  • 1. Auditing Archives Series The Case of the Evil JavaScript
  • 2. Business background Small ecommerce parts dealer hired third party analytics expert to track site statistics.
  • 3. Business background Included third party’s JavaScript on all website pages, including customer checkout page. Script dynamically loads from third party servers each time page loads.
  • 4. What is included JavaScript (or included code)? JavaScript is programming script language used when writing a website that interacts with a user’s browser. These scripts can be written by company developers or included from external web sources.
  • 5. How hackers could get in Cybercriminals could successfully hack third party server that hosted analytic JavaScript. They could rewrite the script so it would secretly search for and access any information contained on or entered into web pages it was included on.
  • 6. How hackers could get in Malicious JavaScript could copy payment information each time a customer entered a credit card on the small parts dealer’s checkout page.
  • 7. What the business did wrong Dynamically including third party JavaScript on a page that accepts sensitive information (e.g., login pages, payment pages) is not a secure practice.
  • 8. What the business did wrong Ecommerce merchant should have requested assurance from third party of strong server security and constant checking of scripts to ensure they are not modified.
  • 9. What the business did wrong Don’t assume the third party is responsible. Remember, anything written or included on a merchant’s ecommerce website is their own responsibility.
  • 10. SecurityMetrics We Protect Business Services PCI, HIPAA, & data security solutions for businesses of all sizes Qualifications Global provider of ASV, QSA, PFI, PA QSA, P2PE services Experience Assisted over 1 million organizations with compliance needs