topic magecart mitigation in Tech Talk https://community.isc2.org/t5/Tech-Talk/magecart-mitigation/m-p/14749#M456 <P>I have created an electron app to simulate magecart entirely client side (so not a true reflection).</P><P>&nbsp;</P><P>It's at&nbsp;<A href="https://github.com/kempy007/magecart-shim" target="_blank">https://github.com/kempy007/magecart-shim</A></P><P>&nbsp;</P><P>Does anyone know of any techniques that could mitigate this risk?</P><P>&nbsp;</P><P>Owasp have a good article here <A href="https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet" target="_blank">https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet</A></P><P>&nbsp;</P><P>However I don't feel it would be possible to prevent a script coming from client side from scraping the data, what the owasp article mentions would all be server side control.</P><P>&nbsp;</P> Wed, 19 Sep 2018 07:55:45 GMT Kempy 2018-09-19T07:55:45Z magecart mitigation https://community.isc2.org/t5/Tech-Talk/magecart-mitigation/m-p/14749#M456 <P>I have created an electron app to simulate magecart entirely client side (so not a true reflection).</P><P>&nbsp;</P><P>It's at&nbsp;<A href="https://github.com/kempy007/magecart-shim" target="_blank">https://github.com/kempy007/magecart-shim</A></P><P>&nbsp;</P><P>Does anyone know of any techniques that could mitigate this risk?</P><P>&nbsp;</P><P>Owasp have a good article here <A href="https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet" target="_blank">https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet</A></P><P>&nbsp;</P><P>However I don't feel it would be possible to prevent a script coming from client side from scraping the data, what the owasp article mentions would all be server side control.</P><P>&nbsp;</P> Wed, 19 Sep 2018 07:55:45 GMT https://community.isc2.org/t5/Tech-Talk/magecart-mitigation/m-p/14749#M456 Kempy 2018-09-19T07:55:45Z Re: magecart mitigation https://community.isc2.org/t5/Tech-Talk/magecart-mitigation/m-p/14751#M458 <P>The best answer to mitigate this threat is to implement content security policy headers.</P><P>&nbsp;</P><P><A href="https://www.pluralsight.com/courses/defending-javascript-keylogger-attacks-pci" target="_blank">https://www.pluralsight.com/courses/defending-javascript-keylogger-attacks-pci</A></P> Wed, 19 Sep 2018 13:11:51 GMT https://community.isc2.org/t5/Tech-Talk/magecart-mitigation/m-p/14751#M458 Kempy 2018-09-19T13:11:51Z