98 percent of top US websites not prepared against attacks
Most websites in the US Alexa 1000 ranking are not prepared to face advanced client-side attacks such as Magecart, according to analysis carried out by Tala Security.
Findings from the Tala 2019 State of the Web Report show that the average website relies on 31 third parties. Nearly two-thirds (63 percent) of the externally loaded JavaScript code executed in the browser is written and/or managed by third parties.
Most sites use forms to collect PII and financial data from the user. This form data is defined by the website owner's code architecture to be intentionally sent to an average of 1.6 domains. However, in reality, due to the reliance on third-party integrations, form data is exposed to an average of 15.7 third-party domains.
In addition, 87 percent of websites were found to include innerHTML, which allows JavaScript code to write raw markup directly into the page being displayed. This is a common injection point attackers use to launch cross-site scripting (XSS) attacks.
Dynamic JavaScript code was found on more than 60 percent of websites. This code is not loaded statically; instead, a static JavaScript command loads it at runtime. This kind of 'piggybacking' creates a larger attack surface for hackers to exploit.
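As an added illustration (not code from the Tala report or its tooling), the following audit inventories the three signals described above in a page script: innerHTML sinks, dynamically injected script elements, and the third-party hosts the script talks to. It is a regex heuristic over source text rather than a full parser, and the sample script and host names are constructed.

```javascript
// Heuristic patterns for the signals the report counts (assumed, not Tala's):
// raw-HTML sinks, dynamically created <script> elements, and absolute URLs.
const INNER_HTML_SINK = /\.innerHTML\s*=(?!=)|\binsertAdjacentHTML\s*\(/g;
const DYNAMIC_SCRIPT = /createElement\s*\(\s*['"]script['"]\s*\)/g;
const URL_HOST = /https?:\/\/([a-z0-9.-]+)/gi;

// Returns counts of risky sinks plus the set of hosts outside the first party.
// A subdomain of firstPartyHost counts as first party; everything else is
// part of the page's client-side "supply chain".
function auditScript(source, firstPartyHost) {
  const thirdPartyHosts = new Set();
  for (const m of source.matchAll(URL_HOST)) {
    const host = m[1].toLowerCase();
    if (host !== firstPartyHost && !host.endsWith('.' + firstPartyHost)) {
      thirdPartyHosts.add(host);
    }
  }
  return {
    innerHtmlSinks: (source.match(INNER_HTML_SINK) || []).length,
    dynamicScriptLoads: (source.match(DYNAMIC_SCRIPT) || []).length,
    thirdPartyHosts: [...thirdPartyHosts].sort(),
  };
}

// Constructed sample: a static snippet that "piggybacks" a dynamically loaded
// third-party tag, writes raw HTML into the DOM, and posts form data both to
// the site's own API and to an external beacon endpoint.
const SAMPLE_SOURCE = `
  const s = document.createElement('script');
  s.src = 'https://tags.example-analytics.net/loader.js';
  document.head.appendChild(s);
  document.getElementById('greeting').innerHTML = 'Hi ' + location.hash.slice(1);
  fetch('https://api.shop.example/checkout', { method: 'POST', body: form });
  fetch('https://collect.example-ads.com/beacon', { method: 'POST', body: form });
`;

console.log(auditScript(SAMPLE_SOURCE, 'shop.example'));
```

Running the audit over every script a page loads, and comparing the resulting host list with the domains the form is intended to reach, is one way to measure the gap between intended and actual data exposure that the report describes.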
"The number one enemy of enterprise website security is lack of awareness about what's 'under the hood' from an integration and architecture standpoint. This is basically a website's 'supply chain'," says Aanand Krishnan, founder and CEO of Tala Security. "The fundamental issue with the way today's websites are secured is that user data is greatly exposed to third-party applications and services that have not been properly vetted. While Magecart is the most well-known, there are many other attacks that leverage client-side vulnerability. It's imperative that organizations keep security top-of-mind and expand their perspective on what has become a pervasive attack vector -- the organization's website."
You can find out more in the full report, which is available from the Tala site.