Cloudflare, the Internet infrastructure and security company that provides content delivery network services, DDoS mitigation, Internet security services, and domain name services to 25 million Internet properties, today expanded their offerings with a new service called Page Shield.
Page Shield is a client-side security offering that helps websites protect their users' information from supply chain and client-side attacks, such as Magecart.
Magecart is an umbrella term for several different threat groups who all use a similar digital skimmer attack on e-commerce websites. Digital skimming, also known as e-skimming, leverages vulnerabilities and injects malicious JavaScript into a targeted site in the hope of skimming credit card or digital payment information. Under regulations like GDPR and California Consumer Privacy Act (CCPA), failing to protect consumer's personal and financial details can be costly for companies. For example, in the UK, the Information Commissioner's Office (ICO) fined British Airways (BA) £20m for failing to protect more than 400,000 of its customers exposed via a Magecart attack.
Two methods of protecting against these types of attack surfaces include using a Content Security Policy (CSP) and Subresource Integrity (SRI). CSP enables application owners to send an allowlist to the browser, preventing any resource outside of those listed to execute. SRI enables application owners to specify an expected file hash for JavaScript and other resources. If the fetched file doesn’t match the hash, it is blocked from executing. While both offer protection against malicious script, each has drawbacks and limitations.
Cloudflare is positioning Page Shield to help customers address this threat without the operational complexity of maintaining things like the allow list in CSP. In addition, Page Shield can be quickly enabled from Cloudflare's site making integration quick and painless. "Because of where Cloudflare sits on the network when you visit a website that Cloudflare protects, you're visiting Cloudflare first. Because of this, we can modify the webpage as it comes through to a customer's site," says John Graham-Cumming, the CTO of Cloudflare. "One of the things that allow us to do is change HTTP headers, inject JavaScript, hash the page, and do all sorts of security-related things."
Cloudflare is part of a growing number of companies that operate between a customer's network and a cloud provider/on-prem network, or what the LFEdge calls the Service Provider Edge. The Service Provider Edge consists of infrastructure on the other side of the last mile network in what has been traditionally the space of Content Delivery Networks.
Cloudflare's location in the request path allows these real-time security changes to be enabled quickly without a significant developer investment from a customer’s team.
In the initial version of Page Shield, Cloudflare enables a feature they call Script Monitor. Script Monitor automatically injects and then leverages the HTTP Content-Security-Policy-Report-Only response header. The Content-Security-Policy-Report-Only response header allows violation reports to be generated on the site and sent back to Cloudflare.
The report enables Cloudflare to monitor what JavaScript is being executed on that page. Comparing the executing JavaScript on a site’s page to the site's historic dependencies of that zone, Cloudflare then alerts customers about changes to libraries on the site.
While the initial release monitors (not blocks scripts), follow-on releases to Page Shield according to Graham-Cumming will have much more capabilities. Future plans include leveraging machine learning to be able to classify threat patterns used by malicious actors like Magecart and offer active scanning to detect and block malicious scripts. "Ultimately, down the line, we'll allow customers to no longer directly use third-party JavaScript but pass it through us for inspection," says Graham-Cumming.
Supply chain and client-side attacks, such as Magecart, continue to evolve and have been part of several zero-day attacks. The risk to a company’s customers and potential fines are high. Cloudflare’s Page Shield joins available options such as CSP and SRI in combating the risk.
Starting today, business and enterprise Cloudflare customers can sign up to join the closed beta for Page Shield. By joining the beta, customers will be able to activate Script Monitor and begin monitoring their site's JavaScript.