Magecart PCI Advisory on CSP

August 2nd, 2019

Content Security Policy - CSP

An important update from the PCI Security Standards Council was issued August 1st defining a set of recommendations and guidance to address the growing threat posed by Magecart.

As many as 5000 websites are successfully attacked each month by exploiting a nearly universal client-side website security weakness that Magecart attackers target. The PCI Council's guidance states:


"Third party scripts should be monitored to detect changes and the changes be reviewed to identify any potentially malicious code before implementation. Using Content Security Policies (CSP) to restrict compliant browsers from executing JavaScript from sources which have not been explicitly whitelisted is…an added protection that should be incorporated."


The PCI DSS framework sets implementation-level requirements and strategies for processing, storing, transmitting and securing payment card transactions, and it defines in detail how cardholder data must be protected "in motion" and "at rest". This advisory is likely intended to address a critical omission in the current payment card lifecycle: data origination. Websites are now a primary and growing origination point for payment data as consumers have embraced e-commerce and website purchasing.

Today's internet-based marketplace is driven by continuous innovation aimed at streamlining the exchange of goods and services. In this web-based economy, the website is a primary and growing entry point for customer payment data: cardholders navigate to websites and routinely enter payment card data there. Providing that website, the origin point for payment data, creates a security and privacy obligation for the website owner. The website is the organization's property and its primary conduit for e-commerce, so it is incumbent on the website owner to ensure the origination point is secure.

Attackers like Magecart increasingly target the website because it is an attractive and vulnerable entry point for harvesting customer payment data at scale. Instead of attacking the well-defended server-side infrastructure of the website owner directly, Magecart follows the path of least resistance: the weakest link in the website supply chain, the largely unprotected client side, where first- and third-party scripts run in the shopper's browser with full access to the page and everything typed into it.

The scope of potential damage resulting from this client-side weakness is extensive:

  • Data Skimming
  • Payment Card Skimming
  • Formjacking
  • Keylogging
  • Screen Scraping
  • Clickjacking
  • Phishing
  • Web Injection
  • Ad Injection
  • Session Redirect
  • Form Field Manipulation
  • Defacement
  • Malware, Banking Trojan, and Ransomware Distribution

The PCI Council has recognized the need to account for this client-side website weakness, which has led to a set of security recommendations that includes deploying CSP. So what is CSP and how can it help? What follows is an overview of CSP, including frequently asked questions and some of the challenges of deploying it.

What is Content Security Policy (CSP)?

CSP is a browser-native security standard from the W3C (World Wide Web Consortium). CSP provides protection against client-side attacks including cross-site scripting, mixed-content loads (via upgrade-insecure-requests and block-all-mixed-content), clickjacking (via frame-ancestors), compromised third-party JavaScript (e.g., Magecart), ad injection, session redirects and other content injection attacks. A CSP can be deployed in enforcing mode to block violations or in report-only mode to detect them without blocking.

How does CSP work?

CSP protects against client-side attacks by restricting which code, content and network destinations a page may use. In enforcing mode, any load or action that violates the policy is blocked by the browser; in report-only mode (delivered as Content-Security-Policy-Report-Only) the browser allows the action but reports the violation, which is how most sites tune a policy before enforcing it. Some of the world's leading websites have implemented CSP protection.

What does the CSP policy contain, and how does it block attacks?

A CSP contains over a dozen directives such as script-src, img-src, font-src and connect-src. Each directive lets the website owner apply a specific control: the origins from which a given resource type may be loaded, the origins the browser may open connections to, the origins to which forms may be submitted (form-action), and the integrity of executable content such as inline scripts, which can be permitted only when they carry a matching hash or a per-response nonce.

How is CSP deployed ?

When a user visits a website that has implemented CSP, the browser receives the policy together with the page, as a Content-Security-Policy HTTP response header or as an HTML meta tag. CSP support is built into all modern desktop and mobile browsers, so the browser natively interprets the policy and enforces it to detect and block attacks.

As a website owner, do my website visitors/users have to download any extensions or plugins?

No. CSP activates browser-native security controls and requires no software download, plugin or extension, which makes the protection completely transparent to the end user. Because enforcement is built into the browser, it adds no extra client-side component and no meaningful performance overhead.

Which browsers have adopted CSP?

Most, if not all, of the major browsers support CSP, on both mobile and desktop platforms. You can get more details on browser support at caniuse.com by searching for CSP: https://caniuse.com/#search=csp.

What are some examples of CSP?

The script-src directive restricts the origins from which JavaScript may be loaded into the page. This is the directive that matters most for stopping unauthorized or malicious JavaScript from executing, as in Magecart attacks. The frame-src directive restricts the origins that may be loaded into iframes. The form-action directive restricts where form submissions may be sent, and connect-src restricts the destinations the browser may open connections to (fetch, XMLHttpRequest, WebSocket and sendBeacon); together these help detect and block unauthorized data exfiltration.
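To make the matching concrete, here is an added example (not code from the original post or from Tala) of how a browser decides whether a load satisfies script-src, connect-src or form-action. The checkout policy, the page origin shop.example, the CDN host and the skimmer host skimmer.attacker.example are all constructed for the example; it simplifies the CSP3 rules by treating a path in a source expression as a prefix and letting a scheme-less host source accept either http or https.

```javascript
// Added example (not from the original post): a minimal CSP source-expression
// matcher showing how script-src / connect-src / form-action decide whether a
// load is allowed. Policy, page origin and hosts are constructed;
// "skimmer.attacker.example" stands for a hypothetical injected skimmer host.
// Simplifications vs. CSP3: a path in a source expression is matched as a
// prefix, and a scheme-less host source accepts http or https.

const PAGE_ORIGIN = 'https://shop.example';

const CHECKOUT_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://js.stripe.com https://*.cdn.example; " +
  "connect-src 'self' https://api.stripe.com; " +
  "form-action 'self' https://checkout.stripe.com; " +
  'frame-src https://js.stripe.com; ' +
  'report-uri /csp-report';

// Directives that do NOT fall back to default-src when they are absent.
const NO_DEFAULT_FALLBACK = new Set(['form-action', 'frame-ancestors', 'base-uri']);

// Parse "name src src; name src" into Map<name, [sources]>; first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one source expression ('self', https:, host, *.host, ...) match a URL?
function matchesSource(expr, url, pageOrigin) {
  const u = new URL(url);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return u.origin === pageOrigin;
  if (e.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not URL matches
  if (e === '*') return /^https?:$/.test(u.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e; // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme ? u.protocol !== `${scheme}:` : !/^https?:$/.test(u.protocol)) return false;
  if (host.startsWith('*.')) {
    // "*.cdn.example" matches sub-domains only, never the bare "cdn.example".
    if (!u.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && u.hostname !== host) {
    return false;
  }
  if (port && port !== '*') {
    const actual = u.port || (u.protocol === 'https:' ? '443' : '80');
    if (actual !== port) return false;
  }
  return !path || u.pathname.startsWith(path);
}

// Would the browser allow `url` under `directive` for a page at `pageOrigin`?
function isAllowed(policy, directive, url, pageOrigin = PAGE_ORIGIN) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ??
    (NO_DEFAULT_FALLBACK.has(directive) ? undefined : directives.get('default-src'));
  if (sources === undefined) return true; // no governing directive: the browser allows it
  return sources.some((s) => matchesSource(s, url, pageOrigin));
}

// Loads a checkout page might attempt, including a hypothetical injected skimmer.
const LOADS = [
  ['script-src', 'https://shop.example/static/checkout.js'],
  ['script-src', 'https://js.stripe.com/v3/'],
  ['script-src', 'https://assets.cdn.example/ui.js'],
  ['script-src', 'https://cdn.example/ui.js'],
  ['script-src', 'https://skimmer.attacker.example/jquery.min.js'],
  ['connect-src', 'https://skimmer.attacker.example/collect'],
  ['form-action', 'https://checkout.stripe.com/pay'],
];

function evaluateLoads(policy = CHECKOUT_CSP) {
  return LOADS.map(([directive, url]) => ({ directive, url, allowed: isAllowed(policy, directive, url) }));
}

for (const r of evaluateLoads()) {
  console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'} ${r.directive} ${r.url}`);
}
```

Two details in the output are worth noticing. The skimmer is blocked twice, once as a script load and again when it tries to open a connection to post the card data, so connect-src is a second line of defence even if a script slips in. And the bare cdn.example host is blocked because `*.cdn.example` only matches sub-domains; that is the kind of surprise that shows up as a violation report when a policy is first rolled out in report-only mode.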

What type of reporting is available with CSP?

CSP supports reporting through the report-uri directive (and its successor, report-to): when a directive is violated, the browser sends a JSON violation report to the endpoint the policy names. This works in both enforcing and report-only mode, so the same endpoint serves to tune a new policy and, once enforced, to alert on blocked attacks. Each report identifies the page, the violated directive and the blocked URI, which is enough to tell an injected skimmer host from a forgotten vendor domain.
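What a report-uri endpoint receives, and how a security team might triage it, is shown in this added example (not code from the original post or from Tala). The report bodies are constructed samples in the report-uri JSON format; the sensitive-page paths, the vendor allowlist and the skimmer.attacker.example host are assumptions for the example.

```javascript
// Added example (not from the original post): triage of CSP violation reports as a
// browser posts them to a report-uri endpoint. The report bodies are constructed
// samples in the report-uri JSON format; the vendor allowlist, sensitive paths and
// the "skimmer.attacker.example" host are assumptions for the example.

const SENSITIVE_PATHS = [/\/checkout/, /\/payment/, /\/cart/];
// Directives whose violations can mean code execution or data leaving the page.
const DATA_DIRECTIVES = new Set(['script-src', 'script-src-elem', 'script-src-attr',
  'connect-src', 'form-action', 'frame-src', 'child-src']);
// blocked-uri values that are browser-extension noise, not attacks on the site.
const EXTENSION_SCHEMES = new Set(['chrome-extension', 'moz-extension',
  'safari-extension', 'ms-browser-extension']);
// Assumed allowlist of vendors the site legitimately integrates.
const KNOWN_VENDOR_HOSTS = new Set(['js.stripe.com', 'api.stripe.com', 'checkout.stripe.com']);

// Constructed sample reports (report-uri format wraps fields in "csp-report").
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'script-src',
    'violated-directive': "script-src 'self' https://js.stripe.com",
    'blocked-uri': 'https://skimmer.attacker.example/jquery.min.js', disposition: 'enforce' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'connect-src',
    'violated-directive': "connect-src 'self' https://api.stripe.com",
    'blocked-uri': 'https://skimmer.attacker.example/collect', disposition: 'enforce' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'effective-directive': 'script-src',
    'violated-directive': "script-src 'self'", 'blocked-uri': 'chrome-extension', disposition: 'report' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'effective-directive': 'img-src',
    'violated-directive': "img-src 'self'", 'blocked-uri': 'https://images.cdn.example/x.png' } },
  // Older browsers send only violated-directive with the whole directive value.
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout',
    'violated-directive': "script-src 'self'", 'blocked-uri': 'inline', 'script-sample': 'var c=document.forms[0]' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'effective-directive': 'script-src',
    'violated-directive': "script-src 'self'", 'blocked-uri': 'https://js.stripe.com/v3/' } },
];

// Hostname of a blocked URI, or null for non-URL values such as "inline" or "eval".
function blockedHost(blockedUri) {
  try { return new URL(blockedUri).hostname; } catch { return null; }
}

// Classify one report. Order matters: extension noise first, then a known vendor
// (a policy gap to fix, not an attack), then directives that can execute code or
// move data, graded by whether the page handles payment data.
function triageReport(report) {
  const r = report['csp-report'];
  const directive = r['effective-directive'] || r['violated-directive'].split(' ')[0];
  const blocked = r['blocked-uri'] || '';
  const host = blockedHost(blocked);
  const page = new URL(r['document-uri']).pathname;
  const sensitive = SENSITIVE_PATHS.some((re) => re.test(page));
  let severity;
  if (EXTENSION_SCHEMES.has(blocked.split(':')[0])) severity = 'noise';
  else if (host && KNOWN_VENDOR_HOSTS.has(host)) severity = 'policy-gap';
  else if (DATA_DIRECTIVES.has(directive)) severity = sensitive ? 'high' : 'medium';
  else severity = 'low';
  return { severity, directive, blocked: host ?? blocked, page, disposition: r.disposition ?? 'enforce' };
}

// Collapse a batch into counts per (severity, directive, blocked host) so one
// skimmer hitting thousands of shoppers becomes one line, not thousands of alerts.
function summarize(reports) {
  const counts = new Map();
  for (const t of reports.map(triageReport)) {
    const key = `${t.severity}|${t.directive}|${t.blocked}`;
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return counts;
}

function countBySeverity(reports) {
  const out = {};
  for (const t of reports.map(triageReport)) out[t.severity] = (out[t.severity] ?? 0) + 1;
  return out;
}

for (const [key, n] of summarize(SAMPLE_REPORTS)) console.log(`${n}\t${key}`);
```

In a real deployment the endpoint would parse the POST body (content type application/csp-report) and feed `summarize` per time window; the grouping is what keeps the alert volume discussed in the next section manageable, and the "policy-gap" bucket is how a report-only rollout finds legitimate vendors the policy forgot.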

What are some of the challenges of implementing CSP?

Implementing CSP manually can be administratively complex and time-consuming for security teams. Because websites change constantly and are upgraded regularly, the policy needs continuous adjustment. Errors in a CSP can break the website, and loosely written policies (for example, ones that allow 'unsafe-inline' for scripts or permit entire CDNs) offer little security benefit. And although CSP provides valuable insight into website attacks and behavior, the volume of violation reports can quickly overwhelm security teams.

How can Tala Security help?

One of Tala's core features is the dynamic deployment and continuous adjustment of CSP. We automate the entire process of policy generation, policy updating, policy implementation, alert analytics and incident management. With Tala, a website can be up and running with a CSP in minutes. Website attacks are prevented in real time, website performance is preserved, and the need for costly, continuous administration, remediation or incident response is minimized.

How does Tala Security work?

Tala leverages an AI-assisted analytics engine that evaluates over 50 unique indicators of a web page’s architecture and integrations. This comprehensive and continuous insight allows Tala to identify and automate the optimal deployment and dynamic adjustment of native, standards-based web security policies like Content Security Policies (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS) and other evolving web security standards.

Where can readers go to learn more about Tala, Magecart attacks and client-side web security?

Tala's blog on our website and our social media channels, LinkedIn and Twitter (@talasec), include a lot of educational content. Education and awareness around Magecart and website security are sorely lacking, and that is the #1 reason Magecart has been successful. Enterprises interested in understanding their risk exposure to Magecart and other client-side website vulnerabilities can get in touch with us by emailing websitenotify@talasecurity.io. We can offer a comprehensive risk analysis and Magecart simulation to help customers understand and guard against these types of attacks.

Aanand Krishnan, CEO and Founder of Tala Security
