SlideShare a Scribd company logo

Auditing Archives: The Case of the Evil Java Script

Download as PPTX, PDF
SecurityMetrics
SecurityMetrics

Virtually all ecommerce sites add or include third party scripts to their website. The problem comes when a web developer includes third party script on pages that accept sensitive information (e.g., payment page, login page).

Small Business & Entrepreneurship
1 of 10
Auditing Archives Series The Case of the Evil JavaScript
Business background Small ecommerce parts dealer hired third party analytics expert to track site statistics.
Business background Included third party’s JavaScript on all website pages, including customer checkout page. Script dynamically loads from third party servers each time page loads.
What is included JavaScript (or included code)? JavaScript is programming script language used when writing a website that interacts with a user’s browser. These scripts can be written by company developers or included from external web sources.
How hackers could get in Cybercriminals could successfully hack third party server that hosted analytic JavaScript. They could rewrite the script so it would secretly search for and access any information contained on or entered into web pages it was included on.
How hackers could get in Malicious JavaScript could copy payment information each time a customer entered a credit card on the small parts dealer’s checkout page.
What the business did wrong Dynamically including third party JavaScript on a page that accepts sensitive information (e.g., login pages, payment pages) is not a secure practice.
What the business did wrong Ecommerce merchant should have requested assurance from third party of strong server security and constant checking of scripts to ensure they are not modified.
What the business did wrong Don’t assume the third party is responsible. Remember, anything written or included on a merchant’s ecommerce website is their own responsibility.
SecurityMetrics We Protect Business Services PCI, HIPAA, & data security solutions for businesses of all sizes Qualifications Global provider of ASV, QSA, PFI, PA QSA, P2PE services Experience Assisted over 1 million organizations with compliance needs

Recommended

Qone8.com
Qone8.comQone8.com
Qone8.comjanglinghan
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkSecurityMetrics
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeSecurityMetrics
 
GamaSec web vulnerability remediation as a service
GamaSec web vulnerability remediation as a serviceGamaSec web vulnerability remediation as a service
GamaSec web vulnerability remediation as a serviceAvi Bartov
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Webandres1422
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersAndrey Apuhtin
 
xss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfxss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfyashvirsingh48
 

Recommended

Qone8.com
Qone8.comQone8.com
Qone8.comjanglinghan
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkSecurityMetrics
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeSecurityMetrics
 
GamaSec web vulnerability remediation as a service
GamaSec web vulnerability remediation as a serviceGamaSec web vulnerability remediation as a service
GamaSec web vulnerability remediation as a serviceAvi Bartov
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Webandres1422
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersAndrey Apuhtin
 
xss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfxss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfyashvirsingh48
 
Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)Massimo Paolini
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
XSS Exploitation
XSS ExploitationXSS Exploitation
XSS ExploitationHacking Articles
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
CLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptxCLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptxagniva pradhan
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online bankingJakub Kałużny
 
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...HakTrak Cybersecurity Squad
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecuritySrivigneshwar R Prasad
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceRitwik Das
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Nordic APIs
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?Osei Fortune
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Vishrut Sharma
 
10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraudWebSitePulse
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilitiesAngelinaJasper
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET Journal
 
OWASP Top 10
OWASP Top 10OWASP Top 10
OWASP Top 10Arthur Shvetsov
 
Hipaa Reality Check
Hipaa Reality CheckHipaa Reality Check
Hipaa Reality CheckSecurityMetrics
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementSecurityMetrics
 

More Related Content

Similar to Auditing Archives: The Case of the Evil Java Script

Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)Massimo Paolini
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
CLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptxCLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptxagniva pradhan
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online bankingJakub Kałużny
 
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...HakTrak Cybersecurity Squad
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceRitwik Das
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Nordic APIs
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?Osei Fortune
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Vishrut Sharma
 
10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraudWebSitePulse
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilitiesAngelinaJasper
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET Journal
 

Similar to Auditing Archives: The Case of the Evil Java Script (20)

Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)Google Analytics What's Next (SVCC 2010)
Google Analytics What's Next (SVCC 2010)
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
XSS Exploitation
XSS ExploitationXSS Exploitation
XSS Exploitation
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
 
CLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptxCLIENT SIDE PROCESSING.pptx
CLIENT SIDE PROCESSING.pptx
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online banking
 
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci compliance
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
 
10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud
 
Security testing
Security testingSecurity testing
Security testing
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
 
OWASP Top 10
OWASP Top 10OWASP Top 10
OWASP Top 10
 

More from SecurityMetrics

Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementSecurityMetrics
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach SecurityMetrics
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical DevicesSecurityMetrics
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditSecurityMetrics
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101SecurityMetrics
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecurityMetrics
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? SecurityMetrics
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisSecurityMetrics
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA AuditSecurityMetrics
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesSecurityMetrics
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? SecurityMetrics
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data BreachSecurityMetrics
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationSecurityMetrics
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken MalwareSecurityMetrics
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsSecurityMetrics
 
What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?SecurityMetrics
 
How Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessHow Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessSecurityMetrics
 
Mobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data CompromiseMobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data CompromiseSecurityMetrics
 

More from SecurityMetrics (20)

Hipaa Reality Check
Hipaa Reality CheckHipaa Reality Check
Hipaa Reality Check
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping Supplement
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical Devices
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS Audit
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored?
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk Analysis
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your Empolyees
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards?
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless Investigation
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
 
What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?
 
How Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessHow Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for Business
 
Mobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data CompromiseMobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data Compromise
 

Recently uploaded

How Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxHow Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxDiversity In Toys
 
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSESEXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSESMotiveflikr Media
 
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCCARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCFikrie Omar
 
Famedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . FullsailFamedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . Fullsailfergusonamani
 
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfEnabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfSmartinfologiks
 
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...StartupSprouts.in
 
Dàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptxDàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptxdmtillman
 
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893Health
 
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...Escorts service
 
Supply Chain Location Decision and Management
Supply Chain Location Decision and ManagementSupply Chain Location Decision and Management
Supply Chain Location Decision and Managementirahtarando
 
How to structure your pitch - B4i template
How to structure your pitch - B4i templateHow to structure your pitch - B4i template
How to structure your pitch - B4i templateFerruccio Martinelli
 
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...ZurliaSoop
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607dollysharma2066
 
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.inEV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.inStartupSprouts.in
 
Indian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girlsIndian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girlsMonica Sydney
 

Recently uploaded (15)

How Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxHow Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptx
 
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSESEXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
 
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCCARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
 
Famedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . FullsailFamedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . Fullsail
 
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfEnabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
 
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
 
Dàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptxDàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptx
 
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
 
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
 
Supply Chain Location Decision and Management
Supply Chain Location Decision and ManagementSupply Chain Location Decision and Management
Supply Chain Location Decision and Management
 
How to structure your pitch - B4i template
How to structure your pitch - B4i templateHow to structure your pitch - B4i template
How to structure your pitch - B4i template
 
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
 
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.inEV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
 
Indian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girlsIndian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girls
 

Auditing Archives: The Case of the Evil Java Script

  • 1. Auditing Archives Series The Case of the Evil JavaScript
  • 2. Business background Small ecommerce parts dealer hired third party analytics expert to track site statistics.
  • 3. Business background Included third party’s JavaScript on all website pages, including customer checkout page. Script dynamically loads from third party servers each time page loads.
  • 4. What is included JavaScript (or included code)? JavaScript is programming script language used when writing a website that interacts with a user’s browser. These scripts can be written by company developers or included from external web sources.
  • 5. How hackers could get in Cybercriminals could successfully hack third party server that hosted analytic JavaScript. They could rewrite the script so it would secretly search for and access any information contained on or entered into web pages it was included on.
  • 6. How hackers could get in Malicious JavaScript could copy payment information each time a customer entered a credit card on the small parts dealer’s checkout page.
  • 7. What the business did wrong Dynamically including third party JavaScript on a page that accepts sensitive information (e.g., login pages, payment pages) is not a secure practice.
  • 8. What the business did wrong Ecommerce merchant should have requested assurance from third party of strong server security and constant checking of scripts to ensure they are not modified.
  • 9. What the business did wrong Don’t assume the third party is responsible. Remember, anything written or included on a merchant’s ecommerce website is their own responsibility.
  • 10. SecurityMetrics We Protect Business Services PCI, HIPAA, & data security solutions for businesses of all sizes Qualifications Global provider of ASV, QSA, PFI, PA QSA, P2PE services Experience Assisted over 1 million organizations with compliance needs