Hacked? You can still prevent the damage.
Build a second line of defense in one line!
Is it possible that one line of code could save millions of dollars and spare a company a damaged reputation?
Suppose your company's website is vulnerable to a Cross-Site Scripting (XSS) attack.
Suppose your website was hacked.
XSS appears year after year in the OWASP Top Ten web application risks, and it is one of the easiest vulnerabilities to introduce and to exploit.
Well, for British Airways that was the real case.
In late 2018, British Airways customers' payment and personal data were compromised. (British Airways eventually confirmed that the compromised data included names, email addresses and credit card information such as card numbers, expiry dates and the three-digit CVV code.)
Approximately 500 000 customers were victimized by this attack.
This caused serious reputation damage and actual fines from the authorities.
Surprisingly, one line of code could have prevented this security breach and saved British Airways from these sad consequences.
It is important to emphasize that the following mechanism would not, by itself, protect the organization from being attacked; however, it would significantly reduce the damage and prevent attackers from leaking sensitive data.
In this case, exploiting the XSS would not give the hackers anything of significant value.
Applying a Content Security Policy (CSP) that prevents the page from sending data to unauthorized addresses or services is easy to do.
Nevertheless, the majority of websites do not include this security mechanism in their configuration, and by that they give up one of the most important security layers.
Applying a CSP may require deep knowledge of your website, since a policy can easily block crucial services and disrupt or break the website's expected functionality.
Recently, malicious actors have found various evasion techniques to get past ordinary CSP protection.
Hence, to avoid this, the remediation is to tighten the CSP configuration as much as possible and to tailor it specifically to your website.
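To make the "one line" concrete, here is an added example (not MagniSec's product or code, and not code from the original post) of the CSP directives that decide where a page is allowed to send data, together with a small evaluator that answers the question a defender actually cares about: given this policy, would injected script be able to post the checkout form or fire a request to an outside host? The site (`www.example.com`), its API and CDN hosts, and the `attacker-placeholder.invalid` destination are all constructed for the example; the evaluator covers `'self'`, `'none'`, `*`, scheme sources such as `https:` and host sources with `*.` wildcards, and deliberately omits path matching, nonces and hashes.

```python
"""Evaluate whether a Content Security Policy lets a page send data to a destination.

Added example, not MagniSec's code. The two directives that govern exfiltration are
connect-src (fetch/XHR/sendBeacon/WebSocket) and form-action (form submissions).
Path matching, nonces and hashes are intentionally left out to keep the logic short.
"""
from urllib.parse import urlparse

# Constructed policy for a hypothetical shop at https://www.example.com.
# connect-src and form-action are the lines that block exfiltration even
# after an attacker has managed to inject script into the page.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "connect-src 'self' https://api.example.com; "
    "form-action 'self'; "
    "frame-ancestors 'none'"
)

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, *sources = tokens
        # A repeated directive is ignored by browsers; the first occurrence wins.
        directives.setdefault(name.lower(), [s.lower() for s in sources])
    return directives


def _effective_port(parsed):
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def _host_matches(pattern_host, host):
    """Exact host match, or '*.example.com' matching any subdomain (not the bare domain)."""
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])  # pattern_host[1:] keeps the leading dot
    return pattern_host == host


def source_allows(source, url, page_origin):
    """Does a single CSP source expression permit a request from the page to `url`?"""
    target = urlparse(url)
    page = urlparse(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (target.scheme, target.hostname, _effective_port(target)) == (
            page.scheme, page.hostname, _effective_port(page))
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. "https:"
        return target.scheme == source[:-1]
    # host-source: [scheme://]host[:port]; parse it as a URL by adding "//" if needed
    pattern = urlparse(source if "://" in source else "//" + source)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    if not pattern.scheme and target.scheme not in (page.scheme, "https"):
        return False  # scheme-less host sources match the page's scheme (or https)
    if not _host_matches(pattern.hostname or "", target.hostname or ""):
        return False
    if pattern.port is not None and pattern.port != _effective_port(target):
        return False
    return True


def is_allowed(policy, page_origin, kind, url):
    """kind is 'connect' (fetch/XHR/sendBeacon) or 'form' (form submission)."""
    directives = parse_csp(policy)
    if kind == "connect":
        sources = directives.get("connect-src", directives.get("default-src"))
    elif kind == "form":
        sources = directives.get("form-action")  # form-action does NOT fall back to default-src
    else:
        raise ValueError("kind must be 'connect' or 'form'")
    if sources is None:
        return True  # no applicable directive: the browser allows the request
    return any(source_allows(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    page = "https://www.example.com"
    checks = [
        ("connect", "https://api.example.com/pay"),
        ("connect", "https://collector.attacker-placeholder.invalid/c"),
        ("form", "https://www.example.com/checkout"),
        ("form", "https://collector.attacker-placeholder.invalid/"),
    ]
    for kind, dest in checks:
        verdict = "allowed" if is_allowed(SAMPLE_POLICY, page, kind, dest) else "BLOCKED"
        print(f"{kind:7} {dest:50} {verdict}")
```

Two points worth checking against your own policy with this evaluator: `form-action` has no fallback to `default-src`, so a policy that sets only `default-src 'self'` still lets injected script submit a form to an outside host, and a bare `*` or a scheme-only source such as `https:` in `connect-src` allows any host. When rolling a policy out, ship it first as `Content-Security-Policy-Report-Only` so the browser reports what it would block without breaking the services the page legitimately depends on.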
In order to prevent future web application attacks similar to this one, applying mechanisms such as a CSP is highly recommended.
MagniSec Web App Hardening provides a CSP implementation, fully adjustable to your website and services, in one click.
To counter attempts to bypass the CSP, MagniSec offers additional professional services.