What is formjacking?
I just heard a very confused news broadcast about Symantec warning the world about the dangers of formjacking. The newsreader said it involved “hacking the form, not the website”, whatever that means.
I googled around and found a Symantec blog post about it, where they describe the attack as follows:
- The attacker “injects” malicious JavaScript into the targeted webpage
- The user fills out the form on that webpage
- The JavaScript sends the entered data to the server of the attacker.
However, I would say that if an attacker has write access to the code on the server, formjacking is the least of your concerns (and not the actual vulnerability – whatever gave them access is).
Why is formjacking the big deal (it was on the national news where I live) and not the fact that tons of websites (among which British Airways according to Symantec) have a ridiculously large vulnerability that allows attackers access to their servers?
Tags: javascript, web, information-gathering
asked 6 hours ago by 11684
2 Answers
The Symantec article you are referring to is like this one.
Looking at the graphic:
Point 1 is what is generally the most interesting to security researchers, because that is where the vulnerability is.
Points 2 and 3 just show what might be possible with such a vulnerability. For example, JavaScript can be used in phishing attacks (show a fake form) or to read out any data the user enters into forms. This is what Symantec calls formjacking, but it's of course nothing new.
Their article also has a section "How are websites being compromised?", which will likely interest you.
Vulnerabilities do indeed include the option to change server-side code, though not necessarily of the main application, but especially in JavaScript dependencies.
Issues with including 3rd-party JavaScript are of course nothing new either. Burp, e.g., calls it "Cross-domain script include", and OWASP warns about it as well. Including 3rd-party scripts always requires complete trust in the 3rd party as well as trust in their security processes.
> Why is formjacking the big deal
Good marketing on the part of Symantec?
edited 29 mins ago by aloisdg; answered 5 hours ago by tim
I agree. Formjacking is not a vulnerability, but a type of attack that can be executed if the attacker already has write access to the webroot of the victim, or to the webroot of another site that has the full trust of the victim.
Therefore, formjacking might also be an issue if the victim's webroot is safe, but they dynamically include third-party code or just try to serve ads, which also frequently leads to malformed trust relationships.
Formjacking is interesting, as the victim of the attack is the customer of the company the attacker is targeting, and groups like Magecart have already earned quite some money with it.
answered 5 hours ago by Euphrasius von der Hummelwiese