{
	"id": "258c1c52-90eb-4958-8682-813df533b1ae",
	"created_at": "2026-04-06T00:12:02.180165Z",
	"updated_at": "2026-04-10T13:13:06.301466Z",
	"deleted_at": null,
	"sha1_hash": "4d302f0337f30bae51a162132e1bde5aa82db975",
	"title": "CSP, the Right Solution for the Web-Skimming Pandemic?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 392711,
	"plain_text": "CSP, the Right Solution for the Web-Skimming Pandemic?\r\nBy Idan Cohen\r\nPublished: 2020-11-29 · Archived: 2026-04-05 19:09:02 UTC\r\nI’ve been asked a lot about Content Security Policy (CSP) as a possible solution for Magecart and other web-skimming attacks lately. Companies, mostly eCommerce sites, are actively looking for a way to handle this emerging threat. CSP, which is not a costly solution, has become an integral part of many security toolboxes. But is it the solution you really need to fight Magecart?\r\nThe Third-Party App Challenge\r\nModern eCommerce websites and business platforms use dozens of external third-party apps to enhance their user engagement, site performance and conversion metrics. Third-party applications for analytics, heat-maps, ads, and chats are good examples.\r\nUnfortunately, it’s not a bed of roses. These external applications are loaded remotely and can create additional entry points for an attacker, which are not protected by any of the traditional security controls such as a WAF or IPS. Risks can escalate fast, as the modern eCommerce business has to deal with cybercrime, supply-chain attacks, breaches, financial damages, accountability, reputational damage, compliance, and safety audits.\r\nThis is especially true since the rise of the new Magecart threat. Magecart essentially involves hacking groups that specialize in gaining unauthorized access to websites and injecting malicious code into checkout pages. And how do they gain access? By exploiting third-party applications, a common phenomenon in the eCommerce space.\r\nhttps://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218\r\nPage 1 of 6\r\nMany Magecart attacks have been exposed in recent years. For example, over 10,000 online shoppers were attacked during September 2020, in what was identified as a zero-day Magento exploit (sold on dark web markets). Almost 2,000 eCommerce websites (mainly checkout pages) were targeted with a payment-card skimmer.\r\nThis methodology is basically malicious JavaScript (JS) code that detects sensitive user activity, such as the typing of credit-card numbers, passwords or any kind of Personally Identifiable Information (PII). Shopping cart checkouts are the most desired target due to the involvement of payment details and personal information.\r\nThese attacks are evolving at a rapid pace. It’s an arms race between the evolving malicious attacks and defenders trying to block them with tools like CSP.\r\nContent Security Policy (CSP)\r\nContent Security Policy (CSP) is a computer security standard introduced in 2004 to combat malicious activity such as cross-site scripting (XSS), clickjacking, and other client-side code injections resulting from the execution of malicious code in trusted webpages.\r\nPutting CSP into action requires adding a Content-Security-Policy HTTP header to the webpage and assigning the required values to fully control the resources end-users can load and the destinations they can go to. These elements can be scripts, pictures, videos, forms and more. By doing so, it makes Magecart attacks harder to pull off.\r\nIn theory, if the attacker wants to load a malicious script from www.malicious.com and the CSP has been configured not to load external scripts, the attack will be fully blocked. However, a well-planned policy is required to make CSP work effectively. A policy is a predetermined set of directives that determine what resources (fonts, images, multimedia and, most importantly, scripts) will be needed and used for a safe and secure browsing environment. Please visit Manisha Sangwan’s article for additional details.\r\nCSP has fought many online battles since its inception back in 2004, when it was referred to as Content Restriction. CSP was created to combat the very commonly executed XSS attacks. I won’t elaborate on XSS in this article, but please check MRunal’s “What is Cross-Site Scripting” article to learn more.\r\nUnfortunately, due to the rise of these risks, CSP might not be the stand-alone solution everyone is looking for. As we’ll see in the next section, Magecart and other web-skimming attacks are now gaining the upper hand.\r\nWhy is CSP Not Enough?\r\nFor starters, having a Content Security Policy is a good thing. If you have the resources to manage it, go for it. However, like any security solution, the results may vary. The best-case scenario is that you gain only partial Magecart protection, with multiple shortcomings to deal with on a daily basis.\r\nThe Blacklist/Whitelist Approach\r\nThe first problem with CSP is that, by whitelisting a trusted domain or an app, you are whitelisting everything inside that domain, regardless of its actual behavior. That’s the main problem with the blacklist/whitelist approach. You are not approving the actions and data; you are just whitelisting everything.\r\nThis issue can create three different types of attack vectors:\r\n1. A third-party app breach won’t be blocked by CSP. This is because the site owner has already approved the third-party domain. If the attacker can access the third-party domain, the CSP will let the script run without any interference. I agree that good CSP directives might create additional effort for an attacker to extract the data to a second, unauthorized domain, but the attack will still take place, leaving the attacker with enough playground to bypass it and complete the attack, as demonstrated in Bhavesh Thakur’s article about CSP Bypass Techniques.\r\n2. Breach the on-site servers. Most of the famous Magecart attacks targeted internal, unsecured servers and scripts in the organization and injected malicious code there. It’s a common practice to allow scripts to be loaded from the website’s internal domains, which bypasses the entire idea of CSP. It’s almost impossible to manage all the local scripts using CSP.\r\n3. Use a common global service to extract personal data. For example, this HackerOne research by Aaron Costello shows that the Google Analytics API could be used to hack into eCommerce websites and other online businesses. As Google Analytics can collect any data defined in the control panel, the attackers can just inject their own “Google Analytics” scripts into the website. They will be whitelisted by CSP, and the data will be leaked. Good luck tracking all of the inputs being collected by dozens of third parties using CSP.\r\nCSP: A High-Maintenance Solution\r\nYou might be thinking now — “Well, if CSP won’t help at all, why bother?” Yes, even with CSP, attackers can still leak data through internal and external breaches, or just exploit some online service. But I’m not saying it won’t help. CSP is a strong solution that may help block attacks or make attackers work harder, which is a good thing! Do it.\r\nBut the second problem is maybe the trickier one.\r\nCSP is a high-maintenance solution. As stated above, you need to define a whitelist and blacklist policy for specific domains or scripts. It requires hands-on management and maintenance to achieve satisfactory results.\r\nLet’s say you have 50 third parties on a given website, each of which uses several scripts and domains. Now what? You will find yourself working hard to keep it all updated and running. Some companies might have the required resources for it, but for most this is an overwhelming task. Either way, it will create a big headache: every script change will be blocked in production, which secures your site, but the same may apply to important actions needed by the digital or marketing team. Beyond that, CSP can also hurt the website’s daily performance.\r\nAn average eCommerce website uses 50 to 60 third-party apps. Can security teams handle the risks each third party creates, continuously?\r\nFinal thoughts\r\nCSP is still an effective weapon, but it’s hard to recommend it as a stand-alone solution. It should ideally be combined with additional measures, such as discovery tools, validation tests and a strict script policy, to ensure a reasonable resource cost.\r\nAnother interesting solution that might work better than CSP against these kinds of attacks is Subresource Integrity (SRI). It might be a better value-cost solution to battle Magecart, if done right. We will talk more about SRI in my next article. In the meanwhile, let’s keep websites safe!\r\nAbout me: I’m the CEO and co-founder of Reflectiz, a cybersecurity company. Reflectiz is the first website-sandbox solution that mitigates the risk of third-party apps.\r\nSource: https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218"
	],
	"report_names": [
		"csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d302f0337f30bae51a162132e1bde5aa82db975.pdf",
		"text": "https://archive.orkl.eu/4d302f0337f30bae51a162132e1bde5aa82db975.txt",
		"img": "https://archive.orkl.eu/4d302f0337f30bae51a162132e1bde5aa82db975.jpg"
	}
}