
This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Sep 18, 2019 — Application Security expert

Introducing A New Weapon in War Against Browser Data Exfiltration


We’re proud to announce that our team has made valuable enhancements to our web application protection solution to combat data exfiltration by browser-centric attacks, a rampant threat.

We recently released major innovations for our Arxan for Web product that enhance protection against malicious browser extensions, banking trojans, malvertisements and other attacks that result in consumer data being exfiltrated directly from web apps to fraudulent web sites — all to be used in secondary, follow-on fraud or theft:

  • Arxan for Web now includes the industry’s first in-app firewall to ensure web applications running in the browser only connect to approved servers and API endpoints. One of the key data exfiltration techniques used in formjacking attacks, a common approach used by the Magecart threat groups, is to create a website to receive customer data from the browser without the customer’s or organization’s knowledge. Arxan’s in-app firewall prevents web applications from connecting to unauthorized servers, which would expose sensitive customer or financial data.
  • Additionally, a new domain lock feature detects if an app is running in the wrong domain, for example, inside an iFrame in a different web app in an attempt to trick an app or user into revealing sensitive data. Triggering the domain lock will engage automatic defensive measures and immediately alert the organization to the threat.
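
The two checks described in the bullets above, sketched as an added example (not Arxan's implementation; the hosts, function names and the `onBlocked` reporting hook are assumptions). It compares full origins exactly, so look-alike hosts and userinfo tricks fail the egress check:

```javascript
// Added illustration, not Arxan's code. Hosts and function names are hypothetical.
const APPROVED_ORIGINS = new Set([
  "https://shop.example.com",
  "https://api.example.com",
]);
const EXPECTED_HOSTS = new Set(["shop.example.com"]);

// Egress check: resolve the target the way the browser would, then compare
// the full origin (scheme + host + port) exactly. No substring or suffix
// matching, so "api.example.com.evil.test" never passes.
function isApprovedEndpoint(rawUrl, pageUrl, approved = APPROVED_ORIGINS) {
  let target;
  try {
    target = new URL(rawUrl, pageUrl);
  } catch {
    return false; // unparseable target: fail closed
  }
  if (target.protocol !== "https:") return false;
  return approved.has(target.origin);
}

// Domain lock: the page must be served from an expected host and must not be
// embedded in another document. In a browser, pass location.hostname and
// (window.top !== window.self).
function domainLockViolated(hostname, isFramed, expected = EXPECTED_HOSTS) {
  return isFramed || !expected.has(hostname.toLowerCase());
}

// Wrap a fetch-like function so requests to unapproved destinations are
// rejected and reported through the caller-supplied onBlocked hook.
function guardFetch(fetchImpl, pageUrl, onBlocked) {
  return (input, init) => {
    const url = String(input.url ?? input); // Request, URL object or string
    if (!isApprovedEndpoint(url, pageUrl)) {
      onBlocked(url);
      return Promise.reject(new Error("blocked request to unapproved endpoint"));
    }
    return fetchImpl(input, init);
  };
}
```

Browsers can enforce the same allow-list and framing rule natively through the Content-Security-Policy `connect-src` and `frame-ancestors` directives, which are worth setting alongside any in-page check.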

The Growing Threats

To adopt modern application architectures, organizations increasingly rely on APIs to drive innovation and speed of development and to provide new monetization opportunities. But, according to OWASP’s new API Security Top 10 2019 report, “By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this, APIs have increasingly become a target for attackers.” [1] Exposing APIs and moving business logic to the client side of applications, outside the protection of traditional network security, creates a massive new attack surface. This increases the risk of formjacking, DOM tampering, session abuse, overlay attacks, API abuse, and more.

Additionally, the threat of Magecart groups is alarming, particularly for organizations that rely on eCommerce revenue to drive business growth. According to Symantec, more than 4,800 websites are compromised by formjacking every month. [2]

Arxan for Web’s in-app firewall and domain lock feature protect against those threats.

Rusty Carter, our VP of Product Management at Arxan, explains, “Arxan for Web enables organizations to protect their web applications, web properties, and APIs against all three data exfiltration phases – reconnaissance, weaponization, and exploitation – providing critical visibility into attacks targeting the client-side of the application and preventing harm to the organization. Where traditional Web Application Firewalls (WAFs) can only control and inspect traffic to the datacenter, Arxan protects applications from the endpoint to the server and back-end systems.”

To learn more about protecting APIs against web and mobile breaches, register for our webinar featuring special guest Forrester: http://bit.ly/APIprotectionwebinar


[1] https://www.owasp.org/index.php/OWASP_API_Security_Project

[2] https://www.symantec.com/blogs/feature-stories/istr-2019-cyber-skimming-payment-card-data-hits-big-time

 
