Client-Side Website Attacks | Ensighten | CHEQ

Detect and Prevent Client-Side Website Attacks

Protect against existing and emerging cyberattack methods

What are client-side attacks?

Websites and web apps are rich, interactive products that put a great deal of functionality in front of users. A website or app has two main components, the server side and the client side. The server side stores code and data and processes requests; the client side is where the application is assembled and rendered, inside the user's browser.

Traditionally, attackers targeted the server side, looking for ways to break in and steal the assets stored there. Over time, organizations have deployed origin-focused security products to protect that data, and attackers, who move to the point of least resistance, have shifted to a different target: the application running in the browser on the user's device. By exploiting client-side weaknesses they insert themselves into the customer journey and siphon assets and data from there.


How a client-side online skimming attack happens

In a client-side skimming attack, the attacker gets malicious JavaScript to run in the visitor's browser while the visitor is on your site. That code may be injected directly into your own pages, but it is just as often introduced through one of your third-party vendors: a tag, widget or library that your pages load from a domain you do not control. In that case the attacker never has to touch your servers; changing the file the vendor serves is enough.

The browser is the client

Approximately 50 percent of the world's Internet traffic is delivered through a web browser. When a user accesses a website, they usually do so with a browser on a computer or smart device. The site's code, written by its developers, is delivered from servers down to the client, and the browser interprets and runs it to produce the experience the user sees: text, pictures and video, along with the ability to create accounts, browse catalogs, customize products, make purchases and more. Much of that functionality relies on the browser's capabilities.

JavaScript is the browser

JavaScript is the de facto client-side programming language, used by 97 percent of websites and web applications worldwide. When development teams build websites, they write their own JavaScript (first-party code), and they also pull in code from other sources (third-party code) to move faster: open-source libraries and frameworks (e.g., jQuery, AngularJS, React) and platforms that ship JavaScript components (e.g., WordPress, Drupal, Magento). A business that wants a chatbot or a checkout page, for instance, will not write the thousands of lines involved itself; it will load an existing, often open-source, library that delivers the functionality.

While use of JavaScript brings immense website and web app benefits, it also introduces substantial and often overlooked or misunderstood risks.

JavaScript is powerful and risky

JavaScript can implement complex features on a web page, including manipulating page elements and reading data the user enters. When a browser loads a website, it downloads code and content from the site owner's servers (within your control) and from any third-party hosts the page references (outside your control), then renders the result. If an attacker can hide malicious code in any of those downloaded resources, first or third party, the browser will run it with the same access to the page as the rest of the code. Security and compliance teams therefore inspect and validate JavaScript before it goes to production. On its own, that review falls short of preventing client-side attacks, because it covers only the version seen at release time: JavaScript that comes from external sources can change at any moment, without the site's developers knowing, and a browser that fetches it by URL will run whatever is served today.

“There is usually no guarantee that the code hosted at the third party will remain the same as seen from the developers and testers: new features may be pushed in the third-party code at any time, thus potentially breaking the interface or data flows and exposing the availability of your application to its users/customers.”

OWASP

Common types of client-side attacks

Magecart

The attackers grouped under the name Magecart made it notorious by finding weaknesses in Magento, the e-commerce platform used by thousands of online stores. By inserting malicious code into components those stores load, they had it cascade across Magento-powered websites, where it siphoned card data as shoppers typed it into checkout pages. Today the same technique is used across all industries against whatever vulnerable third-party technology a site happens to load.

Formjacking

More than 5,000 unique sites are compromised with malicious formjacking code every month, according to research. Formjacking occurs when criminals find web pages that include payment or data-collection forms and insert malicious JavaScript into them. The injected code takes over the page's form handling so that whatever the user types is copied and sent to a server the attacker controls, typically while the form continues to work as before, so neither the user nor the site operator notices.

Web skimming

Web skimming is one of the most prominent client-side attacks. A 2021 analysis by Ensighten suggests that 80-90 percent of organizations across industries are susceptible to web skimming. It is an attack that specifically targets organizations with the goal of stealing personal and financial data, and it is behind the theft of hundreds of thousands of payment and PII records.

CSS injection

Cascading Style Sheets (CSS) is used by 96 percent of websites and simplifies adding style (fonts, colors etc.) to web pages. Like JavaScript, CSS applies to the whole document: a rule can match any element on the page, including form fields, by its attributes. CSS injection happens when an attacker gets their own rules into the page's style context, for example through unescaped input that ends up inside a style block or attribute. Injected rules can make the browser request attacker-controlled URLs, such as background images or fonts, with selectors that fire only when an attribute holds a particular value, which leaks that value to a remote server one character at a time without any JavaScript. Attackers can also change how the page looks, altering or damaging the online experience.