Home / Use Cases / Application Security / Web Applications

Client-side Protection

Fortra Managed WAF protects users from browser-based, data-stealing attacks

In today’s evolving threat environment, safeguarding your attack surface extends well beyond your own web apps and APIs. Comprehensive web app and API protection now needs to encompass every environment you and your users interact with.

Gone are the days of only protecting the server-side of your environment. Now, it’s critical to implement client-side protection controls that eliminate reflected and inline cross-site scripting (XSS) attacks.

With Fortra Managed WAF, you’re protected where you’re interacting with your customers, practically eliminating XSS.

Fortra Manged WAF

Client-side Protection Controls

  • Eliminates both reflected and inline (stored) cross-site scripting (XSS) attacks. Since inline attacks are where most XSS attacks occur, Fortra Managed WAF drastically reduces this risk.
  • Identifies all inline, first- and third-party scripts, giving app owners a clear understanding of their attack surface scope, including authorization and enforcement controls.
  • Leverages modern browser security features to either alert or automatically block unauthorized or modified scripts from executing. This feature gives organizations comprehensive control of their web supply chain attack surface.
  • Addresses a critical gap found in other industry WAFs by comprehensively enforcing inline script integrity, a vital delivery mechanism utilized by most websites.
  • Runs only approved and untampered scripts; unapproved, modified or malicious scripts will not run.
  • Meets WAF requirements in compliance standards, including PCI DSS 4.0, to protect users’ payment information from data-stealing, in-browser attacks.
  • Utilizes page script protection to support both inline and external scripts. Unlike many other solutions on the market, there is no need to rewrite an application to convert all inline scripts to external scripts.
  • Includes client-side protection as an integrated feature. Most other solutions charge extra and provide client-side protection as an external module.
  • Fully managed service to assist with tuning of Content Security Policies and JavaScript inventories. Client-side webpage content management is now mandatory. Without fully managed service, a PCI merchant is one staff turnover away from non-compliance.
  • Provides managed services from Fortra itself (not a third-party partner). Our managed services team works hand-in-hand with the development team to deliver best-in-class solutions to our customers.

Meeting New WAF Requirements in PCI DSS 4.0

On March 31, 2024, PCI DSS 4.0 became the active version of this 20-year-old compliance standard. Most new requirements are identified as best practices until March 31, 2025, when they will become mandatory. Within these new requirements are several related to client-side protection and WAFs, with this protection being more strategic in proactively protecting sensitive data.

With the new PCI requirements, the intent is to reduce the attack surface as much as possible. There are two aspects to the client-side protection:

  • For page scripts (JavaScript), PCI Requirement 6.4.3 requires the PCI merchant to explicitly authorize scripts to execute on a client browser, as well as assure the integrity of all scripts and maintain an inventory of scripts. With Fortra Managed WAF, you’ll have a web application firewall that meets all of the aforementioned PCI requirements, effectively eliminating both reflected and inline cross-site scripting attacks.
  • PCI Requirement 11.6.1 mandates that PCI merchants maintain a temper-detection mechanism for the content of payment pages. Fortra Managed WAF not only monitors content for changes and tempering, but it can also actively stops tampered, unknown, or unauthorized scripts from running. This goes beyond the new PCI Requirement 11.6.1 and outperforms other WAF solutions that just alert you to content changes.

By blocking malicious scripts and content aimed at stealing payment card data and web skimming attacks like Magecart, Fortra Managed WAF provides stronger security and automatic compliance.

How Fortra Managed WAF Meets & Exceeds PCI DSS 4.0 Requirements

PCI Requirement
Minimum Requirement
Fortra Managed WAF
6.4.1, 6.4.2
  • Deploy a WAF
  • Vulnerability management
  • Enterprise grade features
  • Emerging threat coverage
  • Virtual patching
  • Expert optimized protections
6.4.3
  • A method to confirm each script is authorized
  • A method to assure the integrity of each script
  • An inventory of all scripts with written justification as to why each is necessary
  • Automated inventory of scripts
  • Approved mechanism
  • Unapproved scripts will not run
11.6.1

A change and tamper detection mechanism is deployed to:

  • Alert on unauthorized changes
  • Detect changes at least every 7 days
  • Real-time analysis of every payment page sent to client
  • Unauthorized changes are blocked from executing

 

“While it’s hard to put a price tag on it, it’s really priceless to sleep well at night, knowing that there is somebody watching over our environment.”
Cheng Zhou

Director of Site Reliability Engineering, Iodine Software

“People really trust the Alert Logic WAF, that it’s doing its job properly and not just blocking stuff for the sake of it, which is what we got with previous solutions.”
Alert Logic customer (anonymous)

Technology Services Firm

What is a Magecart attack?

In simplest terms, it is a class of web skimmer attacks that led to historic breaches at British Airways (BA), Ticketmaster, Newegg, and many other merchants. Threat actors compromised online merchants’ websites and installed software skimmers. When users accessed these platforms via their browsers and mobile apps, they unwittingly execute the software skimmer code and forward their credit card information to threat actors’ drop servers. In BA’s case, more than 500,000 customers users ’ credit and debit card details were stolen. BA was fined $229 million for security weakness as identified under GDPR.

A WAF with client-side protection would have detected the script changes and prevented the browser from executing the compromised script, effectively stopping the attack before it happens.

Ready to advance your web app and API security with Fortra Managed WAF?

Additional Resources

Blog

Client-Side Risks Under PCI DSS 4.0: What You Need to Know

Blog

PCI DSS 4.0: Understanding the Expanded Role of Web Application Firewalls

Press Release

New Vital Controls to Achieve PCI DSS 4.0 Compliance Now Available in Fortra Managed WAF