JavaScript Threats

Product Description

JavaScript Threats protects customer trust in online interactions by monitoring an organization's critical web applications for malicious JavaScript attacks, such as Magecart, intent on stealing site users' sensitive information. 

Organizations are increasingly moving core business transactions and functions online, which makes third-party JavaScript within high-priority web assets, such as payment pages or personal data entry forms, a major security risk yet a nearly unavoidable business practice. Because of this, malicious JavaScript injection is on the rise as a tactic for cyber-criminals, resulting in an ongoing series of extremely high-profile data breaches impacting hundreds of thousands of customers and costing hundreds of millions of dollars in fines and in lost customer business and trust for major companies across industries such as Retail, Professional Services, Finance, and Manufacturing.

JavaScript Threats leverages RiskIQ’s Internet intelligence datasets and proprietary virtual user crawling technology to provide unique visibility into which third-party resources are in use across an organization's web assets and how those resources change when rendered in a browser and served to a client. It also provides near real-time monitoring and alerting for newly added or changed resources that are malicious, suspicious, or SRI (sub-resource integrity) violations, thereby enabling the organization to detect JavaScript attacks and preserve the integrity of customers' interactions with its web assets.

JavaScript Threats is available for purchase either as a stand-alone solution for a given set of covered asset hosts / pages to scan, or as an add-on fully integrated into the RiskIQ Digital Footprint product suite. Digital Footprint automatically discovers and maps an organization's entire online attack surface, providing a dynamically updated view of all the web infrastructure owned by the organization, including where all web forms and logins can be found across the web asset inventory, which can inform the selection of covered hosts for JavaScript attack monitoring.

Threat Detection

RiskIQ virtual users closely simulate human Internet users in the ways they interact with web content. They capture everything that a human user sees, as well as what the browser sees happening behind the scenes, in order to provide a 360-degree record of any observed threat activity. For high-value target sites, virtual users will visit a site as often as every couple of hours. Whenever a virtual user crawl completes, RiskIQ analyzes the observed data for malicious or suspicious activity, noting all newly added or changed resources and checking the site for any threat indicators based on either RiskIQ's proprietary malware research or third-party blacklists.

Detection Policy-Types:

  • Malicious 
    • Observed malicious JavaScript injection (ex. Magecart)
    • Blacklist host reputation
  • Suspicious
    • Newly added or changed resource URL or content uses a bare IP address
    • Newly added or changed resource URL or content uses a non-standard / new gTLD
    • Newly added or changed resource URL or content uses a newly registered / observed domain or hostname 
  • SRI
    • Newly added or changed resource hash does not match expected SRI hash
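
An added example, not RiskIQ code or part of the original description, showing how the bare-IP and SRI policy checks above can be applied to resources that are new or changed between two crawls. The resource records, URLs, and function names are constructed for illustration and run under Node.js.

```javascript
// Added illustration, not RiskIQ code. Names and sample data are constructed.
const nodeCrypto = require("node:crypto");
const net = require("node:net");

const ALGS = ["sha256", "sha384", "sha512"]; // SRI algorithms, weakest to strongest

// Digest in the "<alg>-<base64>" form used by the integrity attribute.
function sriDigest(alg, body) {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest("base64")}`;
}

// Browsers compare only against the strongest algorithm listed in the attribute.
function sriMatches(integrity, body) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => t.split("?")[0])                     // drop optional "?options"
    .filter((t) => ALGS.includes(t.split("-")[0]));
  if (tokens.length === 0) return true;              // nothing usable to enforce
  const rank = Math.max(...tokens.map((t) => ALGS.indexOf(t.split("-")[0])));
  return tokens.includes(sriDigest(ALGS[rank], body));
}

// Compare a crawl against the previous one; report only new or changed resources.
function classify(baseline, observed) {
  const findings = [];
  for (const r of observed) {
    const prior = baseline.get(r.url);
    if (prior === sriDigest("sha384", r.body)) continue; // unchanged
    const reasons = [prior === undefined ? "new" : "changed"];
    const host = new URL(r.url).hostname.replace(/^\[|\]$/g, ""); // unwrap IPv6
    if (net.isIP(host) !== 0) reasons.push("suspicious:bare-ip");
    if (r.integrity && !sriMatches(r.integrity, r.body)) reasons.push("sri:mismatch");
    findings.push({ url: r.url, reasons });
  }
  return findings;
}

// Constructed sample: previous crawl's content hashes and the current crawl.
const original = "console.log('widget v1');";
const baseline = new Map([
  ["https://cdn.example.com/widget.js", sriDigest("sha384", original)],
  ["https://static.example.com/app.js", sriDigest("sha384", "app()")],
]);
const observed = [
  { url: "https://static.example.com/app.js", integrity: "", body: "app()" },
  { url: "https://cdn.example.com/widget.js",
    integrity: sriDigest("sha384", original), body: original + "/* altered */" },
  { url: "http://203.0.113.7/c.js", integrity: "", body: "x()" },
];
console.log(JSON.stringify(classify(baseline, observed)));
```

The unchanged resource produces no finding; the altered widget is reported as changed with an SRI mismatch, and the script served from a bare IP address is reported as new and suspicious.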

Full records of virtual user sessions, including screenshots, user agent metadata, the captured document object model of each page, and the preserved sequence of links and redirects, provide the technical basis of RiskIQ's detection capabilities. Layers of analytics are automatically applied on top of these records in order to classify each threat and enrich the data with additional insights to determine the appropriate response.

Alerting & Threat Management Workflow

RiskIQ provides a web interface, email alerts, and API access to clients and their support teams to view and investigate events. Events are designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.

Users can take the following workflow actions via either UI or API: 

  • Confirm: Validate event as a true positive
  • Enforce: Note that action has already been taken to correct the problem
  • Review: Set aside for discussion/review to get feedback and decide on proper response
  • Dismiss: Label event as a false positive
  • Assign: Make a specific user the owner in charge of managing this event
  • Tag: Add a customizable label to an event for searching or reporting
  • Email: Send the details of an event to a specified email address (recipient need not have a RiskIQ user account)
  • Note: Annotate an event with additional context or details

Reporting

RiskIQ provides live dashboards, CSV data exports, and an API and integrations with popular SIEM and other tools to extract and interact with our data. 

Add-Ons

User Journeys

Certain pages, including those that might be critical targets for malicious JavaScript attacks, might only be reachable by following a very specific set of clicks. One example is a checkout page containing a form to input credit card information that can only be accessed after placing an item into the site's shopping cart and proceeding to checkout. Such pages would not normally be accessed via virtual user crawls, as crawls are programmed to be non-invasive and do not typically interact with forms or perform actions such as initiating a transaction. To ensure that hard-to-reach critical pages / pathways are covered for JavaScript Threats, RiskIQ offers configuration of "User Journeys", or customized guided crawl configuration and maintenance, where:

  • RiskIQ will configure crawl infrastructure to follow a specific website path, based on Customer and website specific information, such as dummy/sample customer login, adding products to the shopping cart and/or making a payment using Customer provided (test) credit card details;

  • RiskIQ crawlers will follow this path at least once per day;

  • RiskIQ will work with the Customer to define the specific details of the Journey; and

  • RiskIQ will make up to twelve (12) changes to the initial defined User Journey, based on changes to the website/path during the yearly Subscription Term.

It should be noted that each User Journey is custom configured. If the website or journey changes, the Customer will need to inform RiskIQ of all changes so RiskIQ can implement the same for crawls to continue.