Frequently Asked Questions

What is Enchanted Security?

Enchanted Security is a virtual content security policy that secures your visitors' browsers while on your website. Adding Enchanted Security's JavaScript to your website protects your visitors against data exfiltration threats which could lead to loss of session tokens, passwords, credit card numbers, and other sensitive information.

How does Enchanted Security know which network requests to block?

The software uses a variety of signals to flag malicious network requests, including a block list of known malware, suspicious memory reads, and anomaly detection. Feature-based machine learning is planned as well. To prevent false positives, newly discovered suspicious events are first analyzed by an analyst-in-the-loop before being marked as malware. To block data exfiltration more quickly, malicious domain names and events matching known signatures can be blocked automatically without an analyst-in-the-loop review.

Why is this better than using a header-based content security policy (CSP)?

Header-based content security policies require reworking much of your existing web app and can take companies up to a year to implement. Further, studies have shown that "99.34% of hosts with CSP use policies" that are not implemented properly, and hence "offer no benefit against XSS".

Browser-based CSPs will only report on network requests that violate the CSP, but provide no insight into network requests that do not violate the CSP. Consequently, if the policy is too weak, the CSP won't allow you to audit the historical requests to see what happened and who was affected. You'd be blissfully unaware that you're missing requests you should be stopping.

Even when a CSP successfully blocks malicious data exfiltration, you still run the risk of violating PCI compliance or disclosing sensitive data in the clear, because the CSP violation report might include the extracted sensitive data (like a credit card number) as part of the blocked request URL.

By contrast, Enchanted Security can be applied in minutes, automagically blocks malicious network traffic in realtime, and provides complete auditability of all requests, not just those blocked. It uses filters to make sure that credit card numbers are never included in its reporting, so even when it blocks malware sending credit card numbers, you won't accidentally violate PCI compliance like you would with CSPs.

With that being said, if you already have a CSP, we recommend keeping it by using both CSP and Enchanted Security together.
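The PCI risk described above comes from the report endpoint logging the blocked request URL as-is. The following is an added example (not Enchanted Security's code) of a defensive report sanitizer that redacts Luhn-valid card numbers from the URL-carrying fields of a standard `csp-report` JSON object before it is stored; the sample report and its hostnames are constructed.

```javascript
// Added example: sanitize a CSP violation report before it is logged, so
// that card numbers carried in the blocked request URL never reach storage.
// Field names follow the standard "csp-report" JSON shape; the sample is constructed.

// Luhn checksum: rejects most digit runs that are not real card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Replace any 13-19 digit run (spaces or dashes allowed) that passes Luhn
// with a marker that keeps only the last four digits for correlation.
function redactCardNumbers(text) {
  return text.replace(/\d(?:[ -]?\d){12,18}/g, (m) => {
    const digits = m.replace(/[ -]/g, "");
    return luhnValid(digits) ? `[REDACTED-PAN-${digits.slice(-4)}]` : m;
  });
}

// Return a copy of the report with attacker-influenced URL fields redacted.
function sanitizeCspReport(report) {
  const r = report["csp-report"] || report;
  const out = { ...r };
  for (const key of ["blocked-uri", "document-uri", "referrer", "script-sample"]) {
    if (typeof out[key] === "string") out[key] = redactCardNumbers(out[key]);
  }
  return out;
}

// Constructed sample: the blocked exfiltration URL carries a Luhn-valid test
// number (4111 1111 1111 1111) and an order id that is not Luhn-valid.
const sampleReport = {
  "csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "connect-src",
    "blocked-uri": "https://collector.example.invalid/x?cc=4111111111111111&order=1234567890123",
  },
};
```

Only the card number is masked; the order id survives because it fails the Luhn check, so the report stays useful for investigation.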

How is a virtual content security policy different from web application firewalls (WAF)?

Web application firewalls protect your web application's servers from malicious requests, for example requests that may contain SQL injection or attempts at buffer overflows. Web application firewalls don't cover any code running in your users' browsers. As virtually all websites today run complex JavaScript on the client, there's a need for client-side protection too.

How could malware get onto my website in the first place, if I control the code served by the website?

You may think that since you write the JavaScript that gets served with your website, there's no need for client-side protection. Unfortunately, there are a variety of attack vectors that are worth considering.

First, cross-site scripting (XSS), one of the OWASP top security vulnerabilities, can allow an attacker to inject JavaScript into unsecured websites. This could come from untrusted data in query parameters, cookies, or user-generated content.

Next, third-party libraries present another security risk. Not all the code served with your website is code written by your company. You likely have many dependencies, like jQuery, React, Bootstrap, or D3, and these libraries have many dependencies of their own. You likely also depend on third-party scripts like ads, Google Analytics, Mixpanel, or Optimizely, which themselves depend on many additional libraries. Finally, the CDNs and GitHub repos that host these libraries are themselves attack vectors.

Insider threats are yet another possibility. There have been cases of employees inserting malicious code into software, outside the company's normal code review controls.

Finally, users themselves use many browser plug-ins which run arbitrary JavaScript on your website. There have been cases where these browser plug-ins have been hacked to steal sensitive data. Even though it may not strictly be your fault, your company's security and reputation may be damaged if passwords or credit card numbers are stolen from users of your website.

Are there cases of companies being hacked that could have been prevented?

Yes, there are many. Here are a few selected cases showing the prevalence and impact of these attacks.

British Airways was fined over $200 million after credit card numbers were stolen from its website by Magecart. (Link)

Macy's reported customer credit card numbers were stolen directly off its website due to malware. (Link)

Ticketmaster says third-party code was at fault for credit card numbers stolen from its website. (Link)

Crypto startup discovers malware in a third-party library stealing secret keys, hacks itself to save users' cryptocurrency. (Link)
