Features Review: GoScript and Card Skimmers
Product / Posted August 17, 2021
GoScript is a custom scripting language developed in-house by AppCheck penetration testers to model “user journeys” – multi-step flows through complex web applications – by expressing, in easy-to-grasp code, the series of discrete steps or interactions used to navigate or manipulate a web application. These interactions include text entry, page navigation, mouse clicks and manipulation of page elements within the browser DOM (Document Object Model). The GoScript syntax has been designed to be simple, memorable and easy to learn and use, and you do not need to be a developer to make use of it.
Once written, GoScript can be attached to selected scan configurations within AppCheck, allowing customers to combine the power of automated scanning with a human-like understanding of how to step through complex user journeys and processes such as user registration flows or basket checkouts on e-commerce sites. This modelling of complex and multi-stage user journeys within the application enables the scanner to both access “deep” sections of a web application that could not otherwise be reached, as well as to manipulate complex forms or areas of the application which require specific contextual input and might otherwise be impossible for an automated scan to test.
GoScript is often used to provide guidance to the scanner on how to login via complex authentication systems such as Single Sign On (SSO) processes, thereby granting access to pages and areas of a web application that are screened behind authentication barriers and that otherwise may not be accessible for vulnerability testing.
GoScript can also be used to navigate complex flows involving multiple stages, forms or screens, stepping through them as a user would. One example is the shopping cart journey in an e-commerce application, which can be modelled to include every stage and option available in the payment flow so that the security testing plugins achieve good coverage.
For more information please see:
Criminals often look to obtain payment card details belonging to other people since these can be used for financial gain, either by using the card details directly for purchases or by selling the card details to another party, often in bulk.
A relatively common method of accomplishing this in the physical world is to discreetly attach malicious devices known as card skimmers to hardware such as ATMs or legitimately installed card readers in retail establishments. Victims unaware of the malicious device insert their card into the hardware reader (for example an ATM or PIN Entry Device), and the skimmer intercepts and reads the payment card information from the chip or magnetic stripe as the card passes through.
However, physical card skimmers have several disadvantages for an attacker, not least that they require physical access to the target card reader: once to install the skimmer and, unless it is for example wireless-enabled, a second time to recover it and retrieve the card information it has captured. Each visit increases the chance that the attacker is observed, challenged and caught, and the attack does not scale easily, since every card reader must be compromised individually with a directly attached skimmer device. For these reasons, many criminals have instead switched to stealing card information from online payment portals using virtual rather than physical skimming methods.
As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please get in contact with us: firstname.lastname@example.org