LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How did the British Airways breach demonstrate the danger of third-party JavaScript?

~380,000 cards were skimmed by 22 lines of malicious third-party JavaScript (2018) — a Content Security Policy and Subresource Integrity would have blocked it.

380,000 credit cards stolen with just 22 lines of injected JavaScript (2018).

Attack mechanism:

  • Malicious script captured payment form data on submission
  • Sent copies to attacker's server (baways.com — typosquat domain)
  • Used TLS encryption to blend in with legitimate traffic
  • Didn't disrupt checkout flow — users noticed nothing

Why it worked:

  • Website allowed external JavaScript execution
  • No Content Security Policy (CSP) to restrict script sources
  • No Subresource Integrity (SRI) to verify script contents
  • Payment data processed client-side before submission

Prevention:

  • Strict CSP headers limiting script sources
  • SRI hashes for all external scripts
  • Server-side payment processing (don't expose card data to client JS)

See: OWASP CSP Cheat Sheet

Go deeper:

From Quiz: SPRG / Secure Programming Introduction | Updated: Jul 05, 2026