Magecart Protection

Magecart Protection for Your Payment Pages

Magecart skimmers don't touch your servers. Report URI monitors what executes on your payment pages to catch skimming scripts before data leaves the page.


How Magecart Works

How Magecart attacks steal payment data

Magecart is a class of attack that targets payment pages directly in the browser. Attackers inject malicious JavaScript through compromised third-party scripts, skim card data as users type, and exfiltrate it without any server-side indicator.

Inject

Attackers compromise a third-party script — a tag manager, analytics library, or payment widget — and inject malicious JavaScript into your payment pages. Your servers never see it. Your WAF never inspects it.

Skim

The skimmer runs alongside your legitimate scripts and captures card data directly from the DOM as users type. The page looks and behaves normally. Nothing alerts the user or your server-side monitoring.

Exfiltrate

Stolen card data is sent to an attacker-controlled destination. Modern skimmers adapt their exfiltration paths when they detect CSP, serve clean code to crawlers, and persist for weeks or months before discovery.

The entire attack happens in the browser. PCI DSS 4.0.1 Requirements 6.4.3 and 11.6.1 were created specifically in response to Magecart-type attacks. See how Report URI meets those requirements →

What Report URI Does

How Report URI delivers Magecart protection

Four layers of browser-native detection and enforcement. No agents, no injected scripts, no code running on your behalf.

Script Watch

Detect the injection

Continuous monitoring of every script executing on your pages. The moment a new script loads, an existing one is modified, or an unauthorized dependency appears, you know about it. Identify unauthorized script changes before cardholder data is exposed.

Data Watch

Detect the exfiltration

Monitors where your pages are sending data. When a skimmer starts exfiltrating card data to an attacker-controlled destination, it shows up here. Catch data leaving your payment pages before it reaches attacker infrastructure.

Threat Intelligence

Match against known threats

Script Watch tells you something changed. Threat Intelligence tells you whether what changed is known to be malicious. Report URI monitors external and internally generated threat feeds, tracking hostile script sources and active skimming infrastructure. Detect known skimming infrastructure on your pages before a change becomes a breach.

CSP Reporting + Enforcement

Stop it from running

Detection is the floor. CSP enforcement is the ceiling. Once you know what's authorized, you enforce it — blocking unauthorized scripts before they execute. Report URI turns your CSP from a passive header into an active enforcement layer, with a record of every violation your team can review. Move from detecting Magecart to preventing it.

The Gap in Existing Tools

Why your current security stack doesn't catch Magecart attacks

Magecart skimmers execute in the browser. Most security tools don't look there.

WAF

It never sees the skimmer

WAFs inspect traffic between the user and your server. A skimmer that runs in the browser and exfiltrates data directly to a third-party destination never crosses that boundary.

SIEM

There's no server-side event

SIEMs aggregate server-side logs. When the attack happens entirely in the browser, there is no server-side event to log.

Static Inventories

They're a snapshot, not live

Static script inventories record what was approved at a point in time. They don't reflect what's actually executing right now — or whether an approved script has been modified since the last review.

External Scanners

Skimmers hide from crawlers

External scanners crawl your site on a schedule. Sophisticated skimmers detect crawlers and serve clean code. The scanner sees a safe page. Your users see the skimmer.

Some client-side tools monitor your scripts by injecting their own code into your pages — adding a new third-party dependency, the exact category of risk Magecart exploits.

Report URI is browser-native. Nothing runs on your behalf, nothing to compromise, nothing between your users and your site.

No agent. No proxy. No deployment risk.

Live on your payment pages in minutes

Report URI is browser-native. It works through the Reporting API already built into modern browsers. You add a reporting endpoint to your existing CSP header.

HTTP response header
Content-Security-Policy: default-src 'self';
  report-uri https://your-subdomain.report-uri.com/r/d/csp/enforce
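As an added example (not Report URI's own code), this is a minimal triage of the violation reports a browser posts to an endpoint like the one above: it accepts both the legacy report-uri JSON body and the Reporting API batch format, and maps each violation onto the Inject or Exfiltrate stage described earlier, noting whether the policy was enforced or report-only. The sample reports, hostnames, allowlist and stage labels are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample reports with placeholder hostnames: one in the legacy
# report-uri format (Content-Type: application/csp-report) and one batch in
# the Reporting API format (Content-Type: application/reports+json).
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout", "effective-directive": "script-src-elem",
    "blocked-uri": "https://cdn.placeholder-attacker.example/skim.js", "disposition": "enforce"}})
REPORTING_API_BATCH = json.dumps([
    {"type": "csp-violation", "url": "https://shop.example/checkout", "body": {
        "documentURL": "https://shop.example/checkout", "effectiveDirective": "connect-src",
        "blockedURL": "https://collect.placeholder-attacker.example/c", "disposition": "report"}},
    {"type": "csp-violation", "url": "https://shop.example/checkout", "body": {
        "documentURL": "https://shop.example/checkout", "effectiveDirective": "script-src-elem",
        "blockedURL": "https://cdn.payments-vendor.example/widget.js", "disposition": "enforce"}}])

ALLOWED_HOSTS = {"shop.example", "cdn.payments-vendor.example"}  # assumed script allowlist
INJECT_DIRECTIVES = {"script-src", "script-src-elem", "script-src-attr"}
EXFIL_DIRECTIVES = {"connect-src", "form-action"}

def parse_reports(body):
    """Normalise both browser report formats to (page, directive, blocked_uri, disposition)."""
    data = json.loads(body)
    if isinstance(data, dict) and "csp-report" in data:        # legacy format carries one report
        r = data["csp-report"]
        return [(r.get("document-uri", ""), r.get("effective-directive") or r.get("violated-directive", ""),
                 r.get("blocked-uri", ""), r.get("disposition", "enforce"))]
    return [(i["body"].get("documentURL", ""), i["body"].get("effectiveDirective", ""),
             i["body"].get("blockedURL", ""), i["body"].get("disposition", "enforce"))
            for i in data if i.get("type") == "csp-violation"]  # Reporting API delivers a batch

def triage(body, allowed_hosts):
    """Map each violation to the Magecart stage it indicates and whether CSP blocked it."""
    findings = []
    for page, directive, blocked, disposition in parse_reports(body):
        directive = directive.split(" ")[0]                    # older browsers append the source list
        host = urlsplit(blocked).hostname if "://" in blocked else blocked  # keeps 'inline', 'eval'
        if host in allowed_hosts:
            stage = "expected"                                 # a known dependency, not a finding
        elif directive in INJECT_DIRECTIVES:
            stage = "inject"                                   # unauthorised script on the page
        elif directive in EXFIL_DIRECTIVES:
            stage = "exfiltrate"                               # data leaving to an unknown host
        else:
            stage = "other"
        findings.append({"page": page, "stage": stage, "host": host,
                         "blocked": disposition == "enforce"})  # report-only means it ran
    return findings
```

A report-only disposition means the browser let the request through and only told you about it, so an "exfiltrate" finding with blocked=False is the case to page someone on.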

Most client-side security tools add a deployment project, a new dependency, and a new point of failure between your traffic and your users. We don't.

No agent to install

No traffic routed through a third party

No changes to your infrastructure

No impact on site performance

Site functions normally even if Report URI is unavailable

Get Started

Start seeing what's running on your payment pages

One header. No infrastructure changes. See everything before you enforce anything.

30-day free trial  ·  One header  ·  No infrastructure changes  ·  PCI DSS 4.0.1 ready

What it covers. What it doesn't.

Magecart protection: what's covered

Report URI is a client-side security tool that monitors what's executing in the browser, detects script changes and unauthorized data exfiltration, and enforces what's allowed to run. That's what it's built to do.

Report URI covers:
- Script injection detection
- Data exfiltration monitoring
- CSP enforcement and violation logging
- Threat intelligence matching

Doesn't replace:
- Penetration testing
- Secure code review
- WAF or edge security
- Vulnerability remediation

Vendors who promise to do all of it usually inject their own code into your pages — another attack surface. Report URI doesn't. Nothing runs on your behalf, so nothing can break, slow down, or get compromised.

42,000+ domains monitored for client-side activity
12.8M+ verified JavaScript fingerprints analyzed
Real-time detection, sent by the browser the moment it happens

“Report URI has given us the capability to seamlessly build and roll out new Content Security Policies with a high level of confidence. The unopinionated and technology-agnostic nature of Report URI allowed us to integrate it directly and easily into our existing workflows, and to gain instant visibility into CSP reports. With Report URI's Script Watch product, we can meet our obligations under the new PCI DSS v4.0 requirements, in a way that meaningfully helps us monitor and assure the security of key components of the Paddle platform.”

Colin Barr, Head of InfoSec and IT  ·  Paddle