PolyFill Vulnerability is WILD

Recorded live on twitch, GET IN

### Article
By: Sansec Forensics Team

### My Stream

### Best Way To Support Me
Become a backend engineer. It's my favorite site.

This is also the best way to support me: support yourself by becoming a better backend engineer.

MY MAIN YT CHANNEL: Has well-edited engineering videos

Discord

Comments

I'm always shocked that stuff like this isn't wayyy more common with how much of modern software is full of 100s of thousands of lines of code that the software provider didn't even write or likely read.

PledgeBass

Back in the day it was Windows users downloading random executables from the Internet, infecting their PC with malware. Now it's web developers doing the same thing but with other people's machines.

orbik_fin

Prime: I only have node_modules in one thing...
...
Prime: Dude, I have clerk? 7:22
Prime: How did I download "The Internet" by having a "types" package!?

Software Engineering in 2024, step One: Download The Internet

DArea

Prime - “I am baffled, I am shocked that I have never thought about this type of attack.”
The entire security industry - *openly weeps into their 6th finger of bourbon*

diReLoCke

I have demanded for over 15 years that no external resources are linked to any of our sites. I have waited for exactly this kind of attack, or a DNS spoofing attack that could cause the same but not at this scale.

Also, when you link an external js or css, you are using someone else's resources instead of your own, and it isn't right and sometimes not even reliable. Too much traffic and the provider could stop usage depending on the referer of the request.

pukkimi

"We don't want to hire an entry-level developer unless the developer has 5 years of experience". It's an interesting vector. You can get that experience

JoeStuffzAlt

hahahhahaha I break on that part "I have only types definition, how the hell I downloaded the whole Internet" hahahahhahaah

gkiokan

I still remember when the worst we had to worry about was the color.js dude throwing a fit because he wanted to get paid for making a library all the big tech companies used. Now we've got to worry that disgruntled developers aren't giving control up to foreign intelligence services on a multi-year OP, or just straight up selling it to the highest bidder.

Cafuzzler

I'm working on an embedded product to be used in an industrial setting. They want a basic web-based interface. Some of the young engineers wanted to use node + CDNs + all the modern web magic. But I'm old-fashioned and don't trust stuff that's either too large or dynamically downloaded, so I used minified versions of the libraries I needed (bootstrap and jquery), and wrote the server-side CGI in bash scripts. It all turned out to be shockingly simple to do, and completely side-steps the risk shown in this video.

carljacobs

NEVER go to production with code that pulls from a CDN you don't control.

Tony-dprl

12:18 You can use the integrity attribute with a hash on your script tags to ensure that no one can change the code under you. Pairing that with some good CSP headers will go a long way toward protecting your website against various kinds of script injection.

asdfghyter

Having tons of dependencies of unaudited code has been a known security risk all along. I do have dependencies in my projects, but almost all of them have someone curating them, or they are well funded (like React); for the rest of the dependencies I check the code or fork them.

I generally avoid dependencies.

gruntaxeman

FunNull that's some impressive naming right there 😂

hilmar

If I had a nickel for every time a Chinese developer injected their backdoor into open-source projects, I would have five.
Which isn't a lot but it's really weird if you think about it.

FaultyTwo

What do you mean "this could totally just happen!"? The more difficult version of it already happened with the SSH login failure, so of course this too can happen.

johanlarsson

Use checksums to prevent any upstream modifications and set up CSP to load only what you "own".

theaifam

There is a kind of metaphor or analogy in security here, to "Progressive Enhancement" in frontend:
Teams want no dependencies that add security work.
Better to not use the thing that demands more security work unless you have to.
Solving the problems with larger vendor dependencies or only the biggest open source dependencies.
But then how can things grow to become big in the first place?

cyberneticbutterfly

Prime not fully appreciating the github auctions joke 😭

federicoreina

There are two things (among others) you can do as a maintainer of a website to prevent this kind of attack from working: using Subresource Integrity (SRI) and defining a Content Security Policy (CSP), either in HTML or in the HTTP header. Sadly most websites don't use these features and browsers don't require these features to be used. I wish by default scripts wouldn't be loaded until the browser can verify their integrity and external resources wouldn't be loaded until they are defined in the CSP, but sadly this would break the entire web.

snrd

This has been a spam / malware vector for ages. It's what happened to multiple browser addons as well.

ikiris