Slides on Subresource Integrity from the SecTalks Sydney meetup
Tag: javascript
Compromising US Banks with Third-party Code
Online banking services of major US banks can potentially be compromised through third-party services: the banks include JavaScript code served from external sources controlled by someone else. This practice opens up the possibility of stealing online banking passwords, diverting payments or draining bank accounts.
Scanning Websites for SRI Hash Usage with sritest.io
Third-party hosted website assets, such as JavaScript libraries, are vulnerable to tampering. However, a new technique named Subresource Integrity (SRI) is here to protect these external assets: the page states the expected cryptographic hash of the asset, and the browser refuses to run or apply it if the fetched content does not match.
One problem is the slow adoption of SRI, which is why sritest.io was born. The service lets website owners and frontend developers check their sites for SRI hash usage. Sritest.io aims to speed up the widespread adoption of SRI and thus, ultimately, to protect website visitors from malicious code.
Malware Injecting Torrent Mirrors
While ISPs in the UK and other countries are blocking file sharing websites such as The Pirate Bay, movie-lovers have different alternatives to circumvent these restrictions. One popular way to overcome the filtering is using mirrors.
Torrent mirrors are essentially reverse proxies that forward HTTP traffic between the UK and the original sites hosted elsewhere. The data is supposed to be left intact; the only difference should be the address in the URL bar.
This experiment shows, however, that 99.7% of the tested BitTorrent mirrors inject additional JavaScript into the web browsing traffic. A great share of these scripts serve content with malicious intent, such as malware and click-fraud.
WordpreXSS Exploitation
There are many misconceptions around the potential effects of cross-site scripting (XSS). The usual alert(1) pop-up window fails to demonstrate the potential consequences of XSS to non-security people. See a walk-through of exfiltrating data from a WordPress site by exploiting an XSS vulnerability.