Let's talk about BEING HACKED! Or, specifically, how this stuff seems to happen.

Firstly, let's define what sort of hack I'm talking about /1
I'm talking about MAGECART! Or, more generally, credit card skimming:

computerworlduk.com/security/magec…

This works as follows:

1. Attacker compromises the site
2. Attacker injects JavaScript into the site
3. JavaScript listens for and sends credit card details to attacker

/2
So, HOW DOES THIS HAPPEN?!

Well, it seems to happen one of two ways:

1. The server gets owned, or
2. The administrative control panel of the application (such as Magento) gets owned

From there, JS insertion is trivial. /3
Now, ONTO THE PROBLEM!

We, as systems administrators, have little or no visibility* into what happens within the browser. So,

1. We get hacked, and,
2. We don't know about it.

So, these hacks can persist for months!

/4

*except this changed recently
HOWEVER! Recently this changed. WE CAN TELL THE BROWSER WHAT'S ACCEPTABLE! We do this by defining a "policy" for the website to follow.

This is called "Content Security Policy" or CSP

/5
CSP allows us to define a bunch of things that our website should do, like:

1. Only accept JavaScript from one domain (default-src, script-src)
2. Only allow in-page connections to a specific set of domains (connect-src)

/6
CSP will prevent the website doing things that we, as web administrators, say "nope this is bad don't do this". It'll even tell us when it's doing it! (via the report-uri)

THIS IS AMAZING! /7
SO LET'S DO IT I hear you say!

Not so fast, road runner.

It turns out, this issue is more problematic than you'd imagine. /8
The problem is, we use new magical JS for *all sorts of things*. Some of my least favourites include:

- Hotjar
- Optimizely
- Email marketing

And other such marketing pieces.

These provide super valuable pieces of data to users who are helping design a website. /9
So, practically, we're in a situation where we're adding and removing random bits of JavaScript anyway?!

How do you know if you do this? If you've got Google Tag Manager, you do this.

This means that if we deploy CSP we'll break all of this tracking stuff. /10
SO, PRACTICAL SOLUTIONS!

CSP allows a "report-only" function, where it doesn't *block* stuff, it just allows you to check if you've got things running on your website you don't know about.

This is simple and safe to deploy. /11
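As an added example (not code from the thread), here is how the report-uri from tweet 7 and the report-only mode from this tweet fit together: a small Python builder for the policy header in enforce or report-only mode, and a triage function for the JSON violation reports a browser POSTs to report-uri, which flags a script load or connection to an origin outside the allowlist as the skimmer pattern. The shop domains, allowlist and sample report are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed allowlist for a hypothetical shop; 'self' is the site's own origin.
SCRIPT_ALLOW = ["'self'", "https://static.example-shop.test"]
CONNECT_ALLOW = ["'self'", "https://api.example-shop.test"]
# Violations of these directives match the skimmer pattern described in the thread:
# an unexpected script runs, or page data is sent to an unexpected host.
SKIMMER_DIRECTIVES = ("script-src", "connect-src")


def build_csp(report_only: bool, report_uri: str = "/csp-report") -> tuple[str, str]:
    """Return (header name, header value).

    Report-only mode uses Content-Security-Policy-Report-Only: the browser still
    reports violations to report-uri but blocks nothing, so it is safe to roll out
    before the allowlist is known to be complete.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(SCRIPT_ALLOW),
        "connect-src " + " ".join(CONNECT_ALLOW),
        f"report-uri {report_uri}",
    ]
    return name, "; ".join(directives)


def triage_report(raw: str, site_origin: str) -> dict:
    """Classify one violation report (the report-uri JSON body) sent by a browser.

    Returns the offending directive, the blocked origin, the page it happened on and a
    severity: 'high' for a script load or connection to an origin not on the allowlist.
    """
    rep = json.loads(raw)["csp-report"]
    # Older browsers put the whole directive ("script-src 'self'") in violated-directive.
    raw_directive = rep.get("effective-directive") or rep.get("violated-directive") or "unknown"
    directive = raw_directive.split()[0]
    blocked = rep.get("blocked-uri", "")
    parsed = urlparse(blocked)
    # Non-URL values such as "inline" or "eval" carry no scheme; keep them verbatim.
    origin = f"{parsed.scheme}://{parsed.netloc}" if parsed.scheme and parsed.netloc else blocked
    allow = SCRIPT_ALLOW if directive == "script-src" else CONNECT_ALLOW if directive == "connect-src" else []
    allowed = origin in allow or (origin == site_origin and "'self'" in allow)
    severity = "high" if directive in SKIMMER_DIRECTIVES and not allowed else "low"
    return {"directive": directive, "origin": origin, "page": rep.get("document-uri", ""), "severity": severity}


# Constructed sample of what a browser would POST to report-uri from the checkout page.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example-shop.test/checkout",
    "effective-directive": "connect-src",
    "violated-directive": "connect-src",
    "blocked-uri": "https://collector.invalid/gate",
    "disposition": "report",
}})
```

Start with `build_csp(report_only=True)` and feed the reports your endpoint collects through `triage_report`; every 'high' result on a checkout page is a script or data flow you did not knowingly deploy.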
Fixing your software delivery! GTM is a bad solution to the problem of needing to make client side changes to a site quickly.

It's a sign that it's too damned hard to get new JS deployed on a site. So, make that easier, or explain why it shouldn't be as easy as GTM.

/12
In summary,

1. Things get hacked all the time, but
2. There are ways to quickly mitigate, detect and resolve these hacks, except
3. They rely on you having your fundamentals sorted out.

Deploy CSP (at least in report-only)

13/13 🎤👇