1 00:00:12,719 --> 00:00:17,520 welcome back everyone we hope you had a 2 00:00:14,799 --> 00:00:19,680 great lunch and 3 00:00:17,520 --> 00:00:23,359 got a nap in for some of you for joining 4 00:00:19,680 --> 00:00:26,960 from the more fun time zone crossovers 5 00:00:23,359 --> 00:00:29,279 uh we are joined now by lily uh lily is 6 00:00:26,960 --> 00:00:31,840 a penetration tester digital security 7 00:00:29,279 --> 00:00:34,480 consultant and public speaker who serves 8 00:00:31,840 --> 00:00:36,399 on the board of digital rights watch 9 00:00:34,480 --> 00:00:38,960 lilly specializes in web application 10 00:00:36,399 --> 00:00:41,520 security privacy education and the 11 00:00:38,960 --> 00:00:42,719 history of technology related issues 12 00:00:41,520 --> 00:00:44,559 bringing these topics to an 13 00:00:42,719 --> 00:00:46,960 international audience 14 00:00:44,559 --> 00:00:49,039 she believes in the power of consumer 15 00:00:46,960 --> 00:00:51,280 and tech worker action to help the 16 00:00:49,039 --> 00:00:53,120 technology industry better serve the 17 00:00:51,280 --> 00:00:55,360 people it affects 18 00:00:53,120 --> 00:00:57,280 take it away lily 19 00:00:55,360 --> 00:00:59,359 thank you 20 00:00:57,280 --> 00:01:02,079 and hey everyone i hope you are all 21 00:00:59,359 --> 00:01:04,320 doing well on this fine blurs day thank 22 00:01:02,079 --> 00:01:07,600 you for being here with me 23 00:01:04,320 --> 00:01:09,360 i'm lily i'm a historian and a hacker 24 00:01:07,600 --> 00:01:11,439 and i'm currently a security specialist 25 00:01:09,360 --> 00:01:12,720 at thoughtworks you can follow me on 26 00:01:11,439 --> 00:01:14,560 twitter if you like retweets about 27 00:01:12,720 --> 00:01:17,360 poison or you can email me if that's 28 00:01:14,560 --> 00:01:18,799 more your speed and yeah for the next 20 29 00:01:17,360 --> 00:01:21,840 odd minutes we're going to talk about 30 00:01:18,799 --> 00:01:23,759 javascript and vampires 31 00:01:21,840 --> 00:01:26,640 what's my deal with vampires i hear you 32 00:01:23,759 --> 00:01:29,280 ask vampires are notoriously unable to 33 00:01:26,640 --> 00:01:30,880 enter a house unless they're invited in 34 00:01:29,280 --> 00:01:32,720 and despite your best intentions and 35 00:01:30,880 --> 00:01:34,720 while you might have been told never to 36 00:01:32,720 --> 00:01:36,720 let a vampire in there are plenty of 37 00:01:34,720 --> 00:01:39,200 tricks that vampires can use in order to 38 00:01:36,720 --> 00:01:42,399 let you get them to let it get you to 39 00:01:39,200 --> 00:01:44,799 let them in so disguises please cunning 40 00:01:42,399 --> 00:01:46,799 ploys and when they're in they generally 41 00:01:44,799 --> 00:01:49,280 want to drink your blood which may or 42 00:01:46,799 --> 00:01:50,880 may not be a thing you actually want 43 00:01:49,280 --> 00:01:52,159 in the same way you may sometimes find 44 00:01:50,880 --> 00:01:54,159 that the web application that you've 45 00:01:52,159 --> 00:01:55,840 been building is serving javascript to 46 00:01:54,159 --> 00:01:56,799 your users that you didn't intend to be 47 00:01:55,840 --> 00:01:58,799 there 48 00:01:56,799 --> 00:02:00,560 and what that unexpected code does could 49 00:01:58,799 --> 00:02:02,320 be good or bad 50 00:02:00,560 --> 00:02:04,479 there's plenty of good javascript and 51 00:02:02,320 --> 00:02:06,719 plenty of good vampires 52 00:02:04,479 --> 00:02:08,959 friendly vampires will hang out around 53 00:02:06,719 --> 00:02:11,440 the house and uh 54 00:02:08,959 --> 00:02:13,040 you know do your laundry do your dishes 55 00:02:11,440 --> 00:02:15,280 do the cleaning at night 56 00:02:13,040 --> 00:02:16,959 while everybody else is asleep 57 00:02:15,280 --> 00:02:18,400 friendly javascript is all the stuff 58 00:02:16,959 --> 00:02:20,239 that makes your site work the way that 59 00:02:18,400 --> 00:02:22,000 you want it to it makes your page look 60 00:02:20,239 --> 00:02:24,319 nice allows you to build games inside 61 00:02:22,000 --> 00:02:27,840 your app or see how popular your latest 62 00:02:24,319 --> 00:02:30,080 post is let you chat with other people 63 00:02:27,840 --> 00:02:32,080 but there's also evil javascript and 64 00:02:30,080 --> 00:02:33,680 there are certainly evil vampires in 65 00:02:32,080 --> 00:02:35,440 this case when you find one of these 66 00:02:33,680 --> 00:02:37,920 things inside without warning they can 67 00:02:35,440 --> 00:02:39,440 drain your blood your money your user 68 00:02:37,920 --> 00:02:41,360 base 69 00:02:39,440 --> 00:02:43,280 your processing power sometimes your 70 00:02:41,360 --> 00:02:46,640 entire life 71 00:02:43,280 --> 00:02:48,239 just so we're clear what's at stake here 72 00:02:46,640 --> 00:02:49,680 needless to say most of us want to 73 00:02:48,239 --> 00:02:53,680 ensure that we're only letting in the 74 00:02:49,680 --> 00:02:55,599 good ones and keeping the evil ones away 75 00:02:53,680 --> 00:02:57,680 most javascript will end up being served 76 00:02:55,599 --> 00:02:59,920 from your app in one of three ways it'll 77 00:02:57,680 --> 00:03:02,080 be embedded in the html call from 78 00:02:59,920 --> 00:03:03,680 another file that you're also serving or 79 00:03:02,080 --> 00:03:05,440 called from another file that someone 80 00:03:03,680 --> 00:03:07,200 else is serving 81 00:03:05,440 --> 00:03:08,800 in the security advocacy world we spend 82 00:03:07,200 --> 00:03:10,720 a lot of time educating folks about the 83 00:03:08,800 --> 00:03:12,080 pitfalls of third-party js libraries 84 00:03:10,720 --> 00:03:14,080 that you might be bundling up and 85 00:03:12,080 --> 00:03:15,920 serving yourselves and about how to 86 00:03:14,080 --> 00:03:18,080 sanitize input to prevent cross-site 87 00:03:15,920 --> 00:03:19,519 scripting attacks from your users but 88 00:03:18,080 --> 00:03:21,440 when it comes to the issues thrown by 89 00:03:19,519 --> 00:03:23,200 calling javascript directly from some 90 00:03:21,440 --> 00:03:25,599 other domain entirely we don't pay 91 00:03:23,200 --> 00:03:26,640 nearly as much attention in my opinion 92 00:03:25,599 --> 00:03:28,080 and maybe 93 00:03:26,640 --> 00:03:29,920 you're all over this and you're thinking 94 00:03:28,080 --> 00:03:32,080 yeah lily i know it's just how the 95 00:03:29,920 --> 00:03:33,599 internet works but if that's the case 96 00:03:32,080 --> 00:03:35,519 and you think you don't need this talk 97 00:03:33,599 --> 00:03:37,120 um i don't know perhaps there's someone 98 00:03:35,519 --> 00:03:38,879 on your team or in your professional 99 00:03:37,120 --> 00:03:40,560 life who needs to hear this and who 100 00:03:38,879 --> 00:03:42,319 needs convincing 101 00:03:40,560 --> 00:03:43,840 please stick with me because i'm going 102 00:03:42,319 --> 00:03:45,280 to give you tools information and 103 00:03:43,840 --> 00:03:46,959 arguments that should help make these 104 00:03:45,280 --> 00:03:49,440 conversations with those people a little 105 00:03:46,959 --> 00:03:51,440 bit easier 106 00:03:49,440 --> 00:03:53,439 we see lots of attacks in the wild that 107 00:03:51,440 --> 00:03:55,680 happen as a result of sneaky third-party 108 00:03:53,439 --> 00:03:57,920 js the majority of the popular ones are 109 00:03:55,680 --> 00:04:00,159 done for one of two reasons 110 00:03:57,920 --> 00:04:02,799 mining cryptocurrencies and stealing 111 00:04:00,159 --> 00:04:05,120 credit card details because the bad guys 112 00:04:02,799 --> 00:04:07,120 really have no imaginations like 113 00:04:05,120 --> 00:04:09,280 seriously today's browsers can access 114 00:04:07,120 --> 00:04:11,280 your camera and your microphone and your 115 00:04:09,280 --> 00:04:12,560 screen i'm sharing my screen from my 116 00:04:11,280 --> 00:04:14,879 browser right now with you and this is 117 00:04:12,560 --> 00:04:17,600 how you can see and hear me far worse 118 00:04:14,879 --> 00:04:20,880 things are possible 119 00:04:17,600 --> 00:04:22,880 but no cryptocurrencies 120 00:04:20,880 --> 00:04:24,720 crypto jacking by which i mean using 121 00:04:22,880 --> 00:04:26,800 third-party js libraries to mine 122 00:04:24,720 --> 00:04:28,479 cryptocurrencies and users browsers was 123 00:04:26,800 --> 00:04:30,479 fairly popular up until relatively 124 00:04:28,479 --> 00:04:33,120 recently thanks to services like 125 00:04:30,479 --> 00:04:34,880 coinhive whose whose entire product was 126 00:04:33,120 --> 00:04:36,160 letting you use browser power to mine 127 00:04:34,880 --> 00:04:38,320 monero 128 00:04:36,160 --> 00:04:40,800 it's estimated that the actual amount of 129 00:04:38,320 --> 00:04:42,560 real world money mined by these scripts 130 00:04:40,800 --> 00:04:45,440 i don't know it's in a couple of tens of 131 00:04:42,560 --> 00:04:47,360 dollars i think and in several cases the 132 00:04:45,440 --> 00:04:48,720 attackers actually messed up the attack 133 00:04:47,360 --> 00:04:51,040 and have succeeded in printing the 134 00:04:48,720 --> 00:04:54,080 javascript javascript code directly onto 135 00:04:51,040 --> 00:04:55,600 the page instead of executing it so 136 00:04:54,080 --> 00:04:57,360 that's about the level of cunning we're 137 00:04:55,600 --> 00:04:58,720 dealing with here 138 00:04:57,360 --> 00:05:00,400 it's become less of a problem now 139 00:04:58,720 --> 00:05:02,240 because coinhive went offline a few 140 00:05:00,400 --> 00:05:04,320 months ago and while there are still a 141 00:05:02,240 --> 00:05:06,880 few competitors out there none of them 142 00:05:04,320 --> 00:05:08,639 have the popularity coinhive did 143 00:05:06,880 --> 00:05:10,400 still a bad experience for the users of 144 00:05:08,639 --> 00:05:13,039 those apps though and an overall bad 145 00:05:10,400 --> 00:05:14,800 experience for the planet 146 00:05:13,039 --> 00:05:17,039 mage cart is the attack i've seen the 147 00:05:14,800 --> 00:05:18,639 most often making headlines 148 00:05:17,039 --> 00:05:19,919 it was this attack that was responsible 149 00:05:18,639 --> 00:05:21,680 for the british airways and the 150 00:05:19,919 --> 00:05:23,440 ticketmaster data breaches of credit 151 00:05:21,680 --> 00:05:24,720 card numbers and login details for more 152 00:05:23,440 --> 00:05:28,080 than 153 00:05:24,720 --> 00:05:30,080 400 000 people in 2018 154 00:05:28,080 --> 00:05:32,560 and it cost british airways 20 million 155 00:05:30,080 --> 00:05:34,880 pounds in gdpr fines but it's still 156 00:05:32,560 --> 00:05:36,639 circulating in lots of places 157 00:05:34,880 --> 00:05:39,280 it's a credit card skimming attack in 158 00:05:36,639 --> 00:05:41,120 which attackers modify existing shopping 159 00:05:39,280 --> 00:05:43,600 cart checkout code to process the 160 00:05:41,120 --> 00:05:45,600 payment as usual while also sending off 161 00:05:43,600 --> 00:05:47,600 all the submitted details in a tidy post 162 00:05:45,600 --> 00:05:51,039 request to the attacker's server where 163 00:05:47,600 --> 00:05:52,800 they sell them on to whoever wants them 164 00:05:51,039 --> 00:05:55,919 the reason these attacks are possible is 165 00:05:52,800 --> 00:05:57,680 because of the way the modern web works 166 00:05:55,919 --> 00:05:59,440 now here's a statement calculated to 167 00:05:57,680 --> 00:06:00,720 make a third of you feel really old and 168 00:05:59,440 --> 00:06:02,240 to make another third of you think that 169 00:06:00,720 --> 00:06:03,840 i'm really old 170 00:06:02,240 --> 00:06:06,479 back when i was first messing around 171 00:06:03,840 --> 00:06:08,000 making websites in 2001 when i was about 172 00:06:06,479 --> 00:06:09,520 12 years old 173 00:06:08,000 --> 00:06:11,199 one of the first things i learned was 174 00:06:09,520 --> 00:06:14,080 that the primary sin a web developer 175 00:06:11,199 --> 00:06:16,080 could commit was to hotlink your assets 176 00:06:14,080 --> 00:06:17,759 that is to source a picture or another 177 00:06:16,080 --> 00:06:20,880 resource directly from someone else's 178 00:06:17,759 --> 00:06:22,720 website in your code firstly because it 179 00:06:20,880 --> 00:06:24,400 was like stealing from that other person 180 00:06:22,720 --> 00:06:26,080 and it would cost them a lot of money to 181 00:06:24,400 --> 00:06:28,319 have to keep serving their picture over 182 00:06:26,080 --> 00:06:30,080 and over to your users 183 00:06:28,319 --> 00:06:32,240 and secondly because if that person 184 00:06:30,080 --> 00:06:33,840 figured out what you were doing they had 185 00:06:32,240 --> 00:06:35,120 the power to change that picture to a 186 00:06:33,840 --> 00:06:37,840 different picture that said this 187 00:06:35,120 --> 00:06:40,400 webmaster is a stinky butt head and then 188 00:06:37,840 --> 00:06:44,080 that's what all your users would see 189 00:06:40,400 --> 00:06:45,680 so if you flash forward uh god 20 years 190 00:06:44,080 --> 00:06:48,080 we have evolved to the practice of 191 00:06:45,680 --> 00:06:50,800 extreme hotlinking otherwise known as 192 00:06:48,080 --> 00:06:53,440 content delivery networks or cdns 193 00:06:50,800 --> 00:06:55,199 a major point of cdns is to host stuff 194 00:06:53,440 --> 00:06:56,560 so that you don't have to and being 195 00:06:55,199 --> 00:06:57,840 really really good at serving things to 196 00:06:56,560 --> 00:06:59,759 you fast 197 00:06:57,840 --> 00:07:01,599 but it's still hot linking it's still 198 00:06:59,759 --> 00:07:03,360 asking your website to fetch things from 199 00:07:01,599 --> 00:07:05,280 someone else's and trust that they are 200 00:07:03,360 --> 00:07:07,280 what they say they're going to be 201 00:07:05,280 --> 00:07:09,280 most of the time this tends to work out 202 00:07:07,280 --> 00:07:10,560 unless the cdn service themselves 203 00:07:09,280 --> 00:07:12,479 decides that they don't like the thing 204 00:07:10,560 --> 00:07:14,160 you're doing or because they get 205 00:07:12,479 --> 00:07:17,280 compromised or because they were never 206 00:07:14,160 --> 00:07:19,280 trustworthy to start with 207 00:07:17,280 --> 00:07:23,360 scott helm puts it pretty well in my 208 00:07:19,280 --> 00:07:24,960 opinion using a cdn is consensual xss 209 00:07:23,360 --> 00:07:26,800 and we're trusting the cdn not to do 210 00:07:24,960 --> 00:07:29,840 anything untoward 211 00:07:26,800 --> 00:07:31,759 we put lots of trust into these things 212 00:07:29,840 --> 00:07:34,479 how thoroughly do most of us evaluate 213 00:07:31,759 --> 00:07:34,479 what we're using 214 00:07:34,560 --> 00:07:38,080 there are lots of cdns 215 00:07:36,560 --> 00:07:40,000 that will work directly with you to 216 00:07:38,080 --> 00:07:41,599 supply the assets you provide them to 217 00:07:40,000 --> 00:07:43,440 your users around the world but there 218 00:07:41,599 --> 00:07:45,120 are also lots of other third-party 219 00:07:43,440 --> 00:07:48,000 services often built on the backs of 220 00:07:45,120 --> 00:07:50,240 those cdns that act as public javascript 221 00:07:48,000 --> 00:07:52,319 repositories that will serve any version 222 00:07:50,240 --> 00:07:54,800 of any javascript library or anything 223 00:07:52,319 --> 00:07:57,199 else in anyone's github repo or npm 224 00:07:54,800 --> 00:07:58,479 package directly to your site as 225 00:07:57,199 --> 00:08:00,960 executable code 226 00:07:58,479 --> 00:08:02,720 all you have to do is source their url 227 00:08:00,960 --> 00:08:04,800 in your html 228 00:08:02,720 --> 00:08:07,280 i'm talking about services like js 229 00:08:04,800 --> 00:08:08,800 deliver and unpackage and raw git many 230 00:08:07,280 --> 00:08:10,400 of these sites are run by passionate 231 00:08:08,800 --> 00:08:11,919 members of the community who want to 232 00:08:10,400 --> 00:08:14,720 give other developers like them the 233 00:08:11,919 --> 00:08:16,479 tools they need to make great stuff 234 00:08:14,720 --> 00:08:19,280 but a lot of these services are run by 235 00:08:16,479 --> 00:08:21,599 like one person or very small teams who 236 00:08:19,280 --> 00:08:23,520 cannot possibly keep up with every 237 00:08:21,599 --> 00:08:25,120 single script that people use their 238 00:08:23,520 --> 00:08:27,280 service to share 239 00:08:25,120 --> 00:08:29,120 this presents security issues not just 240 00:08:27,280 --> 00:08:32,000 in terms of file integrity which we'll 241 00:08:29,120 --> 00:08:33,760 get to in a second but with availability 242 00:08:32,000 --> 00:08:35,680 if you're relying on one person to keep 243 00:08:33,760 --> 00:08:37,919 the site up and renew the domain your 244 00:08:35,680 --> 00:08:41,279 website trusts to serve it with code 245 00:08:37,919 --> 00:08:42,959 that's a hell of a buzz factor 246 00:08:41,279 --> 00:08:45,760 let's look at githack one of these 247 00:08:42,959 --> 00:08:47,600 third-party cdn services the site's aim 248 00:08:45,760 --> 00:08:49,519 is stated right at the top 249 00:08:47,600 --> 00:08:52,160 raw.githat.com 250 00:08:49,519 --> 00:08:54,000 serves raw files directly from various 251 00:08:52,160 --> 00:08:55,920 source code hosting services with proper 252 00:08:54,000 --> 00:08:58,000 content type headers 253 00:08:55,920 --> 00:09:00,000 it's true that sites like github will 254 00:08:58,000 --> 00:09:02,480 serve javascript files with content type 255 00:09:00,000 --> 00:09:04,320 headers that are of type text plain 256 00:09:02,480 --> 00:09:06,480 so that you can't directly reference 257 00:09:04,320 --> 00:09:08,000 someone's raw file in your own site 258 00:09:06,480 --> 00:09:10,000 because the browser won't treat that 259 00:09:08,000 --> 00:09:12,560 file as executable 260 00:09:10,000 --> 00:09:14,800 github does this for a couple of reasons 261 00:09:12,560 --> 00:09:16,320 one of which is because they themselves 262 00:09:14,800 --> 00:09:17,760 aren't a cdn 263 00:09:16,320 --> 00:09:20,160 but i'd also guess it's because they 264 00:09:17,760 --> 00:09:21,920 cannot be liable for actually running 265 00:09:20,160 --> 00:09:23,920 whatever random code any one of their 266 00:09:21,920 --> 00:09:25,279 millions of users decides to push at any 267 00:09:23,920 --> 00:09:26,800 one moment 268 00:09:25,279 --> 00:09:28,560 so if you go and reference this file 269 00:09:26,800 --> 00:09:30,160 straight from someone's repo 270 00:09:28,560 --> 00:09:31,680 you're saving a bit of time in uploading 271 00:09:30,160 --> 00:09:33,440 and serving that file yourself but 272 00:09:31,680 --> 00:09:34,720 you're also trusting that the 273 00:09:33,440 --> 00:09:36,880 functionality of the code won't 274 00:09:34,720 --> 00:09:38,000 substantially change and also that that 275 00:09:36,880 --> 00:09:39,519 developer 276 00:09:38,000 --> 00:09:41,360 or the group of developers with commit 277 00:09:39,519 --> 00:09:43,519 access to that repo have all turned on 278 00:09:41,360 --> 00:09:45,519 mfa and don't reuse the same password 279 00:09:43,519 --> 00:09:47,360 across all their accounts and that they 280 00:09:45,519 --> 00:09:49,440 themselves aren't intending to do 281 00:09:47,360 --> 00:09:52,080 anything malicious 282 00:09:49,440 --> 00:09:53,839 that is a lot of trust to defer 283 00:09:52,080 --> 00:09:55,680 then you're also deferring trust to the 284 00:09:53,839 --> 00:09:58,240 person who cased that version of the 285 00:09:55,680 --> 00:10:00,480 file to the cdn in the first place 286 00:09:58,240 --> 00:10:02,800 git hack has a bit of feature that lets 287 00:10:00,480 --> 00:10:05,040 anyone purge at purge 288 00:10:02,800 --> 00:10:06,640 cased versions whenever they want so an 289 00:10:05,040 --> 00:10:08,480 attacker could come along and make sure 290 00:10:06,640 --> 00:10:12,079 that their malicious edit to the code 291 00:10:08,480 --> 00:10:14,560 ended up being the one that was cashed 292 00:10:12,079 --> 00:10:16,480 rawgit a third-party cdn service that 293 00:10:14,560 --> 00:10:19,040 githack seems to have been based on was 294 00:10:16,480 --> 00:10:21,279 actually officially sunset in 2018 295 00:10:19,040 --> 00:10:22,880 precisely because people were using the 296 00:10:21,279 --> 00:10:24,800 service to poison the cache with 297 00:10:22,880 --> 00:10:26,640 cryptojacking scripts and the single 298 00:10:24,800 --> 00:10:29,360 person who was running the service 299 00:10:26,640 --> 00:10:30,880 couldn't keep up with it anymore 300 00:10:29,360 --> 00:10:32,880 despite it having been in the state for 301 00:10:30,880 --> 00:10:35,040 about three years now i have still seen 302 00:10:32,880 --> 00:10:37,279 raw get used by sites as recently as 303 00:10:35,040 --> 00:10:40,560 several months ago which is a sort of 304 00:10:37,279 --> 00:10:40,560 damocles if i ever saw one 305 00:10:40,720 --> 00:10:45,680 apart from developer libraries and cdns 306 00:10:44,000 --> 00:10:48,240 the other reason that third-party 307 00:10:45,680 --> 00:10:49,839 javascript ends up in apps is most often 308 00:10:48,240 --> 00:10:50,880 because of advertising and marketing 309 00:10:49,839 --> 00:10:52,880 tooling 310 00:10:50,880 --> 00:10:55,040 i'm talking about google tag manager 311 00:10:52,880 --> 00:10:57,519 analytics tools advertising network 312 00:10:55,040 --> 00:10:59,040 panels to make back a bit of money 313 00:10:57,519 --> 00:11:00,800 and while i'm the first to admit that i 314 00:10:59,040 --> 00:11:02,720 know nothing about marketing there are 315 00:11:00,800 --> 00:11:04,560 plenty of reasons why people use these 316 00:11:02,720 --> 00:11:05,839 tools that aren't just about vanity 317 00:11:04,560 --> 00:11:07,360 graphs 318 00:11:05,839 --> 00:11:09,200 the main reason with this type of tool 319 00:11:07,360 --> 00:11:11,360 and why i'm calling it out specifically 320 00:11:09,200 --> 00:11:13,600 is because these kinds of things often 321 00:11:11,360 --> 00:11:14,720 get added outside of the usual developer 322 00:11:13,600 --> 00:11:16,560 pipeline 323 00:11:14,720 --> 00:11:18,160 google tag manager is literally code 324 00:11:16,560 --> 00:11:19,760 injection as a service and it can mean 325 00:11:18,160 --> 00:11:22,320 that marketers are able to update those 326 00:11:19,760 --> 00:11:24,560 code snippets directly onto the site 327 00:11:22,320 --> 00:11:26,560 and those snippets often then call on 328 00:11:24,560 --> 00:11:27,760 fourth party js and then it's kind of a 329 00:11:26,560 --> 00:11:29,040 free-for-all 330 00:11:27,760 --> 00:11:30,800 this is also the kind of place where 331 00:11:29,040 --> 00:11:33,279 mage card attacks are especially 332 00:11:30,800 --> 00:11:33,279 effective 333 00:11:33,680 --> 00:11:38,160 this is why it's really important that 334 00:11:35,600 --> 00:11:39,920 you know how to spot your vampires 335 00:11:38,160 --> 00:11:42,000 as a developer you might think you know 336 00:11:39,920 --> 00:11:44,079 what code is ending up in the html that 337 00:11:42,000 --> 00:11:46,959 ends up getting served to your users 338 00:11:44,079 --> 00:11:48,800 but you may end up being surprised 339 00:11:46,959 --> 00:11:50,480 i know that supply chain problems are 340 00:11:48,800 --> 00:11:51,920 really hard to fix and at some point we 341 00:11:50,480 --> 00:11:54,560 really do have to make decisions about 342 00:11:51,920 --> 00:11:56,720 who to trust or nobody would ever build 343 00:11:54,560 --> 00:11:59,360 anything ever because the overhead would 344 00:11:56,720 --> 00:12:01,360 just be way too difficult to manage 345 00:11:59,360 --> 00:12:03,040 but in most cases we can control the 346 00:12:01,360 --> 00:12:04,560 sources of the code that will end up in 347 00:12:03,040 --> 00:12:06,480 front of our users 348 00:12:04,560 --> 00:12:07,760 this is low hanging fruit and we should 349 00:12:06,480 --> 00:12:09,200 pick it 350 00:12:07,760 --> 00:12:11,839 so in brief 351 00:12:09,200 --> 00:12:14,240 here is how you spot a vampire 352 00:12:11,839 --> 00:12:16,000 look from the outside in 353 00:12:14,240 --> 00:12:17,279 as a pen tester this is what i do all 354 00:12:16,000 --> 00:12:19,120 the time 355 00:12:17,279 --> 00:12:21,040 we often don't have access to the source 356 00:12:19,120 --> 00:12:22,720 code we see the app the way that a user 357 00:12:21,040 --> 00:12:24,639 will see it and work backwards from 358 00:12:22,720 --> 00:12:27,040 there whereas most developers will see 359 00:12:24,639 --> 00:12:28,639 their site from the inside out knowing 360 00:12:27,040 --> 00:12:31,279 how they've built it up and what checks 361 00:12:28,639 --> 00:12:33,200 exist along the way 362 00:12:31,279 --> 00:12:35,040 i suggest it might be educational to 363 00:12:33,200 --> 00:12:37,600 take a closer look at your app and the 364 00:12:35,040 --> 00:12:39,600 way it's presented to your users 365 00:12:37,600 --> 00:12:41,440 use a proxy capture the outgoing 366 00:12:39,600 --> 00:12:43,360 requests when the page loads and see 367 00:12:41,440 --> 00:12:46,560 exactly where you're asking your users 368 00:12:43,360 --> 00:12:48,160 browsers to go when they visit you 369 00:12:46,560 --> 00:12:49,920 is everything you're seeing there 370 00:12:48,160 --> 00:12:51,279 subject to the dependency checkers and 371 00:12:49,920 --> 00:12:53,360 volume scanners that i know you've got 372 00:12:51,279 --> 00:12:55,920 built into your pipelines or is there 373 00:12:53,360 --> 00:12:57,519 stuff there that surprises you 374 00:12:55,920 --> 00:12:59,040 i know that i only really became aware 375 00:12:57,519 --> 00:13:01,760 of this problem when i stopped being a 376 00:12:59,040 --> 00:13:03,600 developer and started being a pen tester 377 00:13:01,760 --> 00:13:05,680 and you might have laughed before about 378 00:13:03,600 --> 00:13:07,440 things like git hack and raw git but i'm 379 00:13:05,680 --> 00:13:09,120 talking about them today because i still 380 00:13:07,440 --> 00:13:11,920 see them get used in live production 381 00:13:09,120 --> 00:13:13,440 websites even now all the time mixed in 382 00:13:11,920 --> 00:13:16,320 with other libraries that people are 383 00:13:13,440 --> 00:13:18,880 serving themselves 384 00:13:16,320 --> 00:13:20,959 so when you've seen what you're serving 385 00:13:18,880 --> 00:13:23,200 you face the unenviable task of working 386 00:13:20,959 --> 00:13:24,480 out what to do about it next 387 00:13:23,200 --> 00:13:25,360 don't worry i'm here to help you with 388 00:13:24,480 --> 00:13:26,720 that 389 00:13:25,360 --> 00:13:29,120 the first part is the technical 390 00:13:26,720 --> 00:13:31,920 solutions of which i'm pleased to inform 391 00:13:29,120 --> 00:13:33,440 you that there are plenty 392 00:13:31,920 --> 00:13:34,959 i only have like 393 00:13:33,440 --> 00:13:36,800 what 30 minutes 394 00:13:34,959 --> 00:13:39,040 which is not enough time to explain any 395 00:13:36,800 --> 00:13:40,560 one of these things in great depth but i 396 00:13:39,040 --> 00:13:42,720 want to touch on them so that you can 397 00:13:40,560 --> 00:13:45,279 refer back to this later and dig into 398 00:13:42,720 --> 00:13:46,720 these if you need any of them this is 399 00:13:45,279 --> 00:13:47,680 the slide 400 00:13:46,720 --> 00:13:49,440 probably the one you'll want to 401 00:13:47,680 --> 00:13:51,360 screenshot and go research later if you 402 00:13:49,440 --> 00:13:52,639 need to dig into any of these terms in 403 00:13:51,360 --> 00:13:54,399 more depth 404 00:13:52,639 --> 00:13:56,079 there are plenty of mechanisms to put in 405 00:13:54,399 --> 00:13:57,360 place at the web app and browser level 406 00:13:56,079 --> 00:13:58,959 that will help ensure that you're only 407 00:13:57,360 --> 00:14:00,639 loading the javascript that you intend 408 00:13:58,959 --> 00:14:02,079 to load 409 00:14:00,639 --> 00:14:03,199 i'd recommend going through and reading 410 00:14:02,079 --> 00:14:05,600 about all of these if you don't 411 00:14:03,199 --> 00:14:07,199 recognize any of them but prioritize 412 00:14:05,600 --> 00:14:09,199 learning about sub-resource integrity 413 00:14:07,199 --> 00:14:10,639 and the content security policy most of 414 00:14:09,199 --> 00:14:12,800 all because they're the ones that are 415 00:14:10,639 --> 00:14:15,360 most adept at saving you 416 00:14:12,800 --> 00:14:17,040 in brief sub-resource integrity is a 417 00:14:15,360 --> 00:14:18,800 mechanism for checking hashes of the 418 00:14:17,040 --> 00:14:21,120 files you're loading to ensure that they 419 00:14:18,800 --> 00:14:22,959 are precisely the things you intend to 420 00:14:21,120 --> 00:14:24,240 load and then blocking them if they're 421 00:14:22,959 --> 00:14:26,000 not 422 00:14:24,240 --> 00:14:27,680 the content security policy does a lot 423 00:14:26,000 --> 00:14:30,240 of other stuff that isn't just about 424 00:14:27,680 --> 00:14:32,560 third party js but it lets you define a 425 00:14:30,240 --> 00:14:34,240 list of domains and subdomains from 426 00:14:32,560 --> 00:14:35,440 which your site will accept assets 427 00:14:34,240 --> 00:14:37,120 loading 428 00:14:35,440 --> 00:14:38,959 it can be handy if you've already pruned 429 00:14:37,120 --> 00:14:41,600 out sources that you don't trust or you 430 00:14:38,959 --> 00:14:43,600 can't trust and i would recommend also 431 00:14:41,600 --> 00:14:46,720 not allowing things to load from stuff 432 00:14:43,600 --> 00:14:48,480 like wildcard aws s3 because 433 00:14:46,720 --> 00:14:49,519 literally anyone can host things in that 434 00:14:48,480 --> 00:14:53,040 domain 435 00:14:49,519 --> 00:14:53,040 be as specific as you can 436 00:14:53,680 --> 00:14:58,399 the real solution here like so many 437 00:14:55,680 --> 00:15:00,880 things with tech is people based 438 00:14:58,399 --> 00:15:03,120 to stop the vampires from getting in 439 00:15:00,880 --> 00:15:05,360 you are going to have to talk to people 440 00:15:03,120 --> 00:15:07,760 and come up with a systemic vampire 441 00:15:05,360 --> 00:15:09,519 management plan 442 00:15:07,760 --> 00:15:11,839 this is the place to make your case for 443 00:15:09,519 --> 00:15:14,079 doing js right 444 00:15:11,839 --> 00:15:15,680 talk about the worst case you can use 445 00:15:14,079 --> 00:15:18,160 the notable attacks that i highlighted 446 00:15:15,680 --> 00:15:19,839 earlier if you like or just google mage 447 00:15:18,160 --> 00:15:21,279 cart because there's stuff happening all 448 00:15:19,839 --> 00:15:22,959 the time 449 00:15:21,279 --> 00:15:24,800 talk about the user experience you're 450 00:15:22,959 --> 00:15:26,160 presenting to your customers 451 00:15:24,800 --> 00:15:28,079 if you can't guarantee that the 452 00:15:26,160 --> 00:15:30,800 javascript that you're calling on 453 00:15:28,079 --> 00:15:33,040 is the thing that you intend it to be 454 00:15:30,800 --> 00:15:34,800 and most importantly 455 00:15:33,040 --> 00:15:36,560 work with your like-minded colleagues to 456 00:15:34,800 --> 00:15:38,079 come up with a strategic approach for 457 00:15:36,560 --> 00:15:40,240 tackling this because in lots of 458 00:15:38,079 --> 00:15:41,360 established businesses it can be a 459 00:15:40,240 --> 00:15:42,639 really 460 00:15:41,360 --> 00:15:45,040 really 461 00:15:42,639 --> 00:15:47,680 really hard case to make to anyone whose 462 00:15:45,040 --> 00:15:50,720 sole concern is not security 463 00:15:47,680 --> 00:15:50,720 which is most people 464 00:15:51,440 --> 00:15:56,639 in our ideal amazing golden utopia state 465 00:15:54,800 --> 00:15:58,800 we'd select each one of our vampire 466 00:15:56,639 --> 00:16:01,279 guests with incredible care 467 00:15:58,800 --> 00:16:03,519 that is to say we would use only the 468 00:16:01,279 --> 00:16:05,440 specific javascript that we needed we'd 469 00:16:03,519 --> 00:16:07,360 host it ourselves we'd have a lovely 470 00:16:05,440 --> 00:16:09,920 maintained register of all the stuff we 471 00:16:07,360 --> 00:16:11,839 were using and all the dependencies we'd 472 00:16:09,920 --> 00:16:13,279 automate our updates and our patches 473 00:16:11,839 --> 00:16:15,360 nothing at all would happen outside of 474 00:16:13,279 --> 00:16:17,360 the normal developer flow and we'd all 475 00:16:15,360 --> 00:16:19,199 live happily ever after 476 00:16:17,360 --> 00:16:20,800 but we know that real life isn't like 477 00:16:19,199 --> 00:16:23,519 that and it's not always going to happen 478 00:16:20,800 --> 00:16:25,120 that easily so once you've done you're 479 00:16:23,519 --> 00:16:26,800 looking from the outside in that we were 480 00:16:25,120 --> 00:16:29,040 talking about earlier and track down 481 00:16:26,800 --> 00:16:31,440 what kinds of javascript your web app is 482 00:16:29,040 --> 00:16:34,240 actually serving to people start looking 483 00:16:31,440 --> 00:16:37,199 for your short medium and long term 484 00:16:34,240 --> 00:16:38,800 plans for getting to that ideal state 485 00:16:37,199 --> 00:16:40,240 this is going to vary depending on the 486 00:16:38,800 --> 00:16:42,800 challenges that you face at your 487 00:16:40,240 --> 00:16:44,240 specific workplace so please adjust 488 00:16:42,800 --> 00:16:46,160 these to suit you 489 00:16:44,240 --> 00:16:48,720 you might never get to that ideal state 490 00:16:46,160 --> 00:16:51,040 and that's okay you're just one person 491 00:16:48,720 --> 00:16:54,560 we can't win all the fights but see 492 00:16:51,040 --> 00:16:54,560 what's within your ability to control 493 00:16:54,639 --> 00:16:58,320 so without caveat here are my 494 00:16:56,160 --> 00:17:00,880 suggestions 495 00:16:58,320 --> 00:17:02,800 in the short term find out exactly where 496 00:17:00,880 --> 00:17:05,600 all of that outside in javascript is 497 00:17:02,800 --> 00:17:07,520 coming from do you recognize it all is 498 00:17:05,600 --> 00:17:09,919 it all covered off in your usual 499 00:17:07,520 --> 00:17:12,640 deployment process or is there stuff 500 00:17:09,919 --> 00:17:15,439 being added in that you weren't aware of 501 00:17:12,640 --> 00:17:17,199 if so go and find out who added it where 502 00:17:15,439 --> 00:17:19,919 they fit into the thing and what their 503 00:17:17,199 --> 00:17:21,600 actual use cases are 504 00:17:19,919 --> 00:17:24,160 empathizing with these folks is going to 505 00:17:21,600 --> 00:17:25,919 be really important too they are just 506 00:17:24,160 --> 00:17:27,520 doing their best at their jobs and they 507 00:17:25,919 --> 00:17:29,039 may not have realized what risks they're 508 00:17:27,520 --> 00:17:31,120 really introducing 509 00:17:29,039 --> 00:17:32,480 do your best to understand what they're 510 00:17:31,120 --> 00:17:34,000 trying to achieve 511 00:17:32,480 --> 00:17:36,799 and if there's a more secure way you can 512 00:17:34,000 --> 00:17:36,799 help them achieve it 513 00:17:36,880 --> 00:17:41,520 does this mean for example that uh 514 00:17:39,520 --> 00:17:43,360 developers and marketers should pair on 515 00:17:41,520 --> 00:17:44,720 google tag manager work 516 00:17:43,360 --> 00:17:46,960 does this mean that we need to start 517 00:17:44,720 --> 00:17:48,799 looking at whether we can host more of 518 00:17:46,960 --> 00:17:50,320 our own stuff 519 00:17:48,799 --> 00:17:53,200 this is the period of time where you 520 00:17:50,320 --> 00:17:54,640 should start trying to get folks on side 521 00:17:53,200 --> 00:17:57,600 tldr 522 00:17:54,640 --> 00:17:57,600 don't be a jerk 523 00:17:58,400 --> 00:18:01,840 medium term 524 00:17:59,760 --> 00:18:03,919 trial some of these process changes and 525 00:18:01,840 --> 00:18:05,520 adjust them where needed 526 00:18:03,919 --> 00:18:07,600 this is also a good time to start 527 00:18:05,520 --> 00:18:09,600 working on how to roll out some of these 528 00:18:07,600 --> 00:18:11,760 basic technical controls i mentioned 529 00:18:09,600 --> 00:18:13,520 earlier although i know that content 530 00:18:11,760 --> 00:18:15,600 security policy implementations in 531 00:18:13,520 --> 00:18:18,320 particular can be a real pain in the 532 00:18:15,600 --> 00:18:20,640 butt which is why i say start working on 533 00:18:18,320 --> 00:18:22,400 and not roll it out 534 00:18:20,640 --> 00:18:24,640 by now you should also have a clear list 535 00:18:22,400 --> 00:18:26,720 of what you're serving to people and at 536 00:18:24,640 --> 00:18:28,559 least be monitoring that for any changes 537 00:18:26,720 --> 00:18:31,039 and incorporating as much of it as you 538 00:18:28,559 --> 00:18:32,559 can into your usual pipeline 539 00:18:31,039 --> 00:18:34,480 this is also the point to start 540 00:18:32,559 --> 00:18:36,080 assessing the cdns that you're using and 541 00:18:34,480 --> 00:18:39,200 asking yourself questions about their 542 00:18:36,080 --> 00:18:41,120 security practices their reliability and 543 00:18:39,200 --> 00:18:42,559 all of that kind of stuff 544 00:18:41,120 --> 00:18:44,559 are there any that you see that you're 545 00:18:42,559 --> 00:18:47,120 serving that you could pair back 546 00:18:44,559 --> 00:18:48,960 or can you at least use one source if 547 00:18:47,120 --> 00:18:50,400 you're using multiple ones 548 00:18:48,960 --> 00:18:52,960 see what works for you see what's 549 00:18:50,400 --> 00:18:52,960 practical 550 00:18:53,600 --> 00:18:57,360 in the long term you want to work 551 00:18:55,600 --> 00:18:59,440 towards getting everything using sub 552 00:18:57,360 --> 00:19:01,520 resource integrity at a minimum and 553 00:18:59,440 --> 00:19:03,200 content security policies if you can 554 00:19:01,520 --> 00:19:05,120 manage that 555 00:19:03,200 --> 00:19:06,480 hosting this stuff yourself is ideal 556 00:19:05,120 --> 00:19:08,400 from the perspective of being able to 557 00:19:06,480 --> 00:19:10,640 strictly control the domains from which 558 00:19:08,400 --> 00:19:12,160 you will accept javascript tightly 559 00:19:10,640 --> 00:19:14,320 maintaining a list of third-party 560 00:19:12,160 --> 00:19:16,080 sources and evaluating new ones as you 561 00:19:14,320 --> 00:19:18,160 go will also help to ensure that things 562 00:19:16,080 --> 00:19:19,919 just can't get pushed out to the site 563 00:19:18,160 --> 00:19:22,400 willy-nilly 564 00:19:19,919 --> 00:19:24,559 by this stage you should hopefully have 565 00:19:22,400 --> 00:19:26,640 as much as possible under the one 566 00:19:24,559 --> 00:19:28,320 umbrella developers and marketers 567 00:19:26,640 --> 00:19:30,640 working together to ensure that the 568 00:19:28,320 --> 00:19:33,120 scripts that are being deployed are all 569 00:19:30,640 --> 00:19:34,480 serving useful purposes and coming from 570 00:19:33,120 --> 00:19:36,400 suppliers that can make reputable 571 00:19:34,480 --> 00:19:38,799 guarantees about their own security and 572 00:19:36,400 --> 00:19:40,320 you will ride off into the sunset and be 573 00:19:38,799 --> 00:19:41,679 very happy 574 00:19:40,320 --> 00:19:44,160 and once you've done all this you will 575 00:19:41,679 --> 00:19:47,120 be totally one thousand percent 576 00:19:44,160 --> 00:19:48,320 unhackable and safe from all vampires 577 00:19:47,120 --> 00:19:50,160 forever 578 00:19:48,320 --> 00:19:51,600 the end 579 00:19:50,160 --> 00:19:52,880 okay no you won't 580 00:19:51,600 --> 00:19:55,520 there are still lots of other things you 581 00:19:52,880 --> 00:19:57,840 need to keep an eye out for and security 582 00:19:55,520 --> 00:19:59,760 issues never end 583 00:19:57,840 --> 00:20:01,679 the security issues involved with using 584 00:19:59,760 --> 00:20:04,159 third-party javascript 585 00:20:01,679 --> 00:20:06,240 are one of a really small facet of the 586 00:20:04,159 --> 00:20:09,039 larger issues that can occur with making 587 00:20:06,240 --> 00:20:11,360 companies talk or making computers sorry 588 00:20:09,039 --> 00:20:13,039 talk to other computers and for better 589 00:20:11,360 --> 00:20:16,000 or worse we're all in this never-ending 590 00:20:13,039 --> 00:20:18,880 game of cat and mouse forever 591 00:20:16,000 --> 00:20:20,640 all we can do is our best and keep on 592 00:20:18,880 --> 00:20:23,360 top of the risks that we're exposing to 593 00:20:20,640 --> 00:20:25,840 ourselves and to our users in the course 594 00:20:23,360 --> 00:20:25,840 of our work 595 00:20:26,320 --> 00:20:29,840 i will be putting up a list of resources 596 00:20:28,000 --> 00:20:31,600 on my website if you want to refer to 597 00:20:29,840 --> 00:20:32,880 any of this or dig into a lot of the 598 00:20:31,600 --> 00:20:35,280 sources that i looked at while 599 00:20:32,880 --> 00:20:37,120 researching this talk later on um i 600 00:20:35,280 --> 00:20:39,440 haven't put it up yet as of the time of 601 00:20:37,120 --> 00:20:41,919 me speaking but that will be happening 602 00:20:39,440 --> 00:20:43,840 very soon 603 00:20:41,919 --> 00:20:46,240 and that's it i wanted to leave you with 604 00:20:43,840 --> 00:20:47,919 one of my favorite vampire tweets um 605 00:20:46,240 --> 00:20:51,440 thank you for listening and i'm happy to 606 00:20:47,919 --> 00:20:51,440 take questions if there are any 607 00:20:56,480 --> 00:20:59,760 thank you 608 00:20:57,679 --> 00:21:01,600 that was really excellent and chat's 609 00:20:59,760 --> 00:21:03,360 been going wild and you're probably 610 00:21:01,600 --> 00:21:05,280 lucky we're not an in-person conference 611 00:21:03,360 --> 00:21:06,640 because you may get your glasses stolen 612 00:21:05,280 --> 00:21:09,200 if we were 613 00:21:06,640 --> 00:21:09,200 oh dear 614 00:21:09,679 --> 00:21:13,440 no problem are there any questions in 615 00:21:11,760 --> 00:21:14,640 the chats i have 616 00:21:13,440 --> 00:21:18,000 not been looking 617 00:21:14,640 --> 00:21:20,559 yeah i'm trying to quickly scan through 618 00:21:18,000 --> 00:21:20,559 no problem 619 00:21:20,580 --> 00:21:24,000 [Music] 620 00:21:21,220 --> 00:21:27,120 [Laughter] 621 00:21:24,000 --> 00:21:29,200 i suspect many will appear uh probably 622 00:21:27,120 --> 00:21:30,880 just as we finish being live because 623 00:21:29,200 --> 00:21:32,080 that's how the rules of these things 624 00:21:30,880 --> 00:21:33,919 work 625 00:21:32,080 --> 00:21:35,679 well uh which is probably going to be 626 00:21:33,919 --> 00:21:38,880 the easiest way 627 00:21:35,679 --> 00:21:40,159 i got my glasses in tokyo 628 00:21:38,880 --> 00:21:42,799 so 629 00:21:40,159 --> 00:21:45,200 i hope that helps 630 00:21:42,799 --> 00:21:46,559 it probably doesn't at all 631 00:21:45,200 --> 00:21:48,400 well soon 632 00:21:46,559 --> 00:21:50,080 one day 633 00:21:48,400 --> 00:21:52,400 flights will be a thing people can take 634 00:21:50,080 --> 00:21:52,400 again 635 00:21:55,760 --> 00:21:59,840 well thank you very much we will be back 636 00:21:58,720 --> 00:22:03,360 in 637 00:21:59,840 --> 00:22:05,440 uh about 15 minutes at quarter past two 638 00:22:03,360 --> 00:22:08,480 australian eastern time 639 00:22:05,440 --> 00:22:11,480 uh so we'll see you all shortly 640 00:22:08,480 --> 00:22:11,480 great 641 00:22:20,640 --> 00:22:22,720 you