Protect your site from Cryptojacking with CSP + SRI


8 bookmarks. First posted by vielmetti february 2018.


If you want to load a crypto miner on 1,000+ websites you don't attack 1,000+ websites, you attack the 1 website that they all load content from. In this case it turned out that Text Help, an assistive technology provider, had been compromised and one of their hosted script files changed. The offending asset can be found here (https://www.browsealoud.com/plus/scripts/ba.js) for the duration it remains but here is the snippet that matters.
february 2018 by probablytom
With that tiny change to how the script is loaded, this attack would have been completely neutralised. What I've done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page. To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute. In short, this could have been totally avoided by all of those involved even though the file was modified by hackers. On top of all of that, you could be alerted to events like this happening on your site via CSP Reporting which is literally the reason I founded Report URI.
javascript  security  webdev  bitcoin  monero 
february 2018 by Chirael
Protect your site from Cryptojacking with CSP + SRI https://t.co/Wlj4yeR5rT

— Abraham Williams (@abraham) February 11, 2018
IFTTT  Twitter 
february 2018 by abraham
Helme noticed that thousands of sites, including government sites, were running a cryptominer via a hacked Javascript file. As he points out, to hack 2,000 sites you don’t hack 2,000, you hack one:
This is not a particularly new attack and we've known for a long time that CDNs [content delivery networks] or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites. The thing is though, there's a pretty easy way to defend yourself against this attack. Let's take the ICO as an example, they load the affected file like this:

[script src="//www.browsealoud.com/plus/scripts/ba.js" type="text/javascript"][/script]

That's a pretty standard way to load a JS file and the browser will go and fetch that file and include it in the page, along with the crypto miner... Want to know how you can easily stop this attack?

[script src="//www.browsealoud.com/plus/scripts/ba.js" integrity="sha256-Abhisa/nS9WMne/YX+dqiFINl+JiE15MCWvASJvVtIk=" crossorigin="anonymous"][/script]

That's it. With that tiny change to how the script is loaded, this attack would have been completely neutralised. What I've done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page. To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute. In short, this could have been totally avoided by all of those involved even though the file was modified by hackers.

Sure, he’s selling a service. But it’s a useful service.
Cryptominer  hacking 
february 2018 by charlesarthur
If you want to load a crypto miner on 1,000+ websites you don't attack 1,000+ websites, you attack the 1 website that they all load content from. In this case it turned out that Text Help, an assistive technology provider, had been compromised and one of their hosted script files changed. The offending asset can be found here (https://www.browsealoud.com/plus/scripts/ba.js) for the duration it remains but here is the snippet that matters.
cryptojacking  browsealoud  ba.js 
february 2018 by vielmetti