
Hey everybody, thanks for coming out this afternoon. I am the last thing standing between you and the after party, so I will make it really quick. We're going to talk about Magecart and the risk of third-party JavaScript in web applications. So this is kind of the breakdown: I'll tell you a little bit about myself, talk about what third-party JavaScript really means, we'll talk about Magecart, what that group of threat actors is all about, what a content security policy is, some challenges in implementing one, and then we'll do a little bit of Q&A at the end, assuming there's some time.

So I am a Pittsburgh native, Columbus transplant. That is very much what it felt like to move to Columbus; I had to get a whole new set of eyeballs to look around, things are a little different there. And it's my one-year anniversary, I actually moved there the day after BSides last year, so I'm glad to be here again for sure, and thanks to everyone from BSides, all the organizers and everything, for putting on a great conference again this year.

So I'm a senior InfoSec architect at Dick's Sporting Goods. I love mangled packets, SQL injection, long walks on the stack. I know 50 shades of InfoSec: red, blue, purple, orange, I've seen them all in my career. And I'm a little bit noisy, I've done some speaking for SANS, BSides, DerbyCon, ISE-squared, some other places. I'm a BSides Pittsburgh 2017 black and gold badge holder, which is probably the greatest honor I've ever received in my life. And none of this is horn tooting or bragging time, I'm just telling you all this because I've seen some things, okay? I've seen a lot of things. Some of those things cannot be unseen. This is what it looks like to be in information security at Dick's Sporting Goods: you're fighting invisible bad guys, at the same time you're trying to live the brand, be healthy, and you're just trying to do your best, and you just really don't know where these guys are. But that's my life most days. So let's talk about
third-party JavaScript integrations: what they are, who uses them, and why they're used. So third-party JavaScript is essentially JavaScript that's instructed to load into the user's browser from a domain other than the origin. So your web page may say, okay, call out to this third party to load up some JavaScript, and that might be something that you do for a number of reasons, we'll get into that. The trusted code, and I put the question mark there, because you don't really know it's trusted; it's coming from a third party, and you don't really have any control over it because it's coming from a domain that you don't own. And this is often referred to as tagging or tags by the industry or by the business, so if you hear them talking about "hey, I want to put a new tag on the website," this is what they're talking about.

So who wants to do this? Retail, right here. The hospitality industry also uses a lot of JavaScript tagging, so I'm talking about hotels, airlines, those kind of folks. Entertainment industry: Ticketmaster, which is a big user of this, and they actually got breached because of this, and we'll talk about that a little bit more. I mentioned airlines, and it's really any site that has an e-commerce presence, or social media; anybody can use third-party JavaScript, and you'd be surprised if you pulled up some of your favorite websites, did a view source, and looked at all the different domains that your browser is talking to.

So why would we do this? Well, marketing purposes: so I go to Amazon and I look at a product, and suddenly that same product follows you around on every other website you visit; that's third-party JavaScript. Customer service, or customer experience: a lot of times your internal team might want to keep track of what your users are experiencing, if it's a good experience, bad experience. There's actually a thing out there called SessionCam that watches every single click, every single motion of the mouse, to watch where your mouse hovers, how long you spend hovering, how long you spend typing into fields, that sort of thing, and that's all done with a third-party JavaScript integration. Social media: you might want to have a "like on Facebook" thing on your web page or on your e-commerce site or something like that; that's a third-party JavaScript integration. And tracking; everybody loves to be tracked around the internet, right? So that's some of it. And then sometimes it's just lazy development: why would I rewrite this thing, why reinvent the wheel if somebody else has already done it and they've posted it in a GitHub and I'll just call it from there? What could go wrong, right? Well, we'll talk about that. But everybody that's ever done this, for whatever reason, they've given themselves high fives, right? They really think this is a great idea: hey, we just saved time, hey, we're tracking our users, hey, we don't have to do this stuff ourselves anymore. So high fives all around for everybody, right?

So let's talk about Magecart. So Magecart is a loose term really defining a group of threat actors who are using this kind of stuff to steal data from websites. Their techniques and motives are a little different, but the goals are the same:
take control of the user's browser, scrape whatever information is being typed in there, and send it off to a domain that they control. And I have to give a hat tip to RiskIQ for their work here; without what they've done this talk would not be possible. They really brought Magecart to light, and this thanks all goes to them; all I'm doing is telling you what they already told everybody.

So what are they after? Initially it was credit card data. They started out just getting into the user's browser and looking for credit cards as they were being typed; think of it as like a keylogger that's just skimming data right out of the checkout page where people are putting their credit card number and their name and all that stuff. Then they started going after PII, which of course, why wouldn't you? That's very valuable stuff too, and the same sort of thing, a skimmer/keylogger that's running in the browser. Then they started taking login credentials, and that works, right? Why wouldn't you? If you have control over the keyboard, why wouldn't you take a username and password? It's really anything valuable that's submitted via a form, that's what they're after.

So how did they do it? There's a few different ways. One is to compromise a third party whose JavaScript tags are called out to by thousands and thousands of customers, and another way is to actually compromise the website and then tamper with the JavaScript that's already on that website. Ultimately they're using their own JavaScript to send the data to a domain that they control, and then profit, right? Got a bunch of credit cards, now go have fun.

So we'll talk about some of the breaches. Ticketmaster: those guys lost many millions, something like 30 million credit cards, and it was due to a third-party integration. I believe that the integration provided a little pop-up window that said, "hey, it looks like you're having a hard time ordering tickets, do you need some help?" And that's actually coming from a third party, of course, and that little JavaScript that did that little trick had some code in there that said, okay, when we get to the checkout page, as the person starts typing, you start scraping that data and send it off to this domain that we've registered and nobody's paying attention to. Then there was British Airways. Now British Airways was a little different, because they actually compromised British Airways' site, and of course they didn't come clean on how that happened, but obviously there was some vulnerability in the website; the bad guys exploited it and they were able to replace JavaScript code that was already on British Airways' site with their own, and they used that to put their skimming/keylogging code into the browser.

It started out, after those two came out, that maybe we've had about 8,000 or so e-commerce deployments that were affected, but then as RiskIQ dug deeper it ended up more in the twenty thousand range, and it all ended up because a lot of these third parties were compromised, and these third parties had thousands and thousands of customers, so all of those e-commerce sites were ultimately compromised.

Some other types of attacks that can happen via third-party JavaScript: crypto mining, which the gentleman before me was just talking about. So if I'm a bad guy and I can put JavaScript in your browser, I can put a coin miner in there, and your computer is now doing work for me, and thank you for your CPU cycles, that is turning into real money. Adware is another one, to be able to insert maybe popup ads for a competitor, which would be not good for us; I don't want you going to Amazon if you're shopping at Dick's Sporting Goods, right? And clickjacking is another common situation where they're just trying to steal your clicks and send you somewhere else. So none of this is fine, it's more like the rolling dumpster fire, and it all came really quick; this has evolved over the last year, maybe a year and a half,
and it seems to be continuing. So let's talk about what you can do to secure your site, and that control is called a Content Security Policy. So Content Security Policy, usually referred to as a CSP, is essentially just an HTTP header that's sent from the server to the browser that defines which domains are trusted, so which domains you're allowed to send data to. If you have a good content security policy and a bad guy manages to get some bad JavaScript into the user's browser, the content security policy will prevent information from being sent to the domain that they control, because the domain that they control isn't defined here.

This is the most basic content security policy, and it says, well, you can run JavaScript from yourself and that's it. Well, that's not gonna help you with third-party JavaScript integrations, because you haven't defined any domains with this one, but I love this one because it's super, super secure. So some other directives: this is how you might define Google and then maybe a trusted partner, and you say, okay, well, you can run scripts from the server itself, from anything in Google, and from mytrustedpartner.com. Now when you start getting into the wildcard type situations, that gets a little dicey, because that could maybe mean a Google storage location; if that were GitHub, that could be problematic. There was a story about a guy where an attacker essentially took control over a GitHub repository that contained some code that a lot of people were using, and the attacker just kind of asked the owner of the GitHub repository, "hey, I see that you're not doing any active development on this code anymore, would you mind if I became the owner?" And the guy was just like, "oh yeah, sure, here you go," and then the bad guy took over the repo and did malicious things with it and affected a ton of sites. So yeah, don't just implicitly trust GitHub.

Some other things. So frame-ancestors: this would essentially block clickjacking, and that's actually like the same as X-Frame-Options, where you're defining who's allowed to do frames, and you don't let anybody else do it. Some additional directives: you also have some things around style sheets, so you want to also define who's allowed to serve up style sheets to the site, and this is how you do that. And then some other ones include object-src, where you're talking about plugins, img-src for images, media-src for audio and video, and thanks to my colleague Antonia and Araki go out there, he mentioned this: connect-src, where you're actually defining at the network level; you can do things like IP addresses in there, so super, super helpful to be able to lock things down.

But the good news is we can go even a little bit further, because, well, what if one of my scripts got modified on my own website because my website was compromised? Well, there's a thing called SRI, and that stands for Subresource Integrity, and what it is is essentially a way for you to validate the integrity of a particular script using hashing algorithms. So the server essentially sends the hash value for a particular script, the hash is calculated on the client side, and if things don't match up, things don't execute; if they do match up, the script executes and you're good to go. So it's a little difficult, because as scripts change, new versions come out, that sort of stuff, that could be problematic, because if you're not keeping up with those hash values sent from the server side then things are going to blow up, but it definitely gives you a way to make sure that the script that you're expecting to run in the user's browser is the script that you originally intended to run. This is what that looks like in code: you can see the integrity field, and that is just going to be the hash value that the server's calculated, and then again the client side is going to calculate that same hash value and match the two up, and if they match, code executes and we're good to go.

So the bad guys are super sad, because, well, data isn't going to be sent back to the servers that they control, the scripts won't execute due to SRI, clicks won't be jacked, cryptos won't be mined, redirects won't be redirected; things will behave as you expected them to behave. So this is kind of the evolution of CSP for an organization: you start off really kind of unevolved, no CSP, and then you start to evolve a little bit, you get a CSP, and then eventually get CSP + SRI, and then the ultimate is to have no JavaScript at all, because JavaScript can be evil, but of course that's never gonna happen, so we might never get there. So where do
you put it? We can put it in the application itself, but that's probably a little too far down the stack, so it's probably a little better to put it at the web server layer: define it at the web server, let the web server handle inserting the header. Or you could do that in a load balancer or reverse proxy, so that way you're guaranteed that the header will always get sent no matter what, and it's never actually gonna have to come from the web server itself. It could also come from your content delivery network, which is essentially a proxy. Anything that can insert the header, just get that header in there.

So some challenges around this technology. The big one is maintenance. So marketing teams tend to move very fast, I know this firsthand; they want to do things immediately, right now, and if they start inserting tags and they don't tell you about it, the CSP isn't going to allow them to execute. So you have to have somebody that's very in touch with what they're doing, working with them side by side, and if they're standing up a new domain that the user's browser needs to be talking out to, you need to know that so the CSP can be adjusted. There's also the issue of tag piggybacking, where a particular tag comes from an expected domain but then there's a bunch of tags that that thing calls out to that you can't necessarily see in the initial call. So you really need almost a map from your tag vendors to say, okay, if you call this domain, or if you're using this particular tag, yes, it's gonna go to the first domain and then it's going to go to subsequent domains, to make sure that those are all defined in the CSP. Browser support is a challenge, and boo, IE 11, bad Microsoft; it doesn't do great with CSP, and I'll show you what that looks like. Just tread carefully, you can break things if you don't do this right; if you don't test it ahead of time you can cause some serious, serious problems and potentially impact sales, impact usability, impact your job.

So this is a matrix that shows the support for CSP. The one at the top is the latest version, and you can see that Chrome and Firefox and Safari and Edge are good to go, but IE 11, no dice, does not support CSP; same goes for CSP 1.0. So what IE supports is the actual header X-Content-Security-Policy. Now you would say, okay, well, I'll just send both, I'll send the Content-Security-Policy header and I'll send the X-Content-Security-Policy header. Well, that's a problem, because some browsers, if they see both, they're not sure which one to go with, and they just give up and both break. So it's almost like you have to write a detection routine that says if I'm dealing with this browser then I send this header, if I'm dealing with IE 11 then I send this other header. Not ideal, but as browsers die and that sort of thing, hopefully this problem goes away.

So some tools for you. The Google CSP Evaluator is awesome: it will interpret a CSP from a particular website and give you all sorts of red marks or green marks; it will essentially interpret the CSP just as Chrome would, and that's very helpful from a testing standpoint, you don't have to do that yourself, CSP Evaluator will do that for you, and it's free. CSP Is Awesome is another great site; they actually help you build a CSP, you simply put in the domains and the type of data that is being sent from those domains and it'll build a real nice pretty CSP for you, and free as in beer. Report URI is a similar kind of thing; it has some testing and some CSP building capabilities. And I would say that the master of all this stuff is a guy named Scott Helme, he's out of the UK, he's got some really awesome blog posts about this particular issue and some challenges that you'll run into with SRI and those kind of things, so definitely check him out. And all these resources can be accessed at this tiny URL, so don't worry about having to Google too much, you can just go there and I have links out to all this stuff. So that was about 20 minutes. Does anybody have questions? Sir?
Yeah.

Yeah, so the question's around 'unsafe-inline', which is a challenge. It's where you have to define in the CSP, you're basically saying, yes, I'm going to have JavaScript inline in this page and you must permit that. So the challenge is you have to ask your developers to not do that and to put the stuff outside the page, and yeah, it's a challenge for sure, and there are some commercial applications where that's just not possible, because you're gonna have to go to like an IBM or some big company and ask them to do that. It is a risk, because, same sort of situation, if you have an attacker who's able to compromise the site and then modify those web pages specifically, then that code's gonna run, and that's regardless of what's in the CSP if you have 'unsafe-inline'. But with that, you need a code rewrite; that's the only way that you can really do anything about that, unfortunately. Anybody else? Ryan?
All right, so you mentioned some challenges with implementing CSP. I was just curious if you were aware or knew of any plugins for common content management systems like Joomla, or the other one like Joomla; are there any plugins that help you with that?

I haven't seen anything like that specifically. I know that there are some commercial vendors right now that are jumping on this because they smell money, and I mean it's valid; it's difficult to have basically a full-time resource laying around to modify CSP any time marketing comes in. So I do know of a couple vendors, I'm not gonna name them because I don't really know if their solutions are great or not, but we can talk about it offline. If you do some googling and look for "tag governance" you'll get pushed a bunch of ads via JavaScript, and they are attempting to do things like automate the actual detection of which tags are being called and then to essentially create the CSP on the fly for you. So they're working on it, but it's funny, because this stuff has been around forever and people have been doing it forever, but suddenly you get a bunch of bad guys that start exploiting it and it's like, oh, I guess we need a solution. So we're a little bit behind the 8-ball there, but there are some solutions out there.

Great, thank you. Anybody else? Okay, well, thank you very much. If you want to reach out, talk about some stuff a little more, shoot the breeze, you want to complain about JavaScript, I'm all ears, and thank you very much for coming. I appreciate it. [Applause]
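Added example, not from the talk or from any tool it names: a small Python model of the two controls the talk describes, the CSP script-src domain list (including the subdomain-only meaning of a `*.` wildcard) and the SRI integrity check, plus a reviewer pass for the 'unsafe-inline' and wildcard weaknesses raised in the talk and the Q&A. The policy string, the script body and every host name are constructed for the example; the matcher ignores ports and path prefixes.

```python
import base64
import hashlib
from urllib.parse import urlparse

TAG_SCRIPT = b"window.tagLoaded = true;\n"   # constructed stand-in for a vendor tag file

# Constructed policy shaped like the one in the talk: scripts from the site itself,
# anything under google.com (wildcard), and one partner; frame-ancestors stops framing.
DEMO_POLICY = ("default-src 'self'; "
               "script-src 'self' https://*.google.com https://trustedpartner.com; "
               "frame-ancestors 'none'")

def sri_hash(body, algo="sha384"):
    """Value for <script integrity="...">: algorithm label plus base64 digest of the bytes."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()

def sri_matches(body, integrity):
    """The browser-side step: rehash the fetched bytes and compare with the attribute."""
    return sri_hash(body, integrity.split("-", 1)[0]) == integrity

def parse_csp(header):
    """Turn 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _host_matches(pattern, host):
    # '*.example.com' covers subdomains only; the apex example.com is not included.
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def script_allowed(policy, script_url, page_url):
    """Would script-src (falling back to default-src) let this URL load?
    Keyword sources other than 'self' are skipped; ports and paths are ignored."""
    sources = policy.get("script-src", policy.get("default-src", []))
    target, page = urlparse(script_url), urlparse(page_url)
    for src in sources:
        if src == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif not src.startswith("'"):
            scheme, _, rest = src.rpartition("://")   # "https://cdn.x.com" or "cdn.x.com"
            if scheme and scheme != target.scheme:
                continue
            if _host_matches(rest.split("/")[0], target.hostname or ""):
                return True
    return False

def weak_points(policy):
    """Findings the talk and Q&A warn about: inline scripts, wildcard hosts, no script limit."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts may load from anywhere"]
    findings = []
    if "'unsafe-inline'" in sources:
        findings.append("'unsafe-inline': injected inline script runs regardless of the domain list")
    findings += ["wildcard %s: every matching subdomain is trusted" % s for s in sources if "*" in s]
    return findings
```

A skimmer domain that is not in the list is refused by `script_allowed`, and a tag file whose bytes changed after the `integrity` value was recorded fails `sri_matches`, which is the pair of outcomes the talk summarises as "data isn't going to be sent back" and "the scripts won't execute due to SRI".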