Hacking websites via third-party JavaScript libraries

That&#x27;s a risk every time you use a CDN. We used a CDN that f-ed up JS versions, breaking sites, had downtime, breaking sites... when ever you do use a CDN, be aware of everything that could go wrong, which is a lot... On the other hand, id you add hashes to the script references you load, you are a lot more secure, check out <a href="https:&#x2F;&#x2F;developer.mozilla.org&#x2F;en-US&#x2F;docs&#x2F;Web&#x2F;Security&#x2F;Subresource_Integrity" rel="nofollow">https:&#x2F;&#x2F;developer.mozilla.org&#x2F;en-US&#x2F;docs&#x2F;Web&#x2F;Security&#x2F;Subres...</a> if you use a CDN and would like to do so securely...

&gt; <i>The Tealium iQ Tag Management System service is used by many companies to organize tags on their websites.</i><p>Tag managers are the worst. They shouldn’t even exist. When a website uses a tag manager, it means the web devs have been forced to give marketing and every other department a backdoor to insert whatever vile abominations they want.

&gt; Each time a new table was generated, a new PHP file was created on the server. Using a hole in filtering of the input parameters for creating the PHP file, I was able to reproduce an RCE attack: a malicious request injected arbitrary PHP code into the generated file.<p>So this has nothing to do with the third party JS library itself, but with how the website&#x27;s backend stored the data generated by the frontend script. The developer could probably reproduce the hack with postman and doesn&#x27;t need the CDN hosted library at all.

A few ways out of these are:<p>- don&#x27;t eval on the server side (this is a bad idea most of the time anyway);<p>- serve js bundles from your own domain and set an appropriate content security policy;<p>These hacks won&#x27;t work then.

While I think SRI is a good tool to counter CDNs (with the correct deploying strategy, human-supervised semi-automatized SRI generation shall become trivial), there is a fundamental flaw with &quot;compiled&quot; aka obfuscated&#x2F;minimized javascript code: How do you, as an author, even know that it doesn&#x27;t contain malicious code in the first place? That&#x27;s the fundamental problem of using software written by other people: Except you can afford expensive code audits, you never know. I expect any security-related company (like Banks) to do these source code audits. But I doubt they do it.

Minimize JS use, serve the JS you use only from your own domains, run high security apps on dedicated domains with less JS and other external shit than your public marketing site, and use CSP.<p>I&#x27;d probably trust a single CDN (like cloudflare) with my own copies of all things I include more than I&#x27;d want to serve directly but use code from lots of different sources, but for something incredibly high security, I&#x27;d want end users to be talking directly to a secure server (maybe with tcp&#x2F;etc. layer proxies for ddos resistance and flow-level monitoring, but without decrypting).

In the first example, this guy goes and pops a (web)shell on Datatables.net. There&#x27;s no security policy, no bounty program, etc. for this site or its owner[2]. Generally I don&#x27;t believe it&#x27;s a good idea to go pwning businesses&#x27; servers that don&#x27;t give you some sort of permission to test. That&#x27;s some seriously dangerous business.<p>[2] <a href="https:&#x2F;&#x2F;sprymedia.co.uk&#x2F;" rel="nofollow">https:&#x2F;&#x2F;sprymedia.co.uk&#x2F;</a>

The fact that this was possible is a testament that web devs really have no concept of due diligence. Sad.<p>Imagine if running a native app on your computer would load random DLLs from servers. It boggles the mind.

I&#x27;d really like to see a web where developers stop `npm install`ing tons of dependencies, I really would!

Doesn&#x27;t surprise me that WA.gov.au is full of vulnerabilities.

SRI is such a cool idea (in theory) but the approach fails in practice. Also very few sites maintain a solid Content Security Policy (CSP). What&#x27;s the point of all these controls&#x2F;tools when nobody uses them?

I’ve come to the conclusion that the way to secure your website from third party JavaScript is to monitor everything happening on your site: <a href="https:&#x2F;&#x2F;enchantedsecurity.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;enchantedsecurity.com&#x2F;</a><p>These third party libraries are a necessary part of modern websites. It’s worth trusting but verifying their security.