Over the past several weeks, I’ve learned more about the supply chain for household items than I’d ever have cared to know. Who knew that the supply chain for toilet paper was so fragile?!
Those of us who focus on defending web applications are increasingly turning our attention to the supply chain that makes up modern web applications. Following a string of fraudsters pilfering payment details in payment skimming attacks, the Payment Card Industry (PCI) has raised awareness of these risks by issuing a series of warnings and educational webinars on the topic. We have repeatedly seen attackers gain control of first- or third-party JavaScript running on websites to pull off these attacks.
In a recent study of web traffic, researchers at Akamai discovered that 67% of content on the average website is delivered by a third party. It isn't surprising that attackers have turned their attention to the supply chain for web applications, since it now has critical mass.
Trends in development suggest that the share of content sourced from third parties will only grow over time as website owners look for faster, cheaper ways to introduce new functionality.
Attackers can also achieve greater yields by compromising a provider of third-party JavaScript, since a single compromise could give them access to trusted JavaScript running on hundreds, or even thousands, of websites.
Not only are these attacks growing in frequency, but attackers are drawing inspiration from techniques previously observed in endpoint malware evasion. The Pipka strain of malware discovered by Visa's fraud team demonstrated the capability to remove itself from the page's HTML once it has executed. This type of technique is common in malware observed in corporate networks, but is novel for malware embedded in website JavaScript.
Attackers have also been observed employing domain generation algorithms (DGA) for the command and control (C2) component of formjacking attacks, another example of borrowing a technique long observed in desktop malware. The DGA has the impact of making static blacklists of C2 infrastructure less useful. The ongoing evasions are to be expected and will continue to challenge web defenders.
Web application security teams don’t have the luxury of stopping developers and the business from leveraging all the innovative widgets, marketing enablement tooling, and other features that these third parties provide. These tools are effective at improving the user experience and helping the business gather valuable analytics, so it is a risk that will need to be managed.
The sheer number of providers whose JavaScript may be injected into the user experience, and the frequency with which their code changes, make a traditional point-in-time third-party vendor management approach a difficult way to manage this risk.
In a 90-day study of more than 100,000 JavaScript calls detected by Akamai's CDN, only 25% were still observed in the final week of the quarter, indicating that 75% of all JavaScript will turn over in less than 90 days.
Existing web application defenses struggle to detect this class of attacks. Tooling deployed on the web server, a Web Application Firewall (WAF), or a reverse proxy is unable to inspect calls from the browser to a third-party domain. Capabilities like Content Security Policy (CSP), something most web defenders know as a tool for combating Cross-Site Scripting (XSS), could theoretically help manage this risk. CSP allows web defenders to send a directive from the web application, or a reverse proxy, to the browser indicating which domains the browser should trust for a given web page.
As web applications become more dependent on dynamic third-party content, it has become more challenging to maintain a whitelist of trusted domains. CSP has been part of a web defender's toolkit for more than ten years, so perhaps this complexity is one reason an aggressive CSP policy is seldom implemented.
Another challenge with using CSP to combat these attacks is that domain-level whitelists can be quite broad if CDN or cloud storage domains are included. That can result in the opening of a wide aperture an adversary could exploit.
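To make the "wide aperture" point concrete, here is an added example (not code from the original post or from Akamai) that parses a Content-Security-Policy header and flags the script sources that widen what the browser will execute: wildcard or scheme-only sources, wildcard subdomains of shared CDN hosts, and `'unsafe-inline'`. The two policies and every hostname in it are constructed samples.

```python
# Added example, not from the original post. Flags script-src entries in a CSP
# header that broaden the set of origins allowed to run script on the page.
from typing import Dict, List

# Source expressions that effectively disable the whitelist for script execution.
BROAD_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is not set."""
    return policy.get("script-src", policy.get("default-src", []))


def broad_sources(header: str) -> List[str]:
    """Return the script sources that open a wide aperture for injected script."""
    findings: List[str] = []
    for src in effective_script_sources(parse_csp(header)):
        low = src.lower()
        if low in BROAD_KEYWORDS:
            findings.append(src)
        elif low.endswith(":"):
            findings.append(src)            # scheme-only source such as https:
        elif low.startswith("*.") or "://*." in low:
            findings.append(src)            # wildcard subdomain of a shared host
    return findings


# Constructed sample policies: a permissive one typical of sites that whitelist a
# whole CDN, and a tightened one that pins specific hosts and uses a nonce.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https: *.cdn-example.net"
TIGHT_POLICY = "default-src 'self'; script-src 'self' 'nonce-R4nd0m' https://tags.example.net"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(f"{name}: broad script sources = {broad_sources(policy)}")
```

A policy that only sets `default-src *` is reported as broad too, because `script-src` inherits from it.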
As attackers targeting the expansive attack surface presented by the modern web application's supply chain continue the inevitable progression of evasions, new techniques will be required to detect these attacks. Fortunately for web defenders, many of these evasive techniques have been observed before in desktop malware.
As adversaries in this space introduce a technique like DGA to evade static blacklists during exfiltration or command and control, defenders can leverage the significant research into detecting DGAs from corporate malware. Similarly, as we observe evasion methodologies such as anti-forensics (as seen in Pipka), defenders can also draw inspiration from techniques that have been effective in endpoint malware.