Do you know what’s running on your website?
A new report from security firm Dasient concludes that the majority of websites are running third-party JavaScript somewhere on their sites, which could be putting them at risk.
The Dasient report comes ahead of the company’s scheduled talk at the Black Hat security conference this week, where Dasient cofounder Neil Daswani is set to detail the problem and one potential solution.
[login]Dasient’s research demonstrated that the problem of third-party JavaScript usage is widespread. According to Dasient, 75 percent of websites use third-party JavaScript in some form, which represents a potential risk to their security.
Dasient found that the level of third-party JavaScript usage varies somewhat based on the market segment. For instance, 94 percent of high-tech vendors and 89 percent of financial institutions use widgets on their websites that were developed by third parties.
“Businesses need to realize that they are dependent on third parties in order for their sites to be secured and at the same time they don’t have direct control over those third-party resources,” Daswani told InternetNews.com.
Third-party JavaScript can take many different forms, ranging from ad server code to content widgets. The way that the JavaScript code is embedded within a website also varies.
“Third-party widgets either take form of third party JavaScript or third-party iFrames
Daswani believes that functionality has won out over security when it comes to modern website development. The challenge now is about how to mitigate the risk that the usage of third-party JavaScript resources may have on websites.
“The web is all interconnected and the amount of code being used from different places is also interconnected,” Daswani said. “As a result, it’s important for enterprises to mitigate their risk, and not necessarily by eliminating the third-party JavaScript, because that may not be possible from a business perspective.”
One solution to the issue is Dasient’s website malware monitoring service, which first debuted last year. Daswani will be speaking at Black Hat specifically about the architecture of the firm’s Mod anti-malware technology, which aims to help prevent malware infection on websites.
Browser vendors have also tried to help mitigate the risk through a number of different techniques. Multiple browser vendors including, Microsoft and Mozilla, have domain-origin policies for their browsers, which are intended to restrict the ability of third-party scripts to execute functions.
“The same origin and domain security policies that are used by the browser are indeed helpful,” Daswani said. “But there are still some problems.”
For example, Daswani said that if an iFrame is used that is pulling in third-party content, the origin policies would restrict the iFrame content from impacting anything else on the specific page. He added that while origin policies are helpful, if the iFrame were to pull in a malicious PDF that invoked the PDF plugin and triggered a buffer overflow, for instance, the attacker could still take control of the PC.
Other issues that can affect third-party JavaScript usage include the errant disclosure of information disclosure by way of a cross-site scripting (XSS) vulnerability. Daswani noted that in the case of data theft that’s a different threat than malware, which could be served via a third-party JavaScript widget.
“I’d love for Mod anti-malware to solve all the world’s problems, but at the same time I think it’s important to have different categories of defense coming from different places,” Daswani said. “It is important to look at website malware monitoring as part of a defense-in-depth strategy that works with other complementary services.”
Suggested Tags: malware, Dasient, Black Hat, security, JavaScript
