19.07.21 3 Min read
Last week, a researcher named RyotaK shared a clever supply chain vulnerability in Cloudflare’s highly popular hosted module called cdnjs, which runs on around 12% of all sites on the web. The module helps developers consume other popular packages and integrate them safely into their sites.
The vulnerability was in the cdnjs library update server. It could have led to remote code execution on Cloudflare's servers and to malicious code being injected into the hosted scripts themselves, which are consumed by all end users. Because that code runs directly in the browser, it bypasses WAFs and any other server-side filtering mechanisms.
You can read a detailed description of the vulnerability here.
Third-party scripts are becoming extremely common, and most sites use them today. In this case, the attacker could use a supply-chain attack to modify third-party scripts at their source. In other cases, such as Magecart, an attacker modified the script directly and injected code into end users' browsers.
Essentially, the cause and effect in both cases are the same: blindly running untrusted code in your end users' browsers.
These require some legwork, but are available freely:
In GlobalDots, we’re in a unique position to offer holistic web security solutions that prevent and intercept supply chain attacks, as well as other forms of web-borne attacks. Our solutions offer autonomous monitoring, detection and prevention of client side attacks.
While solutions differ in their modus operandi, the end result is the same: they allow you to monitor your end users' requests and permissions, how your third-party scripts are run, and what they are and are not allowed to do, with deployment in under a day.
Your ideal solution depends on your business and risk profile. It’s our job to analyze them, implement the best choice, and configure it for utmost protection and flexibility at work.
Contact us for effortless, worry-free security of your web assets.