posted by martyb on Thursday January 11 2018, @11:20AM   Printer-friendly
from the telemetry-for-the-masses-r-us dept.

An interesting read for web developers: how hard is it to (not) add malware to your site? David Gilbertson tried to answer this question for Node.js and npm, but the approach is potent for other package-dependency hells as well.

The malicious code itself is very simple
[...]
Of course, when I first wrote this code, back in 2015, it was of no use at all sitting on my computer. I needed to get it out into the world. Out into your site.
[...]
XSS is too small scale, and really well protected against.

Chrome Extensions are too locked down.

Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.
[...]
People love pretty colours — it’s what separates us from dogs — so I wrote a package that lets you log to the console in a any colour. (sic)

I was excited at this point — I had a compelling package — but I didn’t want to wait around while people slowly discovered it and spread the word. So I set about making PRs to existing packages that added my colourful package to their dependencies.

I’ve now made several hundred PRs (various user accounts, no, none of them as “David Gilbertson”) to various frontend packages and their dependencies. “Hey, I’ve fixed issue x and also added some logging.”

Look ma, I’m contributing to open source!

There are a lot of sensible people out there that tell me they don’t want a new dependency, but that was to be expected, it’s a numbers game.
[...]

Of course it's all fiction written with a spicy pinch of nastiness but the described attack vectors seem all too real. What's your take on the matter? How do you hold the line there with all the dependencies which inevitably come (sooner or later) to a "professional" web site?

Or you can discuss it from the user's perspective. Have you tried NoScript with PayPal, Amazon, eBay, etc.?

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
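The attack in the story rides on a pull request that quietly adds one more dependency, which then drags in its own dependencies and, possibly, an install script. One way a maintainer can hold the line is to diff the lockfile a PR produces against the one on the main branch and read what actually enters the tree, rather than the PR description. The script below is an added example, not code from the article or from any project it mentions; it works on the flat `packages` map that npm writes into package-lock.json at lockfileVersion 2 and 3 (where `hasInstallScript` is a real field), and the two lockfiles, the package names (`colourful-logger`, `tiny-fetch`, `left-pad-ish`) and the registry URLs are constructed for the demo.

```javascript
// Added example (not the article's code): a reviewer's aid that diffs two
// npm package-lock.json documents (lockfileVersion 2/3 "packages" map) and
// reports direct and transitive additions, version changes, removals and
// any newly added package that runs an install script.
// All package names, versions and URLs below are constructed for the demo.

// Constructed "before" lockfile: the tree on the main branch.
const LOCK_BEFORE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "left-pad-ish": "^1.0.0" } },
    "node_modules/left-pad-ish": {
      version: "1.0.0",
      resolved: "https://registry.example/left-pad-ish-1.0.0.tgz",
    },
  },
};

// Constructed "after" lockfile: what "fixed issue x and added some logging"
// leaves behind once the PR branch is installed.
const LOCK_AFTER = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { "left-pad-ish": "^1.0.1", "colourful-logger": "^2.3.0" },
    },
    "node_modules/left-pad-ish": {
      version: "1.0.1",
      resolved: "https://registry.example/left-pad-ish-1.0.1.tgz",
    },
    "node_modules/colourful-logger": {
      version: "2.3.0",
      resolved: "https://registry.example/colourful-logger-2.3.0.tgz",
      hasInstallScript: true, // npm sets this when the package has (pre|post)install scripts
      dependencies: { "tiny-fetch": "^0.1.0" },
    },
    "node_modules/colourful-logger/node_modules/tiny-fetch": {
      version: "0.1.0",
      resolved: "https://registry.example/tiny-fetch-0.1.0.tgz",
    },
  },
};

// Map a lockfile "packages" key to the package it installs:
// "node_modules/a/node_modules/b" -> "b", "node_modules/@s/p" -> "@s/p".
function packageName(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Installed packages only; the "" entry is the root project itself.
function entries(lock) {
  const out = new Map();
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue;
    out.set(key, { name: packageName(key), ...meta });
  }
  return out;
}

// Compare by install path so a nested copy of a package is still noticed.
function diffLockfiles(before, after) {
  const a = entries(before), b = entries(after);
  const added = [], removed = [], changed = [];
  for (const [key, meta] of b) {
    if (!a.has(key)) {
      added.push({ path: key, name: meta.name, version: meta.version });
    } else if (a.get(key).version !== meta.version) {
      changed.push({ path: key, name: meta.name, from: a.get(key).version, to: meta.version });
    }
  }
  for (const [key, meta] of a) {
    if (!b.has(key)) removed.push({ path: key, name: meta.name, version: meta.version });
  }
  return { added, removed, changed };
}

// Every installed package that will execute code at install time.
function installScriptPackages(lock) {
  return [...entries(lock).values()]
    .filter((m) => m.hasInstallScript === true)
    .map((m) => m.name);
}

// Human-readable findings for the PR review, in lockfile order.
function reviewDependencyChange(before, after) {
  const { added, removed, changed } = diffLockfiles(before, after);
  const root = (after.packages || {})[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const findings = [];
  for (const p of added) {
    const kind = direct.has(p.name) ? "direct" : "transitive";
    const script = after.packages[p.path].hasInstallScript === true ? ", runs an install script" : "";
    findings.push(`ADDED ${kind}: ${p.name}@${p.version} (${p.path}${script})`);
  }
  for (const p of changed) findings.push(`CHANGED: ${p.name} ${p.from} -> ${p.to}`);
  for (const p of removed) findings.push(`REMOVED: ${p.name}@${p.version}`);
  return findings;
}

for (const line of reviewDependencyChange(LOCK_BEFORE, LOCK_AFTER)) console.log(line);
```

Run in CI with the main-branch lockfile and the PR's lockfile in place of the constructed objects; a PR that claims to fix one issue but adds a direct package, a transitive one and an install hook shows up as three lines the reviewer has to explain before merging.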


  • (Score: 5, Informative) by TheRaven on Thursday January 11 2018, @05:30PM (8 children)

    by TheRaven (270) on Thursday January 11 2018, @05:30PM (#620990) Journal
    You don't need JavaScript for dynamic sizing with CSS 3. You can have CSS rules that are conditional on window size. % weights aren't adequate for small devices because 50% of a 15" monitor and 50% of a 4" mobile phone screen are very different in terms of their ability to contain a useful amount of text. You often want a different display for these. The optimal width for a line of text to maximise readability is 66 non-whitespace characters. Approximating that on a very small or desktop-sized window can't be done simply by saying x% of the width. Fortunately, CSS selectors do allow you to encode more complex constraints.

    I've also learned that you can show and hide elements in response to a click solely in CSS, which is currently the only thing I use JavaScript for. [codepen.io]

    Apparently CSS is now Turing complete [complex-systems.com], even in the absence of JavaScript, so I wonder if it will become another vector for malware.

    --
    sudo mod me up
  • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @05:57PM

    by Anonymous Coward on Thursday January 11 2018, @05:57PM (#621001)

    > I've also learned that you can show and hide elements in response to a click solely in CSS, which is currently the only thing I use JavaScript for. [codepen.io]

    That's how it's implemented here on SN. I have JS disabled, but I can still show/hide comments by clicking on the +/- buttons. I remember it being discussed when it was implemented (IIRC, by TMB), so you could search site or even the SN codebase for it :)

  • (Score: 2, Interesting) by Anonymous Coward on Thursday January 11 2018, @06:28PM (4 children)

    by Anonymous Coward on Thursday January 11 2018, @06:28PM (#621020)

    Or better yet, have your server emit a different version of the site for /mobile/ and /desktop/. There's no reason for this to be done clientside at all. Trying these one-size-fits-all approaches is exactly why people resent modern UI design (metro, gnome3, chrome, placeo-chrome [nu-firefox]).

    • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @06:33PM

      by Anonymous Coward on Thursday January 11 2018, @06:33PM (#621023)

      *placebo

    • (Score: 2) by tibman on Thursday January 11 2018, @07:22PM (2 children)

      by tibman (134) Subscriber Badge on Thursday January 11 2018, @07:22PM (#621047)

      That's still bad. Desktop isn't just one resolution. Mobile resolution also varies wildly. Input devices (touch, click) vary and some computers quickly convert into tablets and stuff. In my experience mobile sites have reduced functionality because the company has to basically build two UIs that work differently. I prefer responsive websites over mobile ones.

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @07:34PM (1 child)

        by Anonymous Coward on Thursday January 11 2018, @07:34PM (#621053)

        The reply was more about % weights not being accurate enough for mobile. Why not do all that mobile-specific checking in a mobile-specific site and leave the desktop site the way they've always been done since the dawn of the internet?

        • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @07:41PM

          by Anonymous Coward on Thursday January 11 2018, @07:41PM (#621056)

          PS: In regards to reduced functionality, these mobile/desktop amalgam sites more often than not reduce functionality for desktop users in ways that may not be apparent immediately, pretty much in the same way clusterfucks like metro and gnome3 do (the classic being tasks that needed 1 click in the original version now needing 3 to 4).

  • (Score: 3, Informative) by Arik on Thursday January 11 2018, @08:21PM (1 child)

    by Arik (4543) on Thursday January 11 2018, @08:21PM (#621067) Journal
    Layout tags break the paradigm; whether it's by inches or points or percentages doesn't matter, it's still missing the point. The web server does not know and is not supposed to know what sort of display device is being used, it doesn't know whether it even HAS a screen, and it is not in any position to be making any sort of layout decisions whatsoever. That logic needs to be in the browser instead.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 2) by TheRaven on Saturday January 13 2018, @03:20PM

      by TheRaven (270) on Saturday January 13 2018, @03:20PM (#621819) Journal
      Nice idea. You write the browser that can take arbitrary structured data with no layout markup and present it attractively and then get back to me. Whether you like it or not, Google managed to push the world to HTML5 and away from XHTML2 so that the user agent couldn't tell content and adverts apart.
      --
      sudo mod me up