The Bad Guys Win - Analysis of Magecart Vulnerabilities
Offered By: Black Hat via YouTube
Course Description
Overview
Explore an in-depth analysis of 10,000 Magecart vulnerabilities in this 37-minute Black Hat conference talk. Delve into the world of digital supply-chain attacks, examining how hackers compromise third-party JavaScript code to steal information from web applications and websites. Gain insights into the research conducted over two years, monitoring web vulnerabilities and the methods used to abuse third-party scripts while bypassing defense mechanisms. Discover the alarming statistics on vulnerable assets across sectors, including governments and global enterprises. Learn about the "careful hacker" threat model, the challenges enterprises face, and anti-Magecart solutions. Uncover the techniques used to bypass script monitoring and client-side solutions, as well as the exploitation of browser-native mechanisms. Examine the Trusted-Source Injection (TSI) attack and scriptless Magecart attacks. Conclude with a summary of the ongoing battle between enterprises and hackers, and explore potential solutions to combat these sophisticated threats.
Syllabus
Intro
Background - Script Inclusion diagram
Magecart: Digital supply-chain attack
Statistics - The data
30,000+ vulnerable assets
Popularity of affected sites
Cross-sector
Steal information
Active abuse
Threat model - Careful hacker
The enterprise challenges
Anti-Magecart solutions
General notes about the careful hacker
General things that careful hackers do
Bypass script monitoring
Bypass client-side solutions
Use browser native mechanisms
Enterprise use of browser native mechanisms
The Trusted-Source Injection (TSI) attack
Scriptless Magecart attack
Summary table: Enterprise vs. Hackers
What could be done?
Taught by
Black Hat
Related Courses
Computer Security - Stanford University via Coursera
Cryptography II - Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story - University of London International Programmes via Coursera
Building an Information Risk Management Toolkit - University of Washington via Coursera
Introduction to Cybersecurity - National Cybersecurity Institute at Excelsior College via Canvas Network