Friday, June 28 • 2:15pm - 3:00pm
Dawn of the Dead - The Tale of the Resurrected Domains


After years of innovation, it's become clear that the same features which propelled web applications to the forefront of software delivery are also their Achilles' heel in terms of vulnerability to supply chain attacks. This vulnerability arises from their highly composable nature, dynamically distributed code, and error-tolerant runtimes like browsers, which strive to execute code despite errors, such as syntax issues.


Today, our reliance on third-party dependencies is unprecedented, encompassing not only the software itself but also the development, build chains, and various tools designed to enhance software development efficiency.

A significant portion of these dependencies includes scripts dynamically loaded from third-party servers. This approach allows script owners to update them unannounced, bypassing the website's ability to validate script integrity using mechanisms such as Subresource Integrity (SRI), since a pinned file hash would break upon the first update.

What if these third-party hosts fail? Typically, browsers still attempt to run the web application, often resulting in numerous console errors unnoticed by users. This is a likely reason for the lax code maintenance observed in many websites, as their applications appear to function despite these underlying issues.


The risk escalates when script hosts are permanently shut down, often leaving their domains available for purchase. This scenario has recently been exploited by attackers, who acquire these domains to inject malicious scripts into websites still linked to the original URLs.


We caught one such attack, injecting malicious code into several websites. The extent of this threat was unknown until our threat hunting journey led to the discovery of over 1,000 compromised websites. This presentation will cover the full saga from detection to neutralization, including the various challenges faced and tools built and employed.

Post-incident, we expanded our research to investigate the prevalence of similar attacks. This led to extensive research and the development of a tool capable of scanning millions of websites for such vulnerabilities. We’ll present our findings. During our research, we also developed a free tool designed to alert website owners if they are using third-party scripts from defunct domains that may have fallen into malicious hands. We will introduce this tool to the community in our talk.
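The two mechanics the abstract describes, SRI hashes that stop matching the moment a third-party script is updated, and script tags that keep pointing at hosts whose domains have lapsed, can be illustrated with a small audit script. The following is an added example written for this page, not code from the talk or from Jscrambler: it parses an HTML document, lists every external `<script>` tag, flags third-party scripts that carry no `integrity` attribute, and flags any whose host appears in a set of known-defunct hostnames. The HTML, the `.test` hostnames and the `DEFUNCT_HOSTS` set are constructed; the set is a stand-in for the DNS and registration checks a real scanner would perform. `verify_sri` recomputes the hash the way a browser does, which shows why a pinned hash fails after an unannounced update.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptTagCollector(HTMLParser):
    """Collect src and integrity attributes from every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): v for k, v in attrs}
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ("<algo>-<base64 digest>") for script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """True if any token in an integrity attribute matches the content.

    A browser performs the same comparison and refuses to execute the script on
    mismatch, so a script pinned by hash stops loading after its host updates it.
    """
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(content, algo) == token:
            return True
    return False


def _is_first_party(host: str, page_host: str) -> bool:
    return host == page_host or host.endswith("." + page_host)


def audit_scripts(html: str, page_host: str, defunct_hosts: set) -> list:
    """Flag third-party scripts lacking SRI and/or served from a defunct host.

    Returns a sorted list of (src, [issues]). defunct_hosts is a constructed
    stand-in for the DNS/registration lookup a real scanner would run.
    """
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        host = urlparse(s["src"]).netloc.lower()  # handles "//host/path" too
        if not host or _is_first_party(host, page_host):
            continue  # relative or same-site URL: not a third-party load
        issues = []
        if not s["integrity"]:
            issues.append("no-sri")
        if host in defunct_hosts:
            issues.append("defunct-host")
        if issues:
            findings.append((s["src"], issues))
    return sorted(findings)


# Constructed sample page: one first-party script, one pinned third-party
# script, one unpinned third-party script, one script from a lapsed host.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//stats.third-party.test/s.js"></script>
<script src="https://widgets.defunct-host.test/w.js"></script>
</head><body></body></html>
"""
DEFUNCT_HOSTS = {"widgets.defunct-host.test"}  # constructed placeholder set


def demo() -> list:
    return audit_scripts(SAMPLE_HTML, "www.example-site.test", DEFUNCT_HOSTS)


if __name__ == "__main__":
    for src, issues in demo():
        print(f"{src}: {', '.join(issues)}")
```

Running it reports the unpinned analytics script as `no-sri` and the widget script as both `no-sri` and `defunct-host`; the pinned CDN script passes. The `integrity` value in the sample is a placeholder, so to use the check against real content, compute the value with `sri_hash` on the exact bytes the host serves and remember that cross-origin scripts also need `crossorigin="anonymous"` for the browser to enforce SRI.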


Speakers

Pedro Fortuna

CTO and Co-Founder, Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years - ended up falling in love with the fast-paced world of entrepreneurship. He started Jscrambler where he leads all security research and drives the company's product...


Friday June 28, 2024 2:15pm - 3:00pm WEST