
JavaScript Realms - The Blank Spot In Web Application Runtime Security

2023-02-15

Authors:   Gal Weizman


Summary

The presentation discusses the importance of improving security and visibility in JavaScript Realms, and why the third-party solutions used for this today fall short: they lack visibility into JavaScript Realms, which affects security.
  • Third-party solutions can assist in improving security and visibility in JavaScript applications
  • Behavioral overriding or monkey patching is used by third-party solutions to gain control over the application and runtime
  • However, these solutions lack visibility into JavaScript Realms, which affects security
  • Realms are ecosystems in which JavaScript plugins exist and have their own global execution environment
  • Improving security and visibility in Realms requires solutions that can provide visibility into Realms
The presenter gave a live demo of how Snow, a third-party solution, can disable the alert function in a game. Snow ensures that same-origin Realms cannot bypass its security measures. The presenter also encouraged the audience to try to bypass Snow's security measures, as that would be helpful for the project.
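
The blank spot described above, as an added example (not code from the talk or from Snow): Node's `vm` contexts stand in for browser iframes as separate realms, and `JSON.parse` stands in for a hooked built-in such as `alert`. All function names are hypothetical.

```javascript
const vm = require('node:vm');

// Hook source. It is evaluated inside a realm so that it overrides that
// realm's own JSON.parse (constructed stand-in for a built-in such as alert).
const HOOK_SRC = `(function (log) {
  const original = JSON.parse;
  JSON.parse = function (text, ...rest) {
    log.push(String(text));              // visibility: record every call
    return original.call(this, text, ...rest);
  };
})`;

// Monkey patch a single realm.
function protect(realm, log) {
  vm.runInContext(HOOK_SRC, realm)(log);
  return realm;
}

// A new realm as the platform hands it out: pristine built-ins, no hook.
function newRealm() {
  return vm.createContext({});
}

// The defensive idea: hook each new realm before other code runs in it.
function newProtectedRealm(log) {
  return protect(newRealm(), log);
}

// Coverage check: a native built-in stringifies to "[native code]".
function isHooked(realm) {
  return !vm.runInContext('JSON.parse.toString()', realm).includes('[native code]');
}

// Hook the top realm, then make one call there and one in a child realm.
// Returns the calls the hook actually saw.
function audit(makeChildRealm) {
  const log = [];
  const page = protect(vm.createContext({}), log);
  vm.runInContext('JSON.parse("[1]")', page);
  vm.runInContext('JSON.parse("[2]")', makeChildRealm(log));
  return log;
}

console.log(audit(newRealm));          // child realm call is missing
console.log(audit(newProtectedRealm)); // both calls recorded
```

`isHooked` can serve as a regression check that a runtime protection still covers every realm the application creates.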

Abstract

Due to the rise of dependencies based development, the JavaScript ecosystem (and the browser JavaScript ecosystem in particular) is far more vulnerable to the rising major problem we know as “supply chain attacks”. Therefore, many different supply chain security solutions were introduced to the industry as well, focusing on different ends of it, ranging from build time to runtime protection. However, runtime browser based protections usually lack a major component in their solutions, one that mostly leaves such solutions completely vulnerable, almost as if they were never there. Realms (aka iframes in the browser) is an ancient and legitimate concept that goes through a horrific spinoff in the context of bypassing browser based supply chain security attempts. And the worst part is that carrying out attacks is so easy with realms, but defending realms is so complicated. It's time to dive into the so important yet ignored layer in securing against unwanted code execution - it's time to talk about the JavaScript realms blank spot and its offensive/defensive security aspects. In this talk we'll understand what realms are, why they are so easily abused to bypass protections, why they are such an important and unregarded layer to secure and we'll also introduce SnowJS - the most advanced open source software for securing JavaScript realms.
