Launch HN: Enchanted Security, the virtual content security policy for websites
I'm excited to show you Enchanted Security (enchantedsecurity.com), a virtual content security policy for protecting websites!
There are various ways an attacker can get malicious JavaScript onto a website. Most everyone knows about XSS, but increasingly common is by compromising trusted scripts, either libraries you're using in your own code, code hosted on S3 without proper permissions, or third party scripts hosted by partner companies. You may be surprised by how easy this to a dedicated attacker - for example, many open source libraries on Github are not very well maintained. Once the attacker has JavaScript on your site, they can steal sensitive data like credit card numbers, passwords, crypto wallet keys, etc, sending it from the user's browser out to someplace they can access.
One popular type of malware, called Magecart, recently led to British Airways being hit with a record £183m fine for losing credit card numbers right off their checkout page.
There's something called a content security policy (CSP) header which websites are supposed to use to protect from various threats like these. However, it's really hard to set up and use properly. Companies are inadvertently breaking their site with it. And it can take many months or over a year to set up. Also, there are subtle holes in CSPs that a hacker can work around (e.g. if you whitelist Google Analytics, which most sites do, an attacker can create their own Google Analytics account, then use that for data exfiltration by sending data as custom events. This has actually been done in the wild by attackers. Enchanted Security can inspect payloads, so if you specify your site's Google Analytics tracking id, we can block all Google Analytics events to other tracking ids you don't control).
Enchanted Security adds some inline JavaScript to the <head> of your page that uses secure function interposition to interpose itself between the page code and browser functions (fetch, XMLHttpRequest, Image, etc). It then tracks these calls for backend processing and analysis. It also can block them if they appear malicious. Right now, we have a blacklist of known malicious domains, and we monitor for anomalies. We plan to use machine learning as well.
Is this something your company could use? If interested, get in touch through the contact form at https://enchantedsecurity.com/
1 comment
[ 4.4 ms ] story [ 13.5 ms ] thread