The Bad Guys Win - Analysis of Magecart Vulnerabilities

Explore an in-depth analysis of 10,000 Magecart vulnerabilities in this 37-minute Black Hat conference talk. Delve into the world of digital supply-chain attacks, examining how hackers compromise third-party Javascript code to steal information from web applications and websites. Gain insights into the extensive research conducted over two years, monitoring web vulnerabilities and methods to abuse third-party scripts while bypassing defense mechanisms. Discover the alarming statistics of vulnerable assets across various sectors, including governments and global enterprises. Learn about the "careful hacker" threat model, enterprise challenges, and anti-Magecart solutions. Uncover techniques used to bypass script monitoring and client-side solutions, as well as the exploitation of browser native mechanisms. Examine the Trusted-Source Injection (TSI) attack and scriptless Magecart attacks. Conclude with a summary of the ongoing battle between enterprises and hackers, and explore potential solutions to combat these sophisticated threats.