
Injection of malicious code into jQuery is increasing - lelf
http://blog.spiderlabs.com/2014/01/beware-bats-hide-in-your-jquery-.html
======
ben336
This piece doesn't seem to make any distinction between jQuery core and
jQuery plugins. If the lesson is "don't just stick random 3rd party scripts
onto your site" then that's obviously good advice. If it's "don't trust jQuery,
it might be dangerous", then I think they're just scaremongering.

~~~
wtracy
What seems to be happening is that someone's server gets compromised, and the
attacker uploads malicious JavaScript to attack the site's visitors. Of
course, a competent admin will reverse these changes as soon as they are
detected. So, attackers have started modifying _the copy of jQuery that's
already deployed on that server_ to insert malicious code, as the developer is
unlikely to notice or overwrite changes to that file.

So, the message is "don't trust _anything_ on your server if it might have
been compromised". :-)
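The defence that follows from this comment is to treat deployed script files as integrity-monitored artefacts: hash them at deploy time, store the baseline away from the web server, and compare on a schedule. The script below is an added example written for this thread, not code from the SpiderLabs post or the jQuery project; the webroot, file names and "attacker" edit are all constructed in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large minified bundles are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path, suffixes=(".js",)) -> dict:
    """Map each script under webroot (posix-relative path) to its hash at deploy time."""
    baseline = {}
    for candidate in sorted(webroot.rglob("*")):
        if candidate.is_file() and candidate.suffix in suffixes:
            baseline[candidate.relative_to(webroot).as_posix()] = sha256_of(candidate)
    return baseline


def audit(webroot: Path, baseline: dict, suffixes=(".js",)) -> dict:
    """Compare the live tree against the stored baseline.

    Returns three sorted lists: files whose content changed (the in-place
    jQuery edit the thread describes), files that appeared after deploy,
    and baseline files that are now gone.
    """
    current = build_baseline(webroot, suffixes)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Constructed scenario: deploy two scripts, snapshot, then tamper with jquery.min.js."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        # Stand-in for a minified jQuery copy (constructed, not the real library).
        (root / "js" / "jquery.min.js").write_text(
            "/* jquery stand-in */!function(a){a.fn={}}(window);"
        )
        (root / "js" / "app.js").write_text("console.log('app');")
        baseline = build_baseline(root)

        # Simulate the attack in the comment above: append to the deployed library
        # rather than dropping an obviously new file (constructed payload text).
        with (root / "js" / "jquery.min.js").open("a") as handle:
            handle.write("\n/* appended after deploy (constructed) */")
        # And one file that is new since the baseline was taken.
        (root / "js" / "dropper.js").write_text("/* new since deploy (constructed) */")

        return audit(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline only protects you if the attacker cannot rewrite it along with the files, so keep it off the web host (or at least read-only to the web server's user) and regenerate it as part of the deploy step, not by hand on the box. A modified entry for a vendored library that no deploy touched is exactly the signal the comment says developers otherwise miss.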

~~~
scottcanoni
And this would be a reason to use a trusted CDN location for serving your
jQuery library.

~~~
billyhoffman
Actually, these shared "JavaScript CDNs" actually slow down your site.

[http://zoompf.com/blog/2010/01/should-you-use-javascript-library-cdns](http://zoompf.com/blog/2010/01/should-you-use-javascript-library-cdns)
[http://statichtml.com/2011/google-ajax-libraries-caching.html](http://statichtml.com/2011/google-ajax-libraries-caching.html)

tl;dr: the URLs are too fragmented to get cache hits for commonly used shared
libraries, so you end up having to do a DNS lookup and download them over a
cold TCP/HTTP connection. This is slower than simply serving the 20-30KB of
data directly from your own site.

Update: even more recent stats from 2013. The HTML5 Boilerplate project
decided against shared JavaScript CDNs:
[https://github.com/h5bp/html5-boilerplate/pull/1327](https://github.com/h5bp/html5-boilerplate/pull/1327)

~~~
talklittle
_The HTML5 Boilerplate project decided against shared JavaScript CDNs:
[https://github.com/h5bp/html5-boilerplate/pull/1327](https://github.com/h5bp/html5-boilerplate/pull/1327)_

No. If you jump to the end of the long discussion, the last comment says:

_I'm sure there will be a similar discussion in the near future (especially
as things such as SPDY / HTTP 2.0 get more traction), but for the time being,
we'll stick with the CDN._

------
michaldudek
I don't think the author has a clue what they are writing about...

"In this case, speed and efficiency have higher priority than human
readability, therefore jQuery includes only essential features to keep the
code tight and focused by using minimal variable and function names, minimal
use of spaces, no comments, etc."

Someone mixing library purpose with minification process.

And I bet that all those infected scripts come from one infected website.
They're not out there in the wild spreading through all jQuery installations
and all jQuery plugins.

~~~
at-fates-hands
>>> And I bet that all those infected scripts come from one infected website.

Or one platform - Wordpress.

"Checkmarx, makers of an automated code review solution, recently looked at
the top 50 plugins for WordPress examining them for vulnerabilities. Their
analysis, published here, found 20% of the top 50 were vulnerable to the most
common web attacks. Even more frightening, 7 out of 10 of the leading
ecommerce plugins were vulnerable."

"To put this in perspective, this means that vulnerable plugins were
downloaded to install in websites about 8 million times!"

[http://www.networkworld.com/community/blog/7-10-leading-wordpress-plugins-are-vulnerable](http://www.networkworld.com/community/blog/7-10-leading-wordpress-plugins-are-vulnerable)

------
IgorPartola
I am confused. Is this saying that library authors are accepting pull requests
with malicious code, or that if you compromise a site, a good place to stick
your malicious code is into a jQuery plugin library?

------
eCa
That graph is _really_ bad.

"Infected jquery files, november: -26.6%"

~~~
cheald
I presume that's percentage change from August as a baseline.

(The title is still awful)

------
lettertomemphis
I do appreciate that this article points out that malicious attacks may come
from compromised jQuery files, but this is poorly written.

------
rwhitman
Are there any other more credible sources of reporting on this? Not only is
the article very vague and alarmist but it also ends with a call to action to
buy security audit software from the author's company, which makes me pretty
skeptical...

------
abimaelmartell
ehh??

