
How I got XSS’d by my ad network - rubikscube
http://www.troyhunt.com/2015/07/how-i-got-xssd-by-my-ad-network.html
======
proactivesvcs
"When you allow third parties to run script on your site, you’re entirely
beholden to them; they can run anything they like in the context of your site"

I've seen a fair few Internet banking web sites pulling scripts from over a
dozen third parties, mostly for tracking and advertising, but even for trivial
things like social media. On their customer login pages. It's beyond me how
they can consider this to be an acceptable risk.

~~~
leni536
I wonder how many websites' users would be compromised if code.jquery.com got
hacked.

~~~
nly
I've been saying this for years. It's not even just security: you're also
potentially leaking all your visitor stats to a third party (IP, user agent,
the pages they visit (via the Referer)), and effectively giving jquery.com a
third party supercookie over thousands of domains.

I surf with third party cookies and referers (via RefControl) disabled, and
these should be the defaults.

~~~
danielweber
I've been called an idiot (even here on HN) for being paranoid about loading
scripts from all over the web. I think it's a losing battle and my side is
going the way of the dinosaurs.

~~~
bsilvereagle
As tools like uBlock and uMatrix get widespread adoption more and more people
are realizing how much extraneous junk is being loaded by webpages. I think
your side is slowly but surely gaining followers.

~~~
jdmichal
I use uMatrix, and I have already whitelisted loading scripts from common CDNs
as global rules. They're everywhere and I found myself just constantly
whitelisting them anyway.

The trend for a long time was to cite using a CDN as a best practice, but no
one ever calls out the downsides when making such statements. In this case,
you lose control of the code and allow third-party access to your users'
browsers.

~~~
nly
To be fair, it has some positives: like said CDN being able to patch
somelib.js to fix a security issue and thereby protect thousands of sites at
once.

At the moment though, proposed solutions to trusting third parties with your
Javascript, like the W3C proposal to put cryptographic hashes into your
<script> tags etc., don't even consider these potential positives. So we're
likely going to end up with the worst of both worlds.

If anything this is just another facet of the weakness of the web as an app
platform (Real solution: all sites serving client side libs should use package
management, scripts should be digitally signed by the authors). As it stands
it's far too common for people to just unzip WordPress or whatever into their
docroot, and so server-side code doesn't even get updated, let alone
client-side code.

------
nicboobees
If you're going to put adverts on your site, always put them within an iframe,
pointed at a separate "adverts" only domain. This will ensure they can't
execute javascript within your own website context.

~~~
waffle_ss
Unfortunately it looks like you aren't supposed to do that with Google
AdSense:
[https://support.google.com/adsense/answer/3394713](https://support.google.com/adsense/answer/3394713)

> _Is it violating program policy if I place ads on iframe webpages in my
> software?_

> _Yes, it does violate our policies. Firstly, you’re not allowed to place ads
> in a frame within another page. Exceptions to our policies are permitted
> only with authorization from Google for the valid use of iframes. Secondly,
> you’re not allowed to put ads in your software, e.g., if you control both a
> website with ads and an app that loads that website, we will take action
> against it._

~~~
nicboobees
Yeah adsense is amongst the most restrictive products out there, and the one
without any support etc. Wouldn't recommend it.

Talking of which, where are the startups challenging adsense's dominance?

------
jon-wood
The throwaway comment on how ad networks are a cesspit at the end of that
article really spoke to me - if it weren't for the abundance of "Recommended
Stories" and "From elsewhere on the web" crap selling weight loss pills and
clickbait I'd be far less inclined to run with an ad blocker.

The fact that these ads disguise themselves as content that the site owner is
recommending is particularly insidious, since it will likely encourage people
to click through thinking that they can trust the content.

------
myfonj
In retrospect it seems he could have saved himself a Fiddler session if he
just opened console debugger in browser and used
`?"-(function(){debugger}())-"` in URL instead of `?"-prompt()-"`. (I would
not have guessed this either, but may come handy next time.)

~~~
pavel_lishin
Well, that's handy.

------
cm2187
This is why browsers should have an option "Block third party javascript"
similar to "Block third party cookies".

With http2, relevant javascript files will be increasingly hosted on the same
domain anyway and that option would become increasingly relevant.

~~~
micro-ram
Blocking third party JS does not help me offload the libraries to a CDN (ex.
cdnjs.com) to save server bandwidth.

~~~
jerf
It's 2015, though, not 1996. If you seriously can't afford to send your
visitor a few-dozen-kilobyte file once in a blue moon (because you _do_ have
far-future expire dates, right?), you've got bigger problems than CDN'ing your
jQuery is going to solve.

If you're serving megabytes of JS such that that is enough to matter... no,
it's still true, if that's not sustainable you've got bigger problems than a
CDN is going to solve. Even on _very_ JS-heavy sites, the amount of your
bandwidth taken up by JS shouldn't be that large on a properly-configured
site. (Yes, I can construct some rare exceptions... you've got a demo site for
WebGL and your average viewer hits you once with no cache, grabs megabytes of
JS and textures, then moves on never to return. But they are _rare_, even if
you can construct them in your head.)

------
teh_klev
I've resisted using an ad-blocker for years because I'm happy for the sites I
visit daily to earn revenue that way, and for many it's the only way they can.
I limited myself to running Privacy badger and blocking Facebook/Twitter
tracking cookies, that kinda thing.

But this is the straw that's broken my camel's back and it spoils things for
those of us who don't mind a few ads here and there. uBlock now installed, sod
the ad networks.

~~~
danielweber
Wouldn't it be better to disable third-party scripts?

~~~
pwenzel
In this particular case, Ghostery would be suitable over uBlock.

(I run both)

------
mrweasel
Whenever I talk to people who work for ad networks or similar companies, I'm,
without fail, impressed by how little technical knowledge they possess. If you
work for a company that sells internet services, you should at least have some
basic understanding of how the internet works.

------
0x0
What a shame he didn't actually pull the plug on the ad network :(

------
pki
As far as I can tell, adsafeprotected isn't actually for your or your
visitors' protection, but for the advertisers (it seems to run a huge gob of
incredibly slow scripts to "ensure" visibility, that there is actually an
eyeball on the ad and that it's not hidden or collapsed or something).

------
mahouse
What alternatives are there anyway?

I wonder what could be done to serve 3rd-party ads, making sure they can't
hinder the experience of the users of the webpage.

Is this just laziness from those ad networks, or do we currently have the
tools to counter this?

------
andersonmvd
That's called Malvertising :P

