websecurity November 2007 archive

Re: [WEB SECURITY] risks of hosting js files on CDN?

From: Daniel Papasian <daniel_at_nospam>
Date: Sun Nov 25 2007 - 12:46:23 GMT
To: joe@cyberlocksmith.com


Joe White wrote:
> in terms of best practices, isn't it fair to say that offloading js
> files to a CDN is a bad idea?

Well, I'm not sure that there are any specific risks to hosting JavaScript at a CDN that don't apply to third-party JavaScript in general - but I suppose with Akamai you could attempt some sort of cache poisoning if you compromise Akamai's DNS, but from what I know about Akamai it's probably much easier to compromise the victim's DNS and change how Akamai resolves.

But, it's definitely a good idea, from a performance point of view, to serve your JavaScript via a lightweight static content delivery system, and not, say, Apache with mod_perl or mod_php (or, depending on your application, to inline the JS). But if you do so, which I think you should, you are in fact adding another attack vector - so choose your CDN or static content host wisely!

At my job we had a manager (he's gone now) who was very gung-ho about adding third-party JavaScript to our site, but in part due to security concerns most of it has since been removed - the significant exception being Google Analytics, which tends to be on every page.

Clearly if you can get a bunch of computers to resolve www.google-analytics.com to a site under your control, via DNS spoofing or a hosts file manipulation, you've just gained quite a bit of power without having to work too hard to keep the victims from noticing (excepting in cases where the JavaScript is fetched via SSL).

So while my opinion is that 3rd-party JS adds another attack vector and therefore should be avoided, if the third party is a domain under your control or specific to your site, then the added risk is close to negligible. Google Analytics could be scary because compromising it would open up dozens of domains to XSS attacks, but your CDN or static content site being compromised or spoofed is probably no more likely than an active MITM.

Daniel Papasian
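
As an added example (not part of the original post): a Python audit that inventories the external scripts a page loads and marks which come from hosts outside your control and which are fetched without SSL, the two properties the message weighs. The function name, the `controlled_hosts` parameter and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag (inline scripts are skipped)."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src)

def audit_scripts(page_url, html, controlled_hosts=()):
    """Classify each external script by who serves it and how it is fetched.

    controlled_hosts (hypothetical parameter): hosts you operate yourself,
    such as a static-content domain specific to your site.
    """
    trusted = {urlsplit(page_url).hostname} | {h.lower() for h in controlled_hosts}
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # urljoin resolves relative paths and protocol-relative //host/ URLs
        url = urlsplit(urljoin(page_url, src))
        if url.scheme not in ("http", "https"):
            continue
        findings.append({
            "url": url.geturl(),
            "third_party": url.hostname not in trusted,
            # A plain-HTTP fetch has no protection against a spoofed DNS
            # answer or a modified hosts file; an SSL fetch does.
            "plain_http": url.scheme == "http",
        })
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="http://static.example.net/lib.js"></script>
<script src="http://www.google-analytics.com/tracker.js"></script>
<script src="https://widgets.example.org/w.js"></script>
<script>var inline = 1;</script>
</head></html>"""

if __name__ == "__main__":
    for f in audit_scripts("https://www.example.com/", SAMPLE_HTML, ["static.example.net"]):
        print(f)
```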


