KEVIN GENNUSO

Magecart made the news in 2018 due to the huge number of e-commerce websites those groups were able to compromise. The various groups' methods were dissimilar, but their underlying goal was the same: stealing information submitted via web forms. This talk will focus on the risks of using third-party scripts on web sites and how to wrap protections around them. I'll do a high-level overview of Magecart and why they are able to do what they do. I'll then move into protecting against malicious scripts using Content Security Policy and Subresource Integrity. The talk will be relatively high-level, but there will be some technical discussion around JavaScript, HTTP headers, and browser hijacking.

Kevin is Sr. Infosec Architect at DICK'S Sporting Goods and a Pittsburgh native. Kevin has helped companies around the city secure their environments for over 20 years. Proud owner of a Black and Gold Badge and an FBI-issued Terrible Towel, he enjoys sharing knowledge at infosec conferences large and small.