By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
WordPressNews.orgWordPressNews.org
Aa
  • Home
  • Security
  • Themes
  • Plugins
  • CDN
  • Hosting
  • WooCommerce
  • SEO
Reading: Making Page Shield malicious code alerts more actionable
WordPressNews.orgWordPressNews.org
Aa
  • Bussiness
  • The Escapist
  • Entertainment
  • Science
  • Technology
  • Insider
Search
  • Home
  • Security
  • Themes
  • Plugins
  • CDN
  • Hosting
  • WooCommerce
  • SEO
Have an existing account? Sign In
Follow US
© Foxiz News Network. Ruby Design Company. All Rights Reserved.
Making Page Shield malicious code alerts more actionable
CDN

Making Page Shield malicious code alerts more actionable

Last updated: 2022/07/18 at 12:37 AM
By Info Feed 8 Min Read
Share
SHARE
Making Page Shield malicious code alerts more actionable

Making Page Shield malicious code alerts more actionable

Last year during CIO week, we announced Page Shield in general availability. Today, we talk about improvements we’ve made to help Page Shield users focus on the highest impact scripts and get more value out of the product. In this post we go over improvements to script status, metadata and categorization.

Contents
What is Page Shield?Script statusScript metadata in alertsWhat’s next?

What is Page Shield?

Page Shield protects website owners and visitors against malicious 3rd party JavaScript. JavaScript can be leveraged in a number of malicious ways: browser-side crypto mining, data exfiltration and malware injection to mention a few.

For example a single hijacked JavaScript can expose millions of user’s credit card details across a range of websites to a malicious actor. The bad actor would scrape details by leveraging a compromised JavaScript library, skimming inputs to a form and exfiltrating this to a 3rd party endpoint under their control.

Today Page Shield partially relies on Content Security Policies (CSP), a browser native framework that can be used to control and gain visibility of which scripts are allowed to load on pages (while also reporting on any violations). We use these violation reports to provide detailed information in the Cloudflare dashboard regarding scripts being loaded by end-user browsers.

More Read

Thank you, 1 million bunnies!
Thank you, 1 million bunnies!
Cloudflare Support Portal gets an overhaul
Crawler Hints supports Microsoft’s IndexNow in helping users find new content

Page Shield users, via the dashboard, can see which scripts are active on their website and on which pages. Users can be alerted in case a script performs malicious activity, and monitor code changes of the script.

Script status

To help identify malicious scripts, and make it easier to take action on live threats, we have introduced a status field.

When going to the Page Shield dashboard, the customer will now only see scripts with a status of active. Active scripts are those that were seen in the last seven days and didn’t get served through the “cdn-cgi” endpoint (which is managed by Cloudflare).

We also introduced other statuses:

  • infrequent scripts are scripts that have only been seen in a negligible amount of CSP reports over a period of time. They normally indicate a single user’s browser using a compromised browser extension. The goal of this status is to reduce noise caused by browser plugins that inject their JavaScript in the HTML.
  • inactive scripts are those that have not been reported for seven days and therefore have likely since been removed or replaced.
  • cdn-cgi are scripts served from the ‘/cdn-cgi/’ endpoint which is managed by Cloudflare. These scripts are related to Cloudflare products like our analytics or Bot Management features. Cloudflare closely monitors these scripts, they are fairly static, so they shouldn’t require close monitoring by a customer and therefore are hidden by default unless our detections find anything suspicious.

If the customer wishes to see the full list of scripts including the non-active scripts they can still do so by clicking ‘All scripts’.

Making Page Shield malicious code alerts more actionable

Script metadata in alerts

Customers that opt into the enterprise add-on version of Page Shield can also choose to set up notifications for malicious scripts. In the previous version, we offered the script URL, first seen on and last seen on data. These alerts have been revamped to improve the experience for security analysts. Our goal is to provide all data a security analyst would manually look-up in order to validate a script. With this update we’ve made a significant step in that direction through using insights delivered by Cloudflare Radar.

At the top of the email alert you will now find where the script was seen along with other information regarding when the script was seen and the full URL (not clickable for security purposes).

As part of the enterprise add-on version of Page Shield we review the scripts through a custom machine learning classifier and a range of domain and URL threat feeds. A very common question with any machine learning scoring system is “why did it score the way it scored”. Because of this, the machine learning score generated by our system has now been split up to show the components that made up the score; currently: obfuscation and data exfiltration values. This should help to improve the ability for a customer to review a script in case of a false positive.

Threat feeds can be very helpful in detecting new attack styles that our classifier hasn’t been trained for yet. Some of these feeds offer us a range of categories of malicious endpoints such as ‘malware’, ‘spyware’ or ‘phishing’. Our enterprise add-on customers will now be able to see the categorization in our alerts (as shown above) and on the dashboard. The goal is to provide more context on why a script is considered malicious.

We also now provide information on script changes along with the “malicious code score” for each version.

Making Page Shield malicious code alerts more actionable

Right below the most essential information we have added WHOIS information on the party domain that is providing the script. In some cases the registrar may hide relevant information such as the organization’s name, however, information on the date of registration and expiration can be very useful in detecting unexpected changes in ownership. For example, we often see malicious scripts being hosted under newly registered domains.

Making Page Shield malicious code alerts more actionable

We also now offer details regarding the SSL certificates issued for this domain through certificate transparency monitoring. This can be useful in detecting a potential take over. For example, if a 3rd party script endpoint usually uses a Digicert certificate, but recently a Let’s Encrypt certificate has been issued this could be an indicator that another party is trying to take over the domain.

Making Page Shield malicious code alerts more actionable

Last but not least, we have improved our dashboard link to take users directly to the specific script details page provided by the Page Shield UI.

What’s next?

There are many ways to perform malicious activity through JavaScript. Because of this it is important that we build attack type specific detection mechanisms as well as overarching tools that will help detect anomalies. We are currently building a new component purpose built to look for signs of malicious intent in data endpoints by leveraging the connect-src CSP directive. The goal is to improve the accuracy of our Magecart-style attack detection.

We are also working on providing the ability to generate CSP policies directly through Page Shield making it easy to perform positive blocking and maintain rules over time.

Another feature we are working on is offering the ability to block scripts from accessing a user’s webcam, microphone or location through a single click.

More about this in future blog posts. Many more features to come!

You Might Also Like

Thank you, 1 million bunnies!

Cloudflare Support Portal gets an overhaul

Crawler Hints supports Microsoft’s IndexNow in helping users find new content

Share this Article
Facebook Twitter Email Copy Link Print
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Follow US

Find US on Social Medias
Facebook Like
Twitter Follow
Youtube Subscribe
Telegram Follow

Weekly Newsletter

Subscribe to our newsletter to get our newest articles instantly!

[mc4wp_form]
- Advertisement -
Ad image

Popular News

WP Engine Unveils New Limerick Office Hub for Support & Engineering

By Info Feed August 11, 2022
Get The Latest Resto Skin With a 30% Discount
Google announces 4 new features for Discovery ad users
New Artist Skin & 30% OFF
3 Best Voice Search Plugins for WordPress
Global Coronavirus Cases

Confirmed

594.18M

Death

6.45M

More Information:Covid-19 Statistics

More Popular from Foxiz

Security

The Cybersecurity CIA Triad: What You Need to Know as a WordPress Site Owner

By Info Feed 17 Min Read

Cross-Site Scripting Vulnerability In Download Manager Plugin

By Info Feed

8 UX Design Tips: How to Balance Visual Aesthetic and User Experience in Web Design

By Info Feed 0 Min Read
- Advertisement -
Ad image
Security

Top Five Attacking IPs This Month: Their Locations May Not Be Where You Think

At Wordfence, we see large amounts of threat actor data, and often that data tells unexpected…

By Info Feed
Security

Top Five Attacking IPs This Month: Their Locations May Not Be Where You Think

At Wordfence, we see large amounts of threat actor data, and often that data tells unexpected…

By Info Feed
Security

Cross-Site Scripting Vulnerability In Download Manager Plugin

On May 30, 2022, Security Researcher Rafie Muhammad reported a reflected Cross-Site Scripting (XSS) vulnerability to…

By Info Feed
Security

The Cybersecurity CIA Triad: What You Need to Know as a WordPress Site Owner

One of the core concepts of cybersecurity is known as the CIA Triad. There are three…

By Info Feed
Security

Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes

On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a…

By Info Feed
wordpressnews-logo-120-60

#1 Spot for Wordpress News and Tools

Categories

  • Home
  • Security
  • Themes
  • Plugins
  • CDN
  • Hosting
  • WooCommerce
  • SEO

Quick Links

  • Under Construction

© WordPressNews.org All Rights Reserved.

Removed from reading list

Undo
Welcome Back!

Sign in to your account

Lost your password?