Real-time third-party code injection

The risk associated with inclusion of externally-hosted code on websites and how to mitigate it

Teri Radichel
Cloud Security


I’ve noticed a trend, both on penetration tests and while browsing websites in general, that I find a bit concerning. Many websites are including code directly from third parties over the Internet in their webpages. Certain services require you to include code that reaches out and connects to a third-party service. For example, if you integrate your site with Google Analytics to track website visitor statistics, you will most likely integrate a snippet of JavaScript from Google to do that. When your webpage loads, it will reach out and send some data over to Google.
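To see which hosts a page pulls script from at load time, the following added example (not code from the original article) inventories the `<script src>` tags in a page's HTML and flags third-party sources, plaintext `http` loads, and tags without an `integrity` (Subresource Integrity) attribute. The page URL, hostnames and HTML are constructed sample data, and treating any hostname other than the page's own as third-party is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample input: hypothetical page URL and markup, not from the article.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://analytics.example.com/tag.js"></script>
<script src="//cdn.example.net/lib.min.js" integrity="sha384-PLACEHOLDER"></script>
<script src="http://widgets.example.org/chat.js"></script>
<script>console.log("inline");</script>
</head></html>"""

class ScriptInventory(HTMLParser):
    """Collect every <script src=...> tag and classify it against the page's host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script: nothing is fetched from another host
        # urljoin resolves relative paths and protocol-relative (//host/...) URLs
        parsed = urlparse(urljoin(self.page_url, src.strip()))
        self.scripts.append({
            "url": parsed.geturl(),
            "host": parsed.hostname,
            # Assumption: exact hostname match means first-party
            "third_party": parsed.hostname != self.page_host,
            "plaintext": parsed.scheme == "http",
            "pinned": bool(attrs.get("integrity")),
        })

def audit(page_url, html):
    """Return one record per externally loaded script in the given HTML."""
    inventory = ScriptInventory(page_url)
    inventory.feed(html)
    inventory.close()
    return inventory.scripts

def unpinned_third_party(scripts):
    """Hosts whose code runs in the page with no integrity hash pinning its content."""
    return sorted({s["host"] for s in scripts if s["third_party"] and not s["pinned"]})

if __name__ == "__main__":
    print(unpinned_third_party(audit(SAMPLE_URL, SAMPLE_HTML)))
```
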

It seems that in this age of cloud and APIs (Application Programming Interfaces), everything is connecting to everything. My question to you is this: How do you know that code you are downloading and including dynamically in your website is secure when you are downloading whatever is…


Teri Radichel
Cloud Security

CEO 2nd Sight Lab | Penetration Testing & Assessments | AWS Hero | Masters of Infosec & Software Engineering | GSE 240 etc | IANS | SANS Difference Makers Award