We trust that the web application code executed inside the browser is exactly the code that was sent by our application servers, but that is often not the case. The reality is that current WebApps are very susceptible to client-side injections and tampering. This can be performed by malicious extensions, Man-in-the-Browser trojans, or any kind of injection attack (e.g. reflected XSS).

These attacks are very concerning not only because they change the behavior of the webpage right on the website that the user trusts, but can also be used to leak sensitive information that the webpage has access to. All of this, without the web application owner knowing anything about it.

In this talk, based in our work, we demo a new set of techniques that can be used to monitor a webpage for malicious modifications (DOM-tampering, code injection, event-hijacking, code poisoning, etc) and how to remove them in real-time. The techniques are a combination of recent browser features (such as Mutation Observers) and integrity checks from tamper-resistant JavaScript code running in the webpage.

Pedro Fortuna (Co-Founder and CTO at Jscrambler)
Pedro Fortuna is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade of experience researching and working in the application security area. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences but also contributes on web development events. His research interests lie in the fields of Application Security, Reverse Engineering and Malware and Software Engineering. Author of several patents in application security.