
Identifying Polyfill[.]io on Your Website: A Comprehensive Guide by Ravi Shankar

Original Post: How to detect Polyfill[.]io on a website | by RAVI SHANKAR | Jul, 2024

The author describes managing a platform hosting over 150 public websites and recounts dealing with the polyfill[.]io supply chain attack. Faced with the challenge of quickly assessing exposure, the author researched ways to scan the websites' source code without waiting for individual responses from site admins and developers. Polyfill[.]io is a JavaScript library that lets older browsers support modern functionality.

The author discovered OWASP ZAPit, a tool that scans a website's source code from the command line (CLI) and identifies the use of potentially harmful polyfill[.]io JavaScript libraries. Because ZAPit only scanned the homepage, the author explored OWASP's resources further and found the ZAP Baseline scan, which can scan all inner pages of a website.

To make the solution scale to numerous websites, the author identified a “mass-baseline.sh” script in OWASP's GitHub repository, which allows multiple website URLs to be processed in one run.

Finally, to proactively prevent future issues, the author integrated OWASP ZAP’s DAST tools into the CI/CD pipeline, ensuring that any use of polyfill[.]io libraries would be flagged during the development process.
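As an added example that is not part of the original post or of OWASP ZAP, the following Python check performs the core detection step described above: it parses a page's HTML and flags every script or preload that loads from polyfill[.]io or one of its subdomains. It matches on the URL's hostname rather than on a substring, so a local file that merely contains "polyfill.io" in its name is not reported; the sample HTML is constructed for illustration.

```python
"""Flag references to polyfill[.]io in HTML, as a lightweight check alongside a ZAP scan."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname to flag: the apex domain and any subdomain (e.g. cdn.polyfill.io).
SUSPECT_DOMAIN = "polyfill.io"

# Tag/attribute pairs that can load or preload a remote resource.
URL_ATTRS = {"script": ("src",), "link": ("href",), "iframe": ("src",)}


def is_suspect_url(url: str) -> bool:
    """True if the URL's host is polyfill.io or a subdomain of it.
    Scheme-relative URLs ('//cdn.polyfill.io/...') are resolved against https."""
    if url.startswith("//"):
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower()
    return host == SUSPECT_DOMAIN or host.endswith("." + SUSPECT_DOMAIN)


class PolyfillFinder(HTMLParser):
    """Collect (tag, url) pairs whose URL points at the suspect domain."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name in URL_ATTRS.get(tag, ()):
            for attr, value in attrs:
                if attr == name and value and is_suspect_url(value):
                    self.hits.append((tag, value))


def find_polyfill_refs(html: str) -> list:
    """Return every flagged (tag, url) pair found in the HTML, in document order."""
    parser = PolyfillFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page (not taken from any real site). The third script has
# "polyfill.io" only in its path on a different host and must not be flagged.
SAMPLE_HTML = """
<html><head>
<link rel="preload" as="script" href="//cdn.polyfill.io/v3/polyfill.min.js">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://example.com/static/polyfill.io.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, url in find_polyfill_refs(SAMPLE_HTML):
        print(f"[FLAG] <{tag}> loads {url}")
```

Feeding each site's fetched pages through `find_polyfill_refs` gives a quick first pass; the ZAP Baseline scan remains the crawler that reaches the inner pages.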
