What your login success rate says about your threat surface

One of the problems with imitation attacks such as sophisticated credential stuffing is that they are designed to blend in with legitimate traffic. How can you measure something that you can’t detect? Fear-mongering marketing compounds this problem and makes everything sound like a snake-oil solution for a problem people don’t ... Read More

ES2019 features coming to JavaScript (starring us!)

Browsers, Shape Engineering
Shape Security has been contributing actively to TC39 and other standards bodies for the past 4 years but this year is special for us. A significant portion of the features coming to JavaScript as part of the 2019 update are from Shape Security engineers! Shape contributes to standards bodies to ... Read More
Reverse Engineering JS by example

Security Trends
In November, the npm package event-stream was exploited via a malicious dependency, flatmap-stream. The whole ordeal was written up here and the focus of this post is to use it as a case study for reverse engineering JavaScript. The 3 payloads associated with flatmap-stream are simple enough ... Read More
Intercepting and Modifying responses with Chrome via the Devtools Protocol

Shape Engineering
At Shape we come across many sketchy pieces of JavaScript. As part of our everyday routine, we dive into them head first to understand what they’re doing and how. The scripts might be maliciously injected into pages, they might be sent by a customer for advice, or our security teams ... Read More