Subresource Integrity (SRI) implemented, but external scripts are loaded over http

By
Nash N Sulthan
Published on
19 Jun 2018
Vulnerability
SRI

Subresource Integrity (SRI) is a W3C recommendation to provide a method to protect website delivery. Sub resource Integrity (SRI) provides a mechanism to check integrity of the resource hosted by third parties interface plug-ins like Content Delivery Networks (CDNs) and verifies that the fetched resource has been delivered to the user without unexpected manipulation. This ensures these assets have not been compromised for hostile purposes. Subresource Integrity (SRI) implemented, but in this server the external scripts are loaded over HTTP.

Impact

An attacker can gain access to Content Delivery Networks and cause huge damage the application. If the attacker is one of the persons who had developed one of the CDN used by the application. He can gain access to your system by tweaking the content from CDN.

Mitigation / Precaution

  • It is recommended to implement Sub resource Integrity correctly.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment