Subresource Integrity (SRI) is not implemented, and external scripts are not loaded securely

By
Manieendar Mohan
Published on
19 Jun 2018
1 min read
Vulnerability
SRI

Subresource Integrity (SRI) provides a method to protect website delivery. It provides a mechanism to check the integrity of the resource hosted by third parties interface plug-ins. The plug-ins might include Content Delivery Networks (CDNs). This method verifies if the fetched resource has been delivered to the user without unexpected manipulation. This method ensures these assets have not been compromised for hostile purposes. SubResource Integrity cannot mitigate all risks in the application. A 3rd party javascript could access information from the end-users. Subresource integrity was introduced by scan and verify fetched files. An integrity value starts with at least one string. Each string contains a prefix that indicates hash algorithm. An integrity value may have multiple hashes, separated by whitespaces.

Example

The below code is an example of integrity string with base64-encoded sha384 hash.

        sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wq4JwY8wC

    

Impact

An attacker can gain access to Content Delivery Networks and cause huge damage to the application. If the attacker is one of the persons who had developed one of the CDN used by the application. He can gain access to your system by tweaking the content from CDN.

Mitigation / Precaution

Beagle recommends the following:-

  • Implement Sub resource integrity properly.
  • Load external URLs via HTTPS
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Manieendar Mohan
Manieendar Mohan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment