Sub-resource integrity is a security feature that allows a developer to ensure that resources hosted on 3rd party services like CDN (Content Delivery Networks) are delivered to the application without any modification. The sub-resource integrity helps to load content faster as different resources like scripts and stylesheets are hosted in CDN. The SRI achieves this goal by comparing the hash value of resources present in the web server and the resources in third-party services. If the CDN gets hacked by an attacker, the SRI protects the application from attacker’s malicious move to attack the application using cross-site scripting. Example
<script src="https://example.beaglesecurity.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
The above code tells the browser to check https://example.beaglesecurity.com/example-framework.js with the hash value. Same hash value proves that the values have not been changed.
Impact
An attacker can gain access to Content Delivery Networks and cause huge damage to the application. If the attacker is one of the persons who had developed one of the CDN used by the application. He can gain access to your system by tweaking the content from CDN.
Mitigation / Precaution
Beagle recommends the following fixes:-
- Make sure to implement Subresource Integrity
