Sub resource Integrity (SRI) not implemented but all external scripts are loaded securely

By
Febna V M
Published on
19 Apr 2022
1 min read
Vulnerability
metadata

Sub-resource integrity is a security feature that allows a developer to ensure that resources hosted on 3rd party services like CDN (Content Delivery Networks) are delivered to the application without any modification. The sub-resource integrity helps to load content faster as different resources like scripts and stylesheets are hosted in CDN. The SRI achieves this goal by comparing the hash value of resources present in the web server and the resources in third-party services. If the CDN gets hacked by an attacker, the SRI protects the application from attacker’s malicious move to attack the application using cross-site scripting. Example

                <script src="https://example.beaglesecurity.com/example-framework.js"
                        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
                        crossorigin="anonymous"></script>

        

The above code tells the browser to check https://example.beaglesecurity.com/example-framework.js with the hash value. Same hash value proves that the values have not been changed.

Impact

An attacker can gain access to Content Delivery Networks and cause huge damage to the application. If the attacker is one of the persons who had developed one of the CDN used by the application. He can gain access to your system by tweaking the content from CDN.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Make sure to implement Subresource Integrity
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Febna V M
Febna V M
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment