Today’s websites integrate code and content from dozens of third-party service providers - user analytics, marketing tags, CDNs, third-party JavaScript libraries, and so on. A significant portion of this content comprises executable scripts with direct security impact on the website. Subresource Integrity (SRI) is a security standard that lets developers ensure that only trusted code runs in the user’s browser.
SRI is the only way to prevent client-side attacks, like Magecart, that take place through code injection.
SRI lets a web developer state, in the integrity attribute of a script or link element, a cryptographic hash of the resource the page expects to receive. When the browser fetches that resource, it hashes the bytes it actually received and compares them with the declared value; if the two do not match, the script is not allowed to execute. In other words, SRI and the integrity attribute guarantee that the resource you linked into a page cannot change silently: if it does change, the browser rejects it.
A sample application of SRI is illustrated below:
<script src="https://mywebsite.com/script-framework.js" integrity="sha384-rfDwQgCBLzy8djasXR7ctlA4dE1HaH7L/ast5es1KLAjJTl2pTxRja2zc2TaT7qX"
crossorigin="anonymous">
</script>
Here are two examples of real-world uses of Subresource Integrity (SRI):
Example 1 - Blocking unverified scripts from third-party sources
<script src="https://myanalytics.com/script-example.js" integrity="sha384-fjBcQcXzJxy8fdgcCY5uykM6+R9GqQ8K/uxy9rx7JVA2HLl1kCzTjo1cx2GwY8xH" crossorigin="anonymous"></script>
This instructs the browser to hash the script fetched from "https://myanalytics.com/script-example.js", compare the result with the expected hash given in the integrity attribute, and block execution if the two do not match.
Example 2 - Blocking unverified code from CDNs
<link rel="stylesheet" href="https://thirdparty.example.net/style.css"
integrity="sha384-+/B7jarsHayaftladNMhLPcqaGa3F/KRdSAQaACyJPaTGIbNPQRTae452CUgA2aC" crossorigin="anonymous">
This instructs the browser to apply the stylesheet from the CDN only if its hash matches the expected value, so that any malicious code inserted by compromising the CDN never reaches the website.
Automating SRI is possible with Tala's Web Application Runtime Protection (WARP)
There are two common challenges in implementing SRI hashes:
Step 1: Discover all first party and third party scripts running on your website through Tala’s patented App Analysis Engine.
Step 2: Discover security-relevant behaviors of every script running on your website - whether they are CORS enabled, dynamically loaded or have access to sensitive information on your website. This information identifies which scripts are hashable.
Step 3: Tala’s SRI automation enforces hashes for identified scripts within minutes. The user can enable/disable hashes for individual scripts, if desired.
Step 4: Tala’s continuous monitoring alerts you for all SRI violations detected on your web application, in real-time.
Control Risk. Manage Trust.
Tala provides real-time visibility into the scripts running on the web application and continuously monitors those scripts for changes. Implementing SRI manually can be administratively complex and time-consuming for security teams. In addition, since websites operate dynamically and are upgraded regularly, SRI hashes must be adjusted continuously, and errors in implementing SRI can end up breaking the website.
Tala completely automates the process of hash generation, implementation, alerting and incident management. Website attacks are prevented in real time, website performance is preserved and the need for costly and continuous administration, remediation or incident response is minimized.
Request a free website analysis to find out.
COPYRIGHT ©2021 TALA SECURITY, INC. ALL RIGHTS RESERVED