1. Introduction
The Script Src Integrity Check finding concerns external script resources that are loaded without integrity checking. JavaScript files fetched from third-party origins are executed by the browser without being verified, so anyone who can alter the file at its source or in transit can run code on your pages. It primarily affects web applications and content management systems (CMS) that embed third-party scripts. A successful exploit can lead to exfiltration of data entered on the page, such as payment card details, and more generally compromises the confidentiality, integrity and availability of whatever the page handles.
2. Technical Explanation
This vulnerability occurs when a web application includes JavaScript from an external origin without verifying its content. An attacker who compromises the third-party server, the CDN in front of it, or the network path used to deliver the script can replace legitimate code with malicious JavaScript, which then runs with the full privileges of your page in every visitor's browser (same DOM, same non-HttpOnly cookies, same form contents and session). Exploitation requires control over the third-party delivery mechanism, not over your own servers, which is why the issue is easy to overlook.
- Root cause: missing Subresource Integrity (SRI) `integrity` attribute on <script> tags that load cross-origin resources.
- Exploit mechanism: an attacker compromises a third-party JavaScript server (or an upstream package or CDN that feeds it) and injects malicious code into the served file. When a user's browser loads the script, it executes the compromised code. With SRI in place the browser hashes the fetched bytes, compares the result with the value in the `integrity` attribute, and refuses to execute the script if they differ.
- Scope: web applications using external JavaScript resources. Affected platforms include any web server or CMS that serves HTML containing <script> tags pointing at another origin.
3. Detection and Assessment
You can confirm this finding by checking the site's HTML for external <script> tags without an `integrity` attribute. A thorough method scans every page, including server-side templates and markup that is injected at runtime, for external scripts.
- Quick checks: inspect the HTML source of a page with your browser's developer tools and look for <script> tags whose `src` points at another origin and which lack an `integrity` attribute. A cross-origin tag that has `integrity` but no `crossorigin` attribute is also a problem: the browser cannot verify an opaque response and blocks the script instead.
- Scanning: the page names Nessus plugin ID 10843 as an example of a check for missing SRI attributes (example only); confirm the plugin ID against your scanner's own plugin catalog before relying on it.
- Logs and evidence: visitors' browsers fetch third-party scripts directly from the third-party host, so your own web server logs do not record those requests and cannot indicate the absence of SRI. Review application code repositories and templates for script tags instead.
grep -r '