Verifying JS Integrity

Yesterday, a CDN was hacked and malicious JS was served to a number of domains. Most websites make use of CDNs to serve up JS so as to reduce page load time. How do we protect ourselves from such attacks?

I posed a similar question on Sec.SE some time back. Subresource Integrity is a new security feature that will save you. The code will not execute if there is a hash mismatch. Just don't use this on rolling releases that reuse the same URLs.

1
2
3
    <script src="https://example.com/example-framework.js"
    integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7"
    crossorigin="anonymous"></script>


Tags: Coding, Security

Similar Articles

Verifying JS Integrity - Yesterday, a CDN was hacked and malicious JS was served to a number of domains. Most websites make use of CDNs to serve up JS so as to reduce page load time. How do we protect ourselves from such ...
Web Development in Singapore - In light of the recent fiasco over the NDP website, I thought it would be apt for me to share my thoughts on how I believe web development in Singapore has ended up in this dismal state today. ...
Timestomping Programmatically - Timestomping is a favourite topic of red teamers and forensic analysts. They often speak about the tools and powershell commands that can be used to do timestomping. How do these tools work? In ...
Code runs on code - This semester has been a rather hectic one. There is this massive Java Enterprise project that lasts throughout the entire semester. In the midst of this project, our team encountered a rather ...