This free service allows software developers to scan websites for Subresource Integrity (SRI) hashes.
JavaScript and CSS stylesheet assets can be protected with cryptographic hashes to prevent tampering with these assets on their way to the website visitors.
SRI hashes can protect visitors from browser exploits, denial of service attacks, cookie stealing and other harmful actions.
Website developers tend to trust Content Delivery Networks (CDN) to host some of their website assets such as JavaScript and CSS. Third-party CDN services such as Google, jsdelivr or cdnjs, offer to host assets close to the website visitors.
The benefit of using CDNs to visitor experience is great. Providers host the assets from datacenters around the globe with good network connections. As a result, webpages load quicker into the visitors' browsers. Also, the uptime of a typical CDN is close to 100%.
However, there is a lot of trust involved here. JavaScript and CSS stylesheets can be abused to exploit browsers DDoS websites, and steal cookies from the visitors. Software developers assume these third-parties will never replace the hosted assets with something malicious. Unfortunately, this is not always the case.
The Great Firewall of China has injected extra code into JavaScript assets on Baidu's CDNs. The additional snippet was instructing the browser of unsuspecting website visitors to DDoS GitHub servers.
Another example is from 2014, where jQuery's CDN was compromised according to RiskIQ. Although jQuery did not confirm the unauthorized modification of the hosted library, the case highlights the problem with blind trust in these third-parties.
The solution to confirm the integrity of third-party assets with cryptographic hash named Subresource Integrity (SRI) hash. This hash format has been standardized by W3C and function similarly to the well-known MD5 or SHA hashes.
To protect third-party hosted assets is relatively straightforward. First, we need to generate the SRI hash of the asset. Then we append calculated SRI values to the asset tags like the following:
<script src=https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js
integrity="sha256-ImQvICV38LovIsvla2zykaCTdEh1Z801Y+DSop91wMU=
sha384-8gBf6Y4YYq7Jx97PIqmTwLPin4hxIzQw5aDmUg/DDhul9fFpbbLcLh3nTIIDJKhx
sha512-AFwxAkWdvxRd9qhYYp1qbeRZj6/iTNmJ2GFwcxsMOzwwTaRwz2a/2TX225Ebcj3whXte1WGQb38cXE5j7ZQw3g=="
crossorigin=anonymous></script>
When the website visitor's browser downloads the remote asset from the CDN, the browser will verify the hash listed in the tags.
If someone has tampered with the asset either at the CDN provider or along the way on the network, the browser will not execute the JavaScript or CSS stylesheet.
SRI is a great addition to website security. Malicious JavaScript and CSS code can be dangerous to website visitors. SRI hashes adds an additional layer of protection to the integrity of these assets, especially when they are hosted at CDNs.
The reason sritest.io was born is to foster the implementation of SRI. I encourage every website developer to consider adding SRI hashes to each supported asset.
I am a security consultant based in the United Kingdom.
I have experience with architectural design, policy- and risk management, and incident management. I have also been dealing with application security, vulnerability management, and event log management for a long time. I love to develop software in my free time.
Check out my blog for more interesting projects.