WhosON with SRI

Brian.Dukes (New User)
Joined: 03 May 2019
Location: Portsmouth
Posted: 03 May 2019 at 8:39am
At a recent penetration test scan, it was reported that 'external script not using integrity'.

Description:
The remote host may be vulnerable to payment entry data exfiltration due to JavaScript included from potentially untrusted and unverified third-party script src.
If the host is controlled by a 3rd party, ensure that the 3rd party is PCI DSS compliant.

https://{whosonserver}/include.js?domain=https://yourhost.com

I'm looking at using SRI (Subresource Integrity) via https://www.srihash.org/; however, when trying to generate a hash, I get the following issue: "Error: this resource is not eligible for integrity checks. See https://enable-cors.org/server.html"

How is it therefore possible to resolve this penetration test issue? Are we able to apply SRI at all?
Liam (Admin Group)
Joined: 29 Jun 2011
Location: Stoke-on-Trent
Posted: 03 May 2019 at 9:14am
Hi Brian

I think the reason why the SRI hash isn't working is because the include file is dynamically generated on request.
What you could do is browse to https://{whosonserver}/include.js?domain=https://yourhost.com
Then save the content to a JS file of your own and host that on your own web server or CDN (and reference that in the WhosOn tracking code instead); then you should be able to validate the integrity of your hard copy.
This will work, although you will need to be sure to update the hard copy version of the file every time you update the WhosOn server application.
In addition, be sure to do this for each of the sites that you have configured within WhosOn, as each one will generate its own version of include.js.

I hope that this helps.
Brian.Dukes (New User)
Posted: 07 May 2019 at 8:06am
Thank you Liam
Brian.Dukes (New User)
Posted: 07 May 2019 at 8:20am
Actually @Liam - I wasn't involved in the original implementation of WhosOn, so this is possibly a newbie question -- you say 'and reference that in the WhosOn tracking code instead' - this is the only bit of code I can see on our site:

        <div id="chat-link-container">
            <!-- Embedded WhosOn: Insert the script below at the point on your page where you want the Click To Chat link to appear -->
            <script type='text/javascript' src='https://{whosonserver}/include.js?domain=yourhost.com'></script>
            <script type='text/javascript'>
                if (typeof sWOTrackPage == 'function') sWOTrackPage();
            </script>
            <!-- End of embedded WhosOn -->
        </div>

Where is the tracking code that you refer to?
benjamin wilshaw (Admin Group, Technical Support)
Joined: 29 Jun 2017
Location: Stoke-on-Trent
Posted: 08 May 2019 at 3:20am
Hi Brian,

Yes, this would be the tracking code my colleague Liam referred to. So if you open the URL:

https://{whosonserver}/include.js?domain=yourhost.com

in a web browser, this will generate the dynamically generated include.js he mentioned, so that you could host it on another web server or CDN by simply changing the URL in the tracking code to point to the new include.js location.

Kind Regards,
Ben
Technical Support
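The procedure Liam and Ben describe (fetch the generated include.js, host a fixed copy yourself, hash it, and re-pin it whenever the WhosOn server changes), carried through as an added example. This is not code from the thread or from WhosOn's own tooling. It assumes the thread's placeholder URLs (`{whosonserver}`, `yourhost.com`), a hypothetical hosting path for the pinned copy, and that `curl` and `openssl` (or `sha384sum` and `xxd`) are installed; the stand-in include.js content used by `demo` is constructed here, not real WhosOn output.

```shell
#!/bin/sh
# Added example, not WhosOn's own tooling: pin a self-hosted copy of the
# dynamically generated include.js with Subresource Integrity (SRI), emit the
# replacement <script> tag, and detect when the upstream copy has changed so
# the hash can be regenerated (the caveat raised in the thread).
set -eu

# Assumed values: replace with your own WhosOn server, tracked domain and the
# URL you will serve the pinned copy from (hypothetical path).
WHOSON_URL="https://{whosonserver}/include.js?domain=yourhost.com"
PINNED_FILE="whoson-include.js"
PINNED_URL="https://yourhost.com/js/whoson-include.js"

# sri_hash FILE: print "sha384-<base64 digest>", the value the integrity
# attribute expects. Uses openssl when present, otherwise coreutils + xxd.
sri_hash() {
  if command -v openssl >/dev/null 2>&1; then
    digest=$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)
  else
    digest=$(sha384sum "$1" | cut -d' ' -f1 | xxd -r -p | base64 | tr -d '\n')
  fi
  printf 'sha384-%s' "$digest"
}

# script_tag FILE URL: print the tag that replaces the original
# <script src='https://{whosonserver}/include.js?domain=...'> line.
# crossorigin="anonymous" is required whenever URL is on a different origin
# (for example a CDN); that origin must then answer with
# Access-Control-Allow-Origin, or the browser will not apply the check.
script_tag() {
  printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
    "$2" "$(sri_hash "$1")"
}

# fetch_upstream URL OUT: download the generated include.js (network access).
fetch_upstream() {
  curl -fsSL "$1" -o "$2"
}

# check_drift FILE URL: return 0 when the upstream include.js is still
# byte-identical to the pinned copy, 1 when it has changed (e.g. after a
# WhosOn server update). Run it from a scheduled job, once per configured site.
check_drift() {
  tmp=$(mktemp)
  fetch_upstream "$2" "$tmp"
  if cmp -s "$1" "$tmp"; then
    rm -f "$tmp"
    echo "unchanged: $1 still matches $2"
    return 0
  fi
  echo "CHANGED: $2 no longer matches $1; re-pin and republish the integrity hash" >&2
  rm -f "$tmp"
  return 1
}

# Offline demonstration: a constructed stand-in for the generated include.js
# (not real WhosOn output) so the script prints a tag without network access.
demo() {
  sample=$(mktemp)
  printf '// constructed stand-in for include.js\nfunction sWOTrackPage(){}\n' > "$sample"
  script_tag "$sample" "$PINNED_URL"
  rm -f "$sample"
}
demo

# Typical use against the real server (network required, so not run here):
#   fetch_upstream "$WHOSON_URL" "$PINNED_FILE"
#   script_tag "$PINNED_FILE" "$PINNED_URL"
#   check_drift "$PINNED_FILE" "$WHOSON_URL"
```

Two points worth knowing before relying on this. The "not eligible for integrity checks" message from srihash.org links to enable-cors.org because a browser only enforces an integrity attribute on a cross-origin script that it fetched in CORS mode; a server that sends no Access-Control-Allow-Origin header cannot be SRI-pinned from another origin, which is the same constraint that applies to a CDN copy. Serving the pinned copy from the page's own origin avoids the CORS requirement entirely. Second, SRI guarantees only that the bytes named in the tag are the bytes that run; anything that script itself fetches at run time is outside the check, so the pinned copy should be reviewed when it is refreshed, not just re-hashed.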