WhosON with SRI
Brian.Dukes (New User) | Joined: 03 May 2019 | Location: Portsmouth | Points: 6
Posted: 03 May 2019 at 8:39am
At a recent Penetration Test scan, it was reported that 'external script not using integrity'.

Description: The remote host may be vulnerable to payment entry data exfiltration due to JavaScript included from potentially untrusted and unverified third-party script src. If the host is controlled by a 3rd party, ensure that the 3rd party is PCI DSS compliant.

https://{whosonserver}/include.js?domain=https://yourhost.com

Looking at using SRI (Subresource Integrity) via https://www.srihash.org/; however, when trying to generate a hash, I get the following issue:

"Error: this resource is not eligible for integrity checks. See https://enable-cors.org/server.html"

How is it therefore possible to resolve this penetration test issue? Are we able to apply SRI at all?
Liam (Admin Group) | Joined: 29 Jun 2011 | Location: Stoke-on-Trent | Points: 266
Hi Brian,

I think the reason why the SRI hash isn't working is because the include file is dynamically generated on request.

What you could do is browse to https://{whosonserver}/include.js?domain=https://yourhost.com, then save the content to a JS file of your own and host that on your own web server or CDN (and reference that in the WhosOn tracking code instead). Then you should be able to validate the integrity of your hard copy.

This will work, although you will need to be sure to update the hard copy version of the file every time you update the WhosOn server application. In addition, be sure to do this for each of the sites that you have configured within WhosOn, as each one will generate its own version of the include.js.

I hope that this helps.
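The procedure Liam describes (fetch the generated include.js once, host the saved copy yourself, pin it with an SRI hash) as an added worked example; this is not WhosOn's own code and is not part of the original thread. It assumes curl and openssl are on PATH, and the WhosOn server URL and the hosting filename are placeholders. The srihash.org error in the first post is expected for the live URL: a browser only applies SRI to a cross-origin script if it is loaded with crossorigin="anonymous" and the serving origin answers with an Access-Control-Allow-Origin header, which the dynamic include.js does not; hosting the saved copy on the page's own origin avoids that requirement entirely.

```shell
#!/bin/sh
# Added example (not WhosOn's own code): pin a saved copy of include.js with SRI.
# Assumptions: curl and openssl on PATH; WHOSON_URL and LOCAL_COPY are placeholders.

set -eu

WHOSON_URL="https://{whosonserver}/include.js?domain=yourhost.com"   # placeholder
LOCAL_COPY="whoson-include.js"                                        # the copy you will host

# Step 1: fetch the dynamically generated include.js once (run manually, per configured site;
# not exercised offline). Repeat after every WhosOn server upgrade, then re-pin the hash.
fetch_include_js() {
    curl -fsSL "$WHOSON_URL" -o "$LOCAL_COPY"
}

# Step 2: the SRI value is "<alg>-" followed by base64(SHA-384(file contents)).
sri_hash() {
    printf 'sha384-%s' "$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)"
}

# Step 3: emit the <script> tag. crossorigin="anonymous" is required when the copy is served
# from a different origin than the page (e.g. a CDN); it can be dropped for a same-origin copy.
#   $1 = URL where the copy is hosted, $2 = local path of the copy to hash
sri_script_tag() {
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$1" "$(sri_hash "$2")"
}

# What the browser does at load time: recompute the digest of what it actually received and
# refuse to execute the script on mismatch. Returns 0 if $1 still matches the pinned value $2.
sri_verify() {
    [ "$(sri_hash "$1")" = "$2" ]
}

# Manual usage:
#   fetch_include_js && sri_script_tag "https://yourhost.com/js/whoson-include.js" "$LOCAL_COPY"
```

The tag replaces the src= line in the embedded WhosOn snippet; the second script block that calls sWOTrackPage() stays as it is. Because the pinned copy is a snapshot, the chat widget will silently stop loading (the browser blocks the script) if the hosted file is ever changed without updating the integrity value, so treat re-hashing as part of the WhosOn upgrade checklist.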
Brian.Dukes (New User) | Joined: 03 May 2019 | Location: Portsmouth | Points: 6
Thank you Liam
Brian.Dukes (New User) | Joined: 03 May 2019 | Location: Portsmouth | Points: 6
Actually @Liam - I wasn't involved in the original implementation of WhosOn, so possibly some newbie question here -- you say 'and reference that in the WhosOn tracking code instead' - this is the only bit of code I can see on our site:

    <div id="chat-link-container">
      <!-- Embedded WhosOn: Insert the script below at the point on your page where you want the Click To Chat link to appear -->
      <script type='text/javascript' src='https://{whosonserver}/include.js?domain=yourhost.com'></script>
      <script type='text/javascript'>
        if (typeof sWOTrackPage == 'function') sWOTrackPage();
      </script>
      <!-- End of embedded WhosOn -->
    </div>

Where is the tracking code that you refer to?
benjamin wilshaw (Admin Group, Technical Support) | Joined: 29 Jun 2017 | Location: Stoke-on-Trent | Points: 38
Hi Brian,

Yes, this would be the tracking code my colleague Liam referred to. So if you open the URL https://{whosonserver}/include.js?domain=yourhost.com in a web browser, this will generate the dynamically generated include.js he mentioned, so that you could host it on another web server or CDN by simply changing the URL in the tracking code to point to the new include.js location.

Kind Regards,
Ben