Subresource Integrity
Philippe De Ryck
@PhilippeDeRyck
Who Uses Code Like This?
<script src="https://code.jquery.com/jquery-2.1.3.min.js"></script>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/
3.3.5/css/bootstrap.min.css" rel="stylesheet" >
https://blog.jquery.com/2014/01/14/jquerys-content-delivery-network-you-got-served/
Maybe It Also Puts You to Shame?
http://arstechnica.com/security/2015/06/us-army-website-defaced-by-syrian-electronic-army/
And If You Thought That Was Bad …
http://www.cbc.ca/news/trending/anonymous-rickrolls-isis-on-twitter-after-losing-cyber-war-1.3331934
And the Problem Is Much Worse …
https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/
But Not So Easy To Comprehend
https://xkcd.com/932/
Remote Content Inclusion Is Dangerous
§ You give third-party content full control over your context
§ Governed by the Same-Origin Policy of the browser: a script runs with the origin of the page that includes it, not the origin it was fetched from
§ No separation between your code and external code
§ Access to the same privileges, data, code …
§ External scripts can
§ Read and manipulate your DOM
§ Access JS APIs with the privileges granted to your origin
§ Send requests to your origin without limitations
§ Send requests to other origins on behalf of your origin
Large-scale Study of Remote JS Inclusions
“88.45% of the Alexa top 10,000 web
sites included at least one remote
JavaScript library”
(Nikiforakis et al., You Are What You Include, CCS 2012)
https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf
Subresource Integrity
§ Without SRI there is nothing you can do against these attacks
§ Either you trust the CDN completely, or you host the file yourself
§ Welcome Subresource Integrity (SRI)
§ W3C Candidate Recommendation since November 12, 2015
<script src="https://code.jquery.com/jquery-2.1.3.min.js"
integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3"
crossorigin="anonymous"></script>
Subresource Integrity
§ Allows you to specify a hash of an external resource
§ Using the integrity attribute on script or link (rel="stylesheet") tags
§ The browser fetches the file, hashes it and compares the result with the attribute
§ Refuses to execute or apply the file if the hash does not match
§ SRI supports the specification of multiple hashes
§ Only the digests of the strongest algorithm the browser supports are considered; if several digests use that algorithm, any one of them may match
<script src="myapplication.js"
integrity="sha256-… sha512-…">
</script>
<link href="myapp.css" rel="stylesheet" type="text/css"
integrity="sha384-… sha512-…" />
Unfortunately, SRI Enables Data Leakage
§ Without further restrictions, you could test guesses about the content of specific external resources
§ Requests come from the user’s browser, with credentials: an attacker page includes the resource once per guessed value, each with the hash of that guess, and watches which include loads without error
<script src="https://some-shop.com/accountbalance" integrity="…"></script>
{"balance": 1234.00} dPdFnnWdXY6eHXiK+3O/OSi3OeLFHlLch1qZ3iqD3MGNXck+Oz4LETv8lnsoNyFI
{"balance": 1235.00} RasWnvVTFAiT+6NeqIJFRDDDSklMaljV0FxUQysJqUB65TGm/lFqKJkrGif2wzYj
{"balance": 1236.00} uSCKm1yloPZ7VexjyLQ+sUvakZKycl3CsblGH/9XpGV09ymyf1nKAzU5tXTFH5oi
{"balance": 1237.00} 4SI2gcfIFhX2NRE5KPbeXR87PaiCSAan6PL2mxKWndBp8wvE2Dfcn7HenpNXD0oJ
SRI Prevents Data Leakage with CORS
§ Not needed for resources from your own origin
§ The browser allows your code access to these anyway
§ For cross-origin resources, the crossorigin attribute controls CORS behavior
§ anonymous: the request is sent without cookies; the server must answer with Access-Control-Allow-Origin
§ use-credentials: cookies are sent; the server must additionally answer with Access-Control-Allow-Credentials: true
§ Without a CORS-enabled response, the integrity check fails, so no hash comparison can leak anything
<script src="https://code.jquery.com/jquery-2.1.3.min.js"
integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3"
crossorigin="anonymous"></script>
Simple CORS Example
A page on www.example.com issues an XHR to load the user’s profile from www.websec.be:
  Request:  Origin: http://www.example.com
  Response: Access-Control-Allow-Origin: http://www.example.com
CORS Protects Legacy Servers by Design
The same XHR from www.example.com to www.websec.be:
  Request:  Origin: http://www.example.com
  Response: no CORS headers present, so the browser withholds the response from the page
Handling Credentials
§ Requests can be anonymous or authenticated
§ By default, credentials (cookies, HTTP authentication) are not sent on cross-origin requests
§ Can be enabled by setting the withCredentials flag on the XMLHttpRequest
§ When credentials are used, the server must acknowledge this
§ By sending the Access-Control-Allow-Credentials: true response header (a wildcard Access-Control-Allow-Origin is not accepted in that case)
§ Aim is to prevent illegitimate use of the user’s credentials
§ Not intended to protect the server from malicious requests: the request still reaches the server, CORS only governs whether the page may read the response
Simple CORS Example with Credentials
XHR from www.example.com to www.websec.be, carrying the user’s cookie:
  Request:  Origin: http://www.example.com
            Cookie: PHPSESSID=1a2b3c4d5e6f
  Response: Access-Control-Allow-Origin: http://www.example.com
            Access-Control-Allow-Credentials: true
var xhr = new XMLHttpRequest();
// Asynchronous request; synchronous XHR on the main thread is deprecated
xhr.open('GET', 'http://www.websec.be/profile', true);
// Attach cookies; the server must answer with Access-Control-Allow-Credentials: true
xhr.withCredentials = true;
xhr.onload = function () { console.log(xhr.responseText); };
xhr.onerror = function () { console.log('blocked by CORS or network error'); };
xhr.send();
Subresource Integrity with CORS
A page on www.example.com includes a script from www.websec.be with an integrity check:
  Request:  Origin: http://www.example.com
  Response: Access-Control-Allow-Origin: http://www.example.com
SRI Prevents Data Leakage with CORS
§ CORS protects legacy servers
§ CORS response headers need to be present
§ If they are missing, the resource will not be loaded
§ The only reason the load fails is the integrity check
§ Simply including the script without an integrity check would still work: the browser does not need to expose the response to execute it
<script src="https://code.jquery.com/jquery-2.1.3.min.js"
integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3"
crossorigin="anonymous"></script>
SRI Error Recovery
§ Failure to load a resource triggers an error event on the element
§ Clean way to load an alternative resource yourself
§ Last-resort recovery from an integrity error
§ Host a backup version of the script on your own server
§ Load it when the main version was not loaded
<script>
// The closing tag is escaped as <\/script>: a literal </script> inside this string
// would end the inline script element before the check runs
window.jQuery
|| document.write('<script src="/jquery.min.js"><\/script>');
</script>
Subresource Integrity in Practice
http://caniuse.com/#search=subres
Subresource Integrity in Practice
openssl dgst -sha384 -binary bootstrap.min.css | openssl enc -base64 -A
Prefix the output with "sha384-" to obtain the value for the integrity attribute
https://www.srihash.org/
Subresource Integrity in Practice
https://www.bootstrapcdn.com/
EmberJS and Subresource Integrity
§ ember-cli-sri enables SRI for your application files
§ Hashes are automatically added during the production build process
§ Included by default for a few months already
§ Assumes your application serves files from the same origin
§ Can be configured to use a different origin or domain (the CORS requirement then applies)
Conclusion
§ SRI gives you more control over what you include
§ Of course this only makes sense over an HTTPS channel
§ But you should be running everything over HTTPS anyway
§ If you host public libraries, enable CORS for them
§ This allows other people to use SRI for these files
§ If you build apps with external resources
§ Include an integrity attribute if CORS is supported
§ Bug the admins if CORS is not supported :)
About Me – Philippe De Ryck
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ Focus on (client-side) Web security
§ Responsible for the Web Security training program
§ Dissemination of knowledge and research results
§ Target audiences include industry and researchers
§ Main author of the Primer on Client-Side Web Security
§ 7 attacker models, broken down into 10 capabilities
§ 13 attacks and their countermeasures
§ Overview of security best practices
Subresource Integrity
Philippe De Ryck
philippe.deryck@cs.kuleuven.be
/in/philippederyck
https://distrinet.cs.kuleuven.be/events/websecurity/
@PhilippeDeRyck
