Why compromise just one website when you can compromise a whole bunch of them all at once?
Preparing Your Defenses
What can you do to protect your web applications from these types of attacks? Let's talk about two defense tactics: subresource integrity and threat intelligence.
Subresource Integrity (SRI)
SRI is supported by Chrome, Safari, Firefox, and Microsoft Edge today. You can also require that all script resources have an integrity attribute to be loaded using Content Security Policy (CSP). The following is an example of a CSP statement that requires a valid integrity attribute for all script tags.
Content-Security-Policy: require-sri-for script;
The Burp Suite Extension and Its Capabilities
You will need to obtain a chromedriver executable, which provides an interface between the Java Selenium library and a headless Google Chrome browser. You can obtain the correct files for your operating system at http://chromedriver.chromium.org/. Note the location of the chromedriver executable file for configuration.
The extension provides a configuration tab in the Burp Suite GUI which testers can use to set the path to their chromedriver binary and adjust the wait time before Selenium considers a page to be completely loaded. The default delay is 10 seconds, but testers may vary this based on the speed of their connection, complexity of the page, etc.
Passive Scan Checks
- If a cross-domain script resource carries an SRI integrity attribute, is that attribute correct for the referenced resource?
- Are there any cross-domain scripting resources that are loaded into the DOM and not present in the initial page?
Potential issues will be logged within the Burp Suite interface for any of these items.
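As an added illustration (not the extension's own code, and not part of the original post), the following Python check reproduces the two passive checks above offline: the page HTML, the page host and the script bodies are constructed sample data, and the SRI token is computed the way the specification defines it, as the hash algorithm name joined to the base64-encoded digest of the resource body.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample page on a hypothetical host, loading two cross-domain
# scripts (one with a bogus integrity value, one with none) and a local one.
PAGE_HOST = "example.com"
SAMPLE_HTML = """
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/nosri.js"></script>
<script src="/local.js"></script>
"""
# Constructed resource bodies keyed by URL; stands in for fetching them.
RESOURCES = {
    "https://cdn.example.net/lib.js": b"console.log('lib');",
    "https://cdn.example.net/nosri.js": b"console.log('nosri');",
}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token (algo-base64digest) for a resource body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def integrity_matches(integrity: str, body: bytes) -> bool:
    """An integrity attribute may list several tokens; any valid match passes."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_digest(body, algo) == token:
            return True
    return False

def check_scripts(html: str, page_host: str, resources: dict) -> list:
    """Flag cross-domain scripts that lack an integrity attribute or carry a wrong one."""
    findings = []
    for match in SCRIPT_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(match.group(1)))
        src = attrs.get("src")
        if not src:
            continue  # inline script, nothing to verify
        host = urlparse(src).hostname
        if host is None or host == page_host:
            continue  # relative or same-host scripts are out of scope here
        integrity = attrs.get("integrity")
        if integrity is None:
            findings.append((src, "missing integrity attribute"))
        elif src in resources and not integrity_matches(integrity, resources[src]):
            findings.append((src, "integrity attribute does not match resource"))
    return findings
```

Scripts added to the DOM after load (the second check above) are not visible to this static pass; that is what the extension's headless Chrome run is for.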
Where to Get the Burp Suite Extension
The extension is available now on the BApp Store.
We hope this contribution to the community helps folks stay safe out there.