[Owasp-leaders] 3rd Party JavaScript Management Cheatsheet

Antonio Fontes - OWASP antonio.fontes at owasp.org
Tue Apr 19 08:31:47 UTC 2016


On 4/19/2016 12:57 AM, Weiler, Jim wrote:

> If you assume a hacker breaches the 3rd party dev environment then the CSP checksum / subresource integrity control is gone because the hacker could change the code and recompute the checksum, correct?

I'm not sure. From my understanding, script integrity checksums are to
be computed and verified under control of the invoking party:
- Org A computes checksums of org B's scripts (or verifies those
provided by the 3rd party)
- Org A puts checksums in org A's code
- If org B's scripts are compromised, org A's code will detect a breach
of integrity.

However, if org A allows the 3rd party to provide its own checksums at
runtime, then indeed, that would constitute a vulnerability in regards
of the threat you described.


> 4 other advantages of a server direct data layer that I will add are:
> 1. performance - a page can easily have 50 or 100 tags each from a different vendor. Loading js from that many different sites, when the client is often far removed from the single or few vendor servers, can make a page unacceptably slow to load. Server direct eliminates this - all requests go to one tag manager url which will allow even a few dispersed servers to provide fast response because the requests are small, simple data value delivery, not requests for code.
> 2. centralization of data validation - DOMPurify or other validation logic can be applied to the data layer variables which are in a single page location and are much easier to document and keep track of, and can be implemented by security aware developers.
> 3. no 3rd party javascript executes on customer browsers, no CORS agreements are needed with vendors and no CSP ability is needed by vendors.
> 4. The key audience is the marketing team, not the web, middleware or application development teams. The marketing team makes the agreements with 3rd party vendors. The ability to have
> 1. a simple security standard that says 'only use server direct and the host data layer' when you use regardless of the tool the host company chose to generate the client javascript;
> and
> 2. can be easily verified by security
> allows the host company to act with the speed and flexibility they want with minimal involvement from security.
> Please let me know any comments.
> Thanks Jim
