Antonio Fontes - OWASP
antonio.fontes at owasp.org
Tue Apr 19 08:31:47 UTC 2016
On 4/19/2016 12:57 AM, Weiler, Jim wrote:
> If you assume a hacker breaches the 3rd party dev environment then the CSP checksum / subresource integrity control is gone because the hacker could change the code and recompute the checksum, correct?
I'm not sure. From my understanding, script integrity checksums are to be computed and verified under control of the invoking party:
- Org A computes checksums of org B's scripts (or verifies those provided by the 3rd party)
- Org A puts checksums in org A's code
- If org B's scripts are compromised, org A's code will detect a breach
However, if org A allows the 3rd party to provide its own checksums at runtime, then indeed, that would constitute a vulnerability with regard to the threat you described.
> 4 other advantages of a server direct data layer that I will add are:
> 1. performance - a page can easily have 50 or 100 tags each from a different vendor. Loading js from that many different sites, when the client is often far removed from the single or few vendor servers, can make a page unacceptably slow to load. Server direct eliminates this - all requests go to one tag manager url which will allow even a few dispersed servers to provide fast response because the requests are small, simple data value delivery, not requests for code.
> 2. centralization of data validation - DOMPurify or other validation logic can be applied to the data layer variables which are in a single page location and are much easier to document and keep track of, and can be implemented by security aware developers.
> 4. The key audience is the marketing team, not the web, middleware or application development teams. The marketing team makes the agreements with 3rd party vendors. The ability to have
> 2. can be easily verified by security
> allows the host company to act with the speed and flexibility they want with minimal involvement from security.
> Please let me know any comments.
> Thanks Jim
More information about the OWASP-Leaders