Cross-domain script include issues ignore subresource integrity attributes

Veres-Szentkiralyi | Last updated: Jun 17, 2016 03:05PM UTC

Cross-domain script include issues are useful; however, they ignore whether the site uses subresource integrity (SRI) attributes. If so, the part that says "trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions" is not accurate, since if the content changes, the cryptographic hash would change, thus modern browsers won't include it. More info: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

PortSwigger Agent | Last updated: Jun 17, 2016 03:26PM UTC

Thanks for this feedback. We've added to our backlog the task of reflecting SRI attributes in the logic of this scan check.

