By- October 06, 2015
If you’ve been keeping up with recent browser developments you may have noticed that in the past few weeks both Chrome and Firefox have started to support subresource integrity, with companies like Github making an active push for other sites to make use of the functionality. This is a low-risk change that offers tremendous security gains for your users, so we just pushed out an update that makes it easier to start using subresource integrity on your website.
Loading arbitrary code from a third party has always opened websites up to attack through their CDN: an insecure or malicious CDN can insert malicious code into any website to which it serves assets. Subresource integrity mitigates this attack by ensuring that every loaded resource contains exactly the content the website expects. This is done with a cryptographic digest, computed over each fetched resource and compared against an expected digest supplied by the page. The browser can therefore detect resources that have been tampered with and abort loading them before any malicious code is executed.
Protecting a resource is done by adding the “integrity” attribute to an asset’s HTML tag:
<script src="https://example.com/include.js" integrity="sha256-Rj/9XDU7F6pNSX8yBddiCIIS+XKDTtdq0//No0MH0AE=" crossorigin="anonymous"></script>
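As an added illustration (not code from the original post or from Tinfoil), the following Python computes the integrity value for a script body, renders the protected tag, and models the browser-side check, including how multiple listed digests and unrecognised algorithm names are treated; the script content and URL are constructed samples.

```python
import base64
import hashlib
import hmac

# Strength order browsers apply when several digests are listed: only tokens
# using the strongest algorithm present are consulted.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample: the script body the site expects its CDN to serve.
EXPECTED_SCRIPT = b"window.greet = function () { return 'hello'; };\n"


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return the value for an integrity attribute: '<algo>-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    raw = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Render a <script> tag protected by SRI. crossorigin="anonymous" is needed
    so the browser is allowed to read a cross-origin response in order to hash it."""
    return (f'<script src="{src}" integrity="{sri_digest(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(fetched: bytes, integrity: str) -> bool:
    """Model the browser-side check on the bytes actually received.

    Tokens look like 'sha384-<base64>' (an optional '?options' suffix is ignored).
    Tokens with unknown algorithms are skipped; if none remain, the browser
    enforces nothing and the load proceeds, so a typo in the algorithm name
    silently disables the protection.
    """
    parsed = []
    for token in integrity.split():
        algo, sep, value = token.partition("-")
        algo = algo.lower()
        if not sep or algo not in STRENGTH:
            continue
        parsed.append((algo, value.split("?", 1)[0]))
    if not parsed:
        return True  # no enforceable metadata: the resource is allowed
    strongest = max(STRENGTH[a] for a, _ in parsed)
    for algo, expected in parsed:
        if STRENGTH[algo] != strongest:
            continue
        actual = base64.b64encode(hashlib.new(algo, fetched).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected):
            return True
    return False
```

A tampered or swapped resource fails the check, while a weaker digest listed beside a stronger one is ignored entirely, so list only digests you intend to be authoritative.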
It’s an elegant solution to a very serious risk, and it’s a solution we recommend implementing. It won’t secure all of your users, with Microsoft Edge still not supporting the feature, but it can serve as a valuable line of defense in the event of a breach of your CDN. Many of the popular web frameworks provide libraries that make it easy to enable subresource integrity on your assets, and further instructions on making use of the technology are available on the Mozilla Developer Network.
Going forward, all Tinfoil Security scans will flag external resources that are not protected by subresource integrity. Give it a try by signing up for our 30-day free trial.
Introducing the Tinfoil Private Beta
By- March 14, 2012
Welcome to Tinfoil Security!
We simplify security, integrating it into your development lifecycle, and making it a simpler test before you push out new code, rather than a compliance checkbox or an afterthought. Our aim is to make security recurring, affordable, and as simple for your engineers to use as possible. We’re beginning by securing all of your organization’s websites.
Recently, we were proud to announce the launch of the private beta of our first product: the Tinfoil Security web application scanner. Our scanning technology is comparable to other web application scanning tools and, in many cases, better. We’ll crawl your site, a bit like Google does, but instead of looking for text and images, we’re looking for anywhere we might be able to input and inject data. We then go through a multitude of security checks, trying to find each potential beachhead an attacker could use to access your website. We specialize in recurring and efficient checks, looking at all potential access points on your website. We’ll scan your externally facing site as well as all of your internal dashboards and application data post-authentication.
You get a comprehensive security report of your sites’ safety, along with all of your vulnerability information. You’ll know exactly where we found each vulnerability, what the vulnerability is and what it can do, how we attacked your site (so you can go in and replay the attack), and we’ll also guide you in fixing each vulnerability, tailoring our results specifically to your software stack. It’s a fully automated solution, keeping your costs low and your number of security checks high.
Tinfoil Security takes a proactive approach, letting you know where you are vulnerable before you've been hacked and before any data is exported from your site, so you can prevent it in the first place. And we do it all while keeping the amount of data thrown your way as manageable as possible.
We’re incredibly excited about where Tinfoil is headed, and hope you’re just as excited to help us get it there.
If you’re interested in finding out more about Tinfoil, or just more about new ideas and news in vulnerability research, keep watching this blog, which will be updated with our latest features and our thoughts on security and the industry.
There's way more to come, so be sure to sign up for our beta list at https://www.tinfoilsecurity.com and we'll get you in the door.
Until next time!
Ainsley, Borski, & The Tinfoil Team