Subresource Integrity (SRI) is a security measure used to ensure the integrity of external resources (such as JavaScript files, CSS stylesheets and fonts) used on a web page. SRI lets the browser compare a resource fetched from a server against an expected cryptographic hash, which confirms that what was received is the original file and has not been tampered with.
Additional security layer with SRI
SRI adds a layer of security, especially when a website pulls resources from third-party content providers such as CDNs. A resource modified by an attacker could have serious consequences, such as the execution of malicious software or code, compromise of user data, or remote code execution on the system. SRI lets the browser determine whether the resource has been modified before it is used.
To use SRI, a cryptographic hash (for example SHA-256 or SHA-384) of the exact contents of the resource is calculated and placed in the integrity attribute of the relevant <script> or <link> tag on the web page. The browser hashes the fetched resource and compares the result with this expected value; if they do not match, it refuses to load the resource.
In most web application penetration tests, it is observed that SRI is not implemented in the target system. This has been the case in the majority of penetration tests I have conducted so far. However, during recent scans of a client’s web application, we noticed the absence of SRI and immediately added it to our findings. In fact, the client’s web application did not use any external resources; all necessary libraries and style files were hosted on the server.
I discovered that Google Tag Manager was embedded as an external resource on the target application. Since the lack of SRI is directly marked as “FAIL” in PCI DSS scans, this initially appeared to be a significant issue. Google Tag Manager is a free tool that allows managing and distributing digital marketing tags (such as Google Analytics, Facebook Pixel, AdWords Remarketing, Hotjar, etc.) on websites and mobile applications.
What is Google Tag Manager?
GTM gives web developers and digital marketing specialists the ability to manage, track and update tags without editing the site's code. As you may have noticed, this means we are talking about a file that changes continuously. The main issue is that when you include the Google Tag Manager script, you are not loading a fixed piece of text. The primary purpose of Tag Manager is to let you, the end user, easily adjust which metrics are measured, and to let Google update the script without requiring every site to change its pages to pull in the new version.
Therefore, the content returned when the script tag is fetched can change at any time: the end user may add or remove metrics to measure, or Google may change or update the script. Including an SRI hash is therefore practically impossible, because the hash is likely to become outdated within a few days, after which the browser will refuse to load the resource. Since the hash of the script would constantly change, each change would look exactly as if the script at its origin had been tampered with. An integrity failure also means the browser will not execute the script, so the site owner no longer receives any metric values.
If this finding comes up during a PCI DSS scan, you can explain to the scanning company that it is not a security or PCI DSS compliance issue, since the script does not affect card payments, and that it is an acceptable risk. Taking additional security measures on the Google Tag Manager side is also helpful: grant access to the Google Tag Manager control panel only to the people who need it, limit their permissions to what their role requires, and don’t forget to enable two-factor authentication for access to the panel.