Understanding Supply Chain Attacks
Supply chain attacks involve compromising a third-party service or library to inject malicious code into websites that rely on it. A recent example is the Polyfill.io incident, where thousands of websites were potentially compromised.
How Could This Be Prevented?
One effective way to mitigate such risks is by using the Subresource Integrity (SRI) attribute in your HTML scripts and link tags. SRI allows browsers to verify that the fetched resources (like scripts or stylesheets) are delivered without unexpected manipulation.
Demonstration
#script.js
console.log("Hello World - Secured!");
#index.html
SUBRESOURCE INTEGRITY EXAMPLE
Hello World
#app.js - to serve above files
const express = require('express');
const app = express();
app.use(express.static("./"));
app.listen(80, () => {
console.log('Server is running on http://localhost');
});
Generating the Integrity Hash
openssl dgst -sha384 -binary script.js | openssl base64 -A
Now if we perform all the above steps correctly then the following working output should appear:
Now Let’s try to modify script.js
#script.js - modified
console.log("Hello World - Modified!");
Now try to open http://localhost/index.html, you should see following error:
None of the sha384 hashes in the integrity attribute match the content of the resource.
SO THE MODIFIEFD SCRIPT WON’T RUN AT ALL!!
Resources:
- https://x.com/FranklinThaker/status/1806553934175277275
- List of sites that have been compromised: https://t.co/LDqOSONvNr
- Attack details: https://t.co/DOABrBcYD3
- Cloudflare solution: https://t.co/vEMO0QLxBt
- https://github.com/FranklinThaker/Subresource-integrity-attribute-example