
We have recently done a static analysis of our application(s), and there are a few critical findings in 3rd-party code, i.e. jQuery and Swagger UI.

What are security best practices in this case to mitigate the risk?

peterh
wonder
  • Besides using the latest stable version and reporting any vulnerabilities you find to the authors? – Purefan Feb 07 '17 at 10:38
  • One thing to note: if you're getting critical findings in jQuery, you probably haven't tuned your static analysis tool properly. You can't simply run it and assume that everything it spits back out will be valid issues. – Xander Feb 07 '17 at 12:42

1 Answer


You can use subresource integrity. This prevents an attacker from altering scripts. It adds a hash to the script tag, and if that hash does not match the script, it does not get executed.

Sjoerd
  • So nothing can be done from the static analysis perspective. We have to suppress the alerts from there and rerun the scan to get a clean report. – wonder Feb 07 '17 at 11:22
  • @wonder the original question mentions jquery and swagger, in which case you do have access to the source code and have a possibility to change it (and also contribute it upstream to avoid maintaining a fork in future). – Peteris Feb 07 '17 at 11:51
  • Sorry for creating confusion. – wonder Feb 07 '17 at 12:13