External Scripts Node
External scripts help developers create a separate file to write code and then create a link to the external file from another document. For example, developers can create an external JavaScript file and write a link to this file within HTML so that they don’t have to code each HTML file in which the JavaScript code appears.
However, any external script should be considered a potential security risk to your web application: someone may have tampered with it so that it executes malicious JavaScript on the target web application. For example, the hacktivist group ‘Syrian Electronic Army’ targeted a Content Delivery Network, which affected hundreds of websites, including well-known ones. They forced these web pages to display a message from the group.
Malicious code introduced through external scripts may also pave the way for Cross-site Scripting vulnerabilities, which would allow hackers to steal sensitive data such as login credentials or credit card information.
During the scanning process, Invicti identifies all the external scripts in the target web application and lists them. Invicti also suggests using the Subresource Integrity (SRI) mechanism for all external scripts and reports ‘SRI Not Implemented’ for any external script whose script tag lacks an integrity attribute carrying the hash of the script source. (This is a Best Practice report. It is displayed under Issues and Sitemap in both Invicti editions.)
The External Scripts node helps users determine whether the target web application has already been hacked. For example, it contains information on whether malware is being distributed via an injected script. All third-party scripts used in your web application, trusted or untrusted, are also listed in the External Scripts node.
Once the scan is completed, all external scripts are listed under the External Scripts node in the Knowledge Base. You can access the same information in the Knowledge Base Report and Knowledge Base Tab.
Invicti forms Knowledge Base nodes based on its findings. If the External Scripts node is not listed, it means that Invicti did not find any external scripts.
For further information, see Knowledge Base Nodes.
How to View the External Scripts Node in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
- Next to the relevant website, click Report.
- From the Technical Report section, click the Knowledge Base tab.
- Click the External Scripts node. The information is displayed in an External Scripts tab.
How to View the External Scripts Node in Invicti Standard
- Open Invicti Standard.
- Start a Scan or Import a previously saved scan.
- The Knowledge Base is displayed on the right of the Scan Summary Dashboard. (If it is hidden, display it again using the Knowledge Base icon on the View tab on the ribbon. Alternatively, click the Reset Layout icon on the View tab, then close the Activity/Progress/Logs panes to give maximum viewing space.)
- Ensure that the Knowledge Base Viewer is also displayed. (If it is hidden, you can display it again using the Knowledge Base Viewer button on the View tab. You may also want to close the Activity/Progress/Logs panes.)
- Click the External Scripts node in the Knowledge Base. All detected External Scripts are displayed in the Knowledge Base Viewer.