
Capture and compare JavaScript with Synthetic checks. Please advise.

runatyr
Organizer

Hello:
I am being asked to see if Dynatrace synthetic checks could be leveraged for security checks on certain pages
that contain JavaScript for code integrity.

In particular:
We would want Dynatrace to hit/visit some of our specific web pages that contain JavaScript.
Dynatrace would then "capture" a copy of the existing JavaScript code contained on a web page, and
calculate a hash of the code for comparison purposes to a known approved hash.
Then, if those 2 hashes did not match, have Dynatrace throw an alert/detection.

We have done some very basic synthetic checks previously.
(Log into a page, click a specific CSS or DOM object etc... but nothing of this complexity.)

However, I am uncertain how to approach this request.

1) How could the synthetic check be leveraged to "capture" the JavaScript from a page?
2) How could Dynatrace be told in a synthetic to run a program that calculates a hash?
3) How would the synthetic check then compare it?


Any advice or experience in doing something similar to this is immensely appreciated!

Kindly,
Chris


Slawa
Advisor

Abstract:
I believe you can do this in synthetic steps - JS allows you to cut/copy HTML.
Then if your hash method is supported by Valina JS you can do it and store any text value into the Dynatrace vault.
In the next run you can evaluate the hash value against other values captured from a web page and raise a custom error.

AntonioSousa
DynaMight Guru

@runatyr,

This is an extreme request, but interesting. Some comments:

  1. Prior to this, I expect that CSP has been correctly implemented. If so, many risks get mitigated. If not, this should be the site's first priority...
  2. SRI (Subresource Integrity) has been well supported for some time now. I have one client that uses it, and we had to implement Dynatrace RUM in that specific way. Please check if it is being used. I have not come across it in any case, but since it's validated by the browser, I expect Dynatrace to alert when the browser alerts. In any case, I have asked it in a separate thread: https://community.dynatrace.com/t5/Synthetic-Monitoring/Does-Dynatrace-Synthetic-browser-monitor-ale...
  3. Implement a WAF that validates content being served.

As such, your best bet is probably implementing at least the first two above and validating against the SRI hashes. And wait to see if that is automatically supported, as in the other thread.
Also, I'm not quite sure what "Valina JS" was, so I looked it up, but was not able to confirm it is SRI related. Or were you referring to "Vanilla JS"?

Antonio Sousa

Valina JS - that means you cannot import any libraries outside of the standard JS package OOB
