External Scripts Node

External scripts let developers write code in a separate file and then link to that file from another document. For example, developers can create an external JavaScript file and link to it from HTML, so that they don't have to repeat the JavaScript code in each HTML file that uses it.

However, any external script should be considered a potential security risk to your web application. Someone may have tampered with it so that it executes malicious JavaScript in the target web application. For example, a hacktivist group, the 'Syrian Electronic Army', targeted a Content Delivery Network, which affected hundreds of websites, including well-known ones. The group forced these web pages to display a message on its behalf.

Malicious code delivered through external scripts may also pave the way for Cross-site Scripting vulnerabilities. These would allow hackers to steal sensitive data, such as login credentials or credit card information.

During the scanning process, Netsparker identifies all the external scripts in the target web application and lists them. Netsparker also suggests using the Subresource Integrity (SRI) mechanism for all external scripts, and reports ‘SRI Not Implemented’ for any external script that lacks the hashed value of the source in its integrity attribute. (This is a Best Practice report. It is displayed under Issues and Sitemap in both Netsparker editions.)
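
The check described above can be reproduced outside the scanner. The following is an added example, not Netsparker's code: it lists the external scripts in a page, marks those without an integrity attribute, and computes the value that attribute should carry. It assumes "external" means served from a different origin than the page; the hostnames, sample HTML and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build the integrity attribute value: '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


class ExternalScriptAudit(HTMLParser):
    """Collect <script src> tags served from a different origin than the page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.origin = tuple(urlsplit(page_url)[:2])  # (scheme, host[:port])
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if not attr.get("src"):
            return  # inline script, nothing is fetched
        url = urljoin(self.page_url, attr["src"])  # resolves relative and // URLs
        if tuple(urlsplit(url)[:2]) == self.origin:
            return  # same-origin file; assumption: not counted as external
        has_sri = bool((attr.get("integrity") or "").strip())
        self.findings.append((url, has_sri))


def audit(html: str, page_url: str):
    """Return [(script_url, has_integrity_attribute), ...] for external scripts."""
    parser = ExternalScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; the hostnames and the hash value are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="//cdn.example/ui.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline");</script>
</head></html>"""

if __name__ == "__main__":
    for url, has_sri in audit(SAMPLE_HTML, "https://shop.example/"):
        print(url, "OK" if has_sri else "SRI Not Implemented")
    print(sri_value(b"console.log('reviewed copy of lib.js');"))
```

The audit only checks that an integrity attribute is present; generate the value with `sri_value` from a copy of the script you have reviewed, not from whatever the third-party host currently serves.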

The External Scripts Node helps users determine whether the target web application has already been hacked. For example, it contains information on whether malware is being distributed via an injected script. All (un)trusted third party scripts used in your web application are also listed in the External Scripts node.

Once the scan is completed, all external scripts are listed under the External Scripts node in the Knowledge Base. You can access the same information in the Knowledge Base Report and Knowledge Base Tab.

Netsparker creates Knowledge Base nodes based on its findings. If the External CSS Files node is not listed, it means that Netsparker did not find any.

For further information, see Knowledge Base Nodes.

How to View the External Scripts Node in Netsparker Enterprise
  1. Log in to Netsparker Enterprise.
  2. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  3. Next to the relevant website, click Report.
  4. From the Technical Report section, click the Knowledge Base tab.
  5. Click the External Scripts node. The information is displayed in an External Scripts tab.

How to View the External Scripts Node in Netsparker Standard
  1. Open Netsparker Standard.
  2. Start a Scan or Import a previously saved scan.
  3. The Knowledge Base is displayed on the right of the Scan Summary Dashboard. (If it is hidden, display it again using the Knowledge Base icon on the View tab on the ribbon. Alternatively, click the Reset Layout icon on the View tab, then close the Activity/Progress/Logs panes to give maximum viewing space.)
  4. Ensure that the Knowledge Base Viewer is also displayed. (If it is hidden, you can display it again using the Knowledge Base Viewer button on the View tab. You may also want to close the Activity/Progress/Logs panes.)
  5. Click the External Scripts node in the Knowledge Base. All detected External Scripts are displayed in the Knowledge Base Viewer.
