The Limitations of AI in Fixing Hardcoded Domains and External Requests in HTML
Introduction
AI has made significant strides in application security, but certain tasks expose its limitations. One such challenge is fixing hardcoded domains in HTML, which presents specific vulnerabilities that AI models, like large language models (LLMs), struggle to remediate effectively.
The Challenge: Hardcoded Domains and Security Risks
Hardcoded domains in HTML often involve external file references, such as scripts or resources from third-party websites. This becomes a security risk if those external sources are compromised, as any malicious code injected into the referenced files could propagate to all websites loading the resource. For example, a common practice is linking to external libraries like jQuery:
<script src="https://code.jquery.com/jquery-3.7.1.js"></script>
The danger lies in that all linked websites could unknowingly execute harmful code if the external site is breached.
To mitigate this risk, modern browsers support integrity checks, which verify that the external file has not been tampered with. This involves adding an integrity attribute to the script tag, which specifies a SHA256 hash of the file. If the hash doesn't match the actual file, the browser rejects the resource:
<script src="https://code.jquery.com/jquery-3.7.1.js" integrity="sha256-eKhayi8LEQwp4NKxN+CfCh+3qOVUtJn3QNZ0TciWLP4="></script>
In this code, Fortify will report the string trimmed = cmd.Trim(); as vulnerable because cmd can be null, which can cause unexpected crashes in the application — System.NullReferenceException. Unhandled System.NullReferenceException may lead to denial of service of your application if an attacker figures out a way to trigger it continuously.
AI Limitations in Fixing Hardcoded Domains
The challenge with using AI to fix these vulnerabilities stems from the nature of the task. AI models, such as LLMs, cannot download external files or calculate integrity hashes, which is essential for implementing a secure fix. While AI can identify the presence of a hardcoded domain, it lacks the capability to fetch the resource, compute the correct SHA256 hash, and insert the integrity check automatically.
The Future of Hybrid Remediation
While pure AI models struggle with these complex security tasks, hybrid approaches show promise. By integrating AI into platforms with function-calling capabilities, it is possible to automate tasks like fetching external files and calculating their integrity hashes. This hybrid model, which combines human oversight with AI automation, offers a more robust solution for code remediation.
As technology evolves, AI will likely be paired with external function calls or hybrid models to address these limitations. This approach bridges the gap between AI's capabilities and the intricate security challenges that arise in modern application development.
Jonathan Santilli and Kirill Efimov