Missing Resource Integrity

ID

html.missing_resource_integrity

Severity

high

Resource

Access Control

Language

Html

Tags

CWE:353, NIST.SP.800-53, OWASP:2021:A8, PCI-DSS:6.5.4, PCI-DSS:6.5.6

Description

This rule identifies instances where external resources (scripts and stylesheets) loaded over HTTPS lack the integrity attribute, which leaves the browser with no way to detect a manipulated copy of the resource served by a compromised host.

Rationale

HTTPS only protects a resource in transit; it says nothing about the bytes at the other end. Attackers can sometimes compromise the server or CDN hosting those resources and replace the file under its existing URL. Without the integrity attribute the browser executes or applies whatever the host returns, so the application is vulnerable to supply chain attacks in which a malicious version of a resource is served instead of the intended one.

Consider the following example:

<!DOCTYPE html>
<html>
<head>
    <title>Missing Resource Integrity Example</title>
    <link rel="stylesheet" href="https://example.com/style.css"><!-- FLAW -->
</head>
<body>
    <h1>Hello World!</h1>
</body>
</html>

In this snippet the stylesheet is fetched over HTTPS from a third-party host, but the integrity attribute is missing: the browser cannot tell the intended file from a substituted one and applies whatever example.com serves.

Remediation

To address this issue, add the integrity attribute with a cryptographic hash of the resource. Its value is the algorithm name (sha256, sha384 or sha512), a hyphen, and the base64-encoded digest of the file's exact bytes; several space-separated values may be given. The browser recomputes the digest over the bytes it actually received and refuses to execute or render the resource if it does not match. For a cross-origin resource the crossorigin attribute is also required, so that the browser is allowed to read the response it has to hash; without it the load is blocked outright.

Here’s the corrected example with integrity (the hash values shown are placeholders; use the digest of the file you actually serve):

<!DOCTYPE html>
<html>
<head>
    <title>Resource Integrity Example</title>
    <link rel="stylesheet" href="https://example.com/style.css" integrity="sha384-abcdef..." crossorigin="anonymous">
    <script src="https://example.com/script.js" integrity="sha384-123456..." crossorigin="anonymous"></script>
</head>
<body>
    <h1>Hello World!</h1>
</body>
</html>

By providing the integrity attribute with the hash of the exact bytes you expect, the browser rejects any altered version of the resource. Generate the hash from the file as actually deployed, using SHA-384 or SHA-512 (browsers also accept SHA-256, the weakest option), for example with openssl dgst -sha384 -binary style.css | openssl base64 -A, and confirm the page still loads afterwards: a wrong hash blocks the resource just as a tampered one would. Because any change to the file invalidates the hash, reference a fixed, versioned URL rather than one the host updates in place.

Configuration

The detector has the following configurable parameters:

  • allowedDomains, the domains whose resources are not reported even when they lack the integrity attribute (for example, a host you operate and trust as much as the page itself). Keep this list short: every entry is a host whose compromise the browser would no longer detect.
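As an added illustration of what this detector checks, and not the detector's own implementation, the script below scans an HTML document for script and stylesheet elements that load an absolute or protocol-relative URL without an integrity attribute, skipping hosts named in an allowedDomains list. It assumes relative URLs are same-origin and leaves them alone (the rule page does not say how such URLs are treated), and it additionally reports integrity without crossorigin, which this rule does not cover but which a browser rejects outright. The sample page is constructed for the example; the placeholder hash is copied from the page's own snippet.

```javascript
// Added example, not the detector's own code: a minimal scan for the
// condition this rule reports, honoring an allowedDomains list like the
// one in the Configuration section. Tag and attribute parsing is regex
// based, adequate for well-formed HTML but not a substitute for a real parser.

// attribute name, optionally followed by ="double", ='single' or =bare value
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const TAG_RE = /<(script|link)\b([^>]*)>/gi;

function parseAttrs(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns findings for <script src> and <link rel="stylesheet" href> elements
// that load an absolute http(s) or protocol-relative URL from a host that is
// not in allowedDomains. Relative URLs are treated as same-origin and skipped
// (an assumption of this example; the rule page does not say how it treats them).
function scanHtml(html, { allowedDomains = [] } = {}) {
  const allowed = new Set(allowedDomains.map(d => d.toLowerCase()));
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    // Only scripts and stylesheets are subject to SRI; skip inline scripts,
    // icons, preloads and other <link> relations.
    const url = tag === 'script' ? attrs.src : attrs.href;
    if (!url) continue;
    if (tag === 'link' && !/\bstylesheet\b/i.test(attrs.rel ?? '')) continue;
    if (!/^(https?:)?\/\//i.test(url)) continue;
    let host;
    try { host = new URL(url, 'https://page.invalid').host.toLowerCase(); } catch { continue; }
    if (allowed.has(host)) continue;
    const line = html.slice(0, m.index).split('\n').length;
    if (!attrs.integrity) {
      // Missing or empty integrity: no check is performed by the browser.
      findings.push({ line, tag, url, issue: 'missing_integrity' });
    } else if (!('crossorigin' in attrs)) {
      // Without CORS the browser cannot read a cross-origin response to hash it,
      // so it refuses to load the resource at all: the page breaks instead of
      // being protected. Not part of this rule, but worth reporting.
      findings.push({ line, tag, url, issue: 'missing_crossorigin' });
    }
  }
  return findings;
}

// Constructed sample page: the rule's flawed snippet plus a few more cases.
const SAMPLE_HTML = `<!DOCTYPE html>
<html>
<head>
    <title>Scan sample</title>
    <link rel="stylesheet" href="https://example.com/style.css">
    <script src="https://example.com/script.js" integrity="sha384-abcdef..."></script>
    <script src="https://static.example/vendor.js"></script>
    <script src="/js/app.js"></script>
    <link rel="icon" href="https://example.com/favicon.ico">
</head>
<body>
    <h1>Hello World!</h1>
</body>
</html>`;

for (const f of scanHtml(SAMPLE_HTML, { allowedDomains: ['static.example'] })) {
  console.log(`line ${f.line}: <${f.tag}> ${f.url}: ${f.issue}`);
}
```

With static.example on the allow list the scan reports two lines: the stylesheet on line 5 has no integrity attribute, and the script on line 6 has one but no crossorigin attribute. Drop the allow list and the vendor.js script is reported as well; the relative app.js and the icon link are never reported.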

References

  • CWE-353 : Missing Support for Integrity Check.