HawkScan Test Info for Sub Resource Integrity Attribute Missing

Sub Resource Integrity Attribute Missing

Reference

Plugin Id: 90003 | CWE: 345

Remediation

To remediate the “Sub Resource Integrity Attribute Missing” vulnerability, the integrity attribute should be added to all script and link tags served by external servers. The integrity attribute ensures that the content being loaded is not tampered with and matches the expected content. This prevents attackers who have gained access to the server from injecting malicious content.

To add the integrity attribute, follow these steps:

  1. Identify all script and link tags served by external servers: Review the codebase and identify all instances where external scripts or stylesheets are being loaded.

  2. Obtain the integrity value: Contact the provider of the external resource and request the integrity value for the specific version of the resource you are using. This value is typically provided by the resource provider and can be found in their documentation or on their website.

  3. Add the integrity attribute: Once you have obtained the integrity value, add the integrity attribute to the script or link tag. The attribute should have the format integrity="sha256-<integrity value>".

Example of adding the integrity attribute to a script tag:

<script src="https://example.com/external-script.js" integrity="sha256-abcdef1234567890"></script>

Example of adding the integrity attribute to a link tag:

<link rel="stylesheet" href="https://example.com/external-stylesheet.css" integrity="sha256-abcdef1234567890">

By adding the integrity attribute, you can ensure that the external resources are not tampered with and protect against potential attacks.

About

The “Sub Resource Integrity Attribute Missing” vulnerability occurs when the integrity attribute is missing on a script or link tag served by an external server. The integrity attribute is a security feature that allows the browser to verify that the content being loaded matches the expected content. Without the integrity attribute, an attacker who has gained access to the server hosting the external resource could inject malicious content, potentially compromising the security and integrity of the website.

Risks

The risks associated with the “Sub Resource Integrity Attribute Missing” vulnerability include:

  1. Malicious content injection: Without the integrity attribute, an attacker who has gained access to the server hosting the external resource can inject malicious content. This content could be used to perform various attacks, such as cross-site scripting (XSS) or data exfiltration.

  2. Compromised user data: If an attacker is able to inject malicious content through the missing integrity attribute, they may be able to compromise user data, such as login credentials or personal information. This can lead to identity theft, financial loss, or other serious consequences for the affected users.

  3. Damage to reputation: If a website is found to be vulnerable to the “Sub Resource Integrity Attribute Missing” vulnerability and is exploited by attackers, it can damage the reputation of the website and the organization behind it. Users may lose trust in the website’s security and be hesitant to use its services or provide sensitive information.

It is important to address this vulnerability by adding the integrity attribute to all script and link tags served by external servers to mitigate the risks associated with it.