Subresource Integrity (SRI) Not Implemented - Vulnerability Database

Subresource Integrity (SRI) Not Implemented

Description

Subresource Integrity (SRI) is a browser security mechanism that validates the integrity of third-party resources loaded from external sources such as Content Delivery Networks (CDNs). When implemented, SRI uses cryptographic hashes to ensure that scripts, stylesheets, and other resources have not been tampered with during transit or at the source.

This application loads external scripts without implementing SRI protection. Without integrity verification, the browser cannot detect if a third-party resource has been modified, either maliciously by an attacker who has compromised the CDN, or inadvertently through transmission errors. SRI is implemented by adding an 'integrity' attribute containing a cryptographic hash (SHA-256, SHA-384, or SHA-512) to HTML elements that load external resources.

Remediation

Implement Subresource Integrity for all externally hosted scripts and stylesheets by adding the 'integrity' and 'crossorigin' attributes to the respective HTML elements. Follow these steps:

1. Generate a cryptographic hash of the external resource using SHA-384 or SHA-512 (SHA-256 is acceptable but less preferred). You can use the SRI Hash Generator tool referenced below or generate hashes using command-line tools.

2. Add the 'integrity' attribute with the generated hash and the 'crossorigin' attribute to your script or link tags.

Example implementation for an external JavaScript file:

<script src="https://cdn.example.com/library-1.2.3.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

Example implementation for an external CSS file:

<link rel="stylesheet" href="https://cdn.example.com/styles-1.2.3.css"
      integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
      crossorigin="anonymous">

3. The 'crossorigin="anonymous"' attribute is required for SRI to work with resources from different origins. It makes the browser fetch the resource with CORS checks but without sending credentials; without it the browser receives an opaque response whose body it cannot hash, so the integrity check cannot succeed.

4. Update the integrity hash whenever you update the external resource version, as the hash must match the exact content of the file.

Note: Ensure your CDN sends the CORS headers SRI depends on, in particular an Access-Control-Allow-Origin header that permits your origin (or '*'); without it the browser refuses to load the resource. Test thoroughly after implementation to verify resources load correctly.
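As an added worked example (not Invicti's code), the following Python script covers step 1 (building the integrity value), emulates the browser-side comparison that step 4 relies on, and flags cross-origin script and stylesheet tags that lack the attribute, which is the finding this entry describes. The page URL, file names and sample HTML are constructed for the example.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # weakest to strongest

def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Build the integrity value for a resource body (step 1 of the remediation)."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def sri_matches(content: bytes, integrity: str) -> bool:
    """Browser rule: only hashes of the strongest listed algorithm count, any may match."""
    parsed = []
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, expected.partition("?")[0]))  # drop options
    if not parsed:
        return False  # nothing a browser could verify: report as unprotected
    strongest = max(SRI_ALGORITHMS.index(alg) for alg, _ in parsed)
    return any(sri_hash(content, alg) == f"{alg}-{exp}"
               for alg, exp in parsed if SRI_ALGORITHMS.index(alg) == strongest)

class ExternalResourceScanner(HTMLParser):
    """Collect cross-origin script/stylesheet tags lacking integrity (same-origin skipped)."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_host = urlparse(page_url).netloc.lower()
        self.missing = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else None
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url = a.get("href")
        host = urlparse(url or "").netloc.lower()
        if host and host != self.page_host and not a.get("integrity"):
            self.missing.append(url)

def find_missing_sri(html: str, page_url: str) -> list:
    scanner = ExternalResourceScanner(page_url)
    scanner.feed(html)
    return scanner.missing

# Constructed sample page: a local script, an unprotected CDN script and the
# stylesheet tag from this entry, which already carries integrity/crossorigin.
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script src="https://cdn.example.com/library-1.2.3.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/styles-1.2.3.css" crossorigin="anonymous"
      integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u">"""
```

Run `find_missing_sri(SAMPLE_HTML, "https://www.example.org/")` to list the unprotected CDN script, and `sri_hash(open("library-1.2.3.js", "rb").read())` to produce the value for its integrity attribute.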
