Security Test: Configuration_SubresourceIntegrityMissing

Description

A missing Subresource Integrity (SRI) attribute allows attackers to tamper with external scripts, potentially injecting malicious code.

Configuration

Identifier: configuration/subresource_integrity_missing

Examples

Ignore this check

checks:
  configuration/subresource_integrity_missing:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: A08:2021
  • OWASP LLM: LLM04:2023
  • pci: 6.5.5
  • gdpr: Article-32
  • soc2: CC7
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: SI-11

Classification

  • CWE: 354

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
  • CVSS_SCORE: 7.5

References

Remediation

Implement Subresource Integrity (SRI) by adding the integrity attribute to externally loaded scripts and stylesheets. The integrity value must be computed over the exact resource content using a cryptographic hash function such as SHA-256, SHA-384, or SHA-512, and recomputed whenever the resource changes. Additionally, set the crossorigin attribute (for example crossorigin="anonymous") so that credentials are not sent with the cross-origin request.

Frontend Specific

  • React: Ensure that all externally loaded scripts in React applications use the `integrity` attribute with a valid cryptographic hash and set `crossorigin="anonymous"` when needed.
  • Angular: Use the `integrity` attribute for all external script and stylesheet imports to prevent unauthorized modifications.
  • Vue: Implement Subresource Integrity by adding the `integrity` attribute to all external resource links.
  • Svelte: Ensure that Svelte applications enforce Subresource Integrity by using properly hashed and integrity-checked external scripts.
  • Ember: Use Subresource Integrity for all external assets by specifying a valid `integrity` hash in script and link elements.
  • Backbone: Apply Subresource Integrity in Backbone applications by ensuring all external resources include the `integrity` attribute.
  • Preact: Implement SRI in Preact applications by adding cryptographic hashes for all externally loaded scripts.
  • Gatsby: Configure Gatsby applications to use the `integrity` attribute for all remote scripts and stylesheets.
  • Blazor: Ensure that Blazor applications enforce SRI by adding integrity attributes to all external resources.
  • Marko: Use Subresource Integrity in Marko applications by ensuring that external resources are validated using cryptographic hashes.
  • Mithril: Ensure that Mithril applications use the `integrity` attribute for all externally loaded resources.