Skip to main content

Missing subresource integrity check

Description

The application does not properly check the integrity of resources loaded from third-party servers.

Impact

Embed compromised resources from a third party server.

Recommendation

Add the integrity attribute to HTML script tags.

Threat

Unauthorized attacker from the Internet network.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: H
  • User interaction: R
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:X
  • Score:
    • Base: 2.0
    • Temporal: 1.9
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

All script tags on the application have the integrity attribute set

<html>
<head>
<script src="https://bam-cell.nr-data.net/thing.js"
integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo"
crossorigin="anonymous">
</script>
</head>
</html>

Non compliant code

There is no integrity secure attribute set on the script tags

<html>
<head>
<script src="https://bam-cell.nr-data.net/thing.js"></script>
</head>
</html>

Requirements