id: missing-sri

info:
  name: Missing Subresource Integrity
  author: lucky0x0d,PulseSecurity.co.nz,sullo
  severity: info
  description: |
    Checks if script tags within the HTML response have Subresource Integrity implemented via the integrity attribute.
  reference:
    - https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html#subresource-integrity
    - https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
  metadata:
    max-request: 1
  tags: compliance,js,sri,misconfig

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 5

    matchers-condition: and
    matchers:
      - type: xpath
        part: body
        xpath:
          - "//script[contains(@src,'//') and not(matches(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=','abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-'))]"

      - type: word
        words:
          - "text/html"
        part: header

    extractors:
      - type: xpath
        attribute: src
        xpath:
          - "//script[contains(@src,'//') and not(matches(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=','abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-'))]"
# digest: 4a0a004730450221009006d0edc711f674db98cd8d397c38ad75ace6acd39c2d0d6af8264ba999218702206ff23f350934532e43608643107931a06f89cf80d013269aabe053b04b87ee77:922c64590222798bb761d5b6d8e72950
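The rule the template's XPath expresses, written as a standalone Python check so it can be run against a saved response body (an added example, not part of the nuclei template; the sample HTML and the `sri_value` helper, which produces the integrity value a developer would add to resolve the finding, are constructed here):

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

# Mirrors the template's XPath: flag an external script (src contains '//')
# unless its integrity value starts with sha256-/sha384-/sha512-, compared
# case-insensitively, which is what the translate() call in the XPath does.
INTEGRITY_RE = re.compile(r"^sha(256|384|512)-", re.IGNORECASE)


class _ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def scripts_missing_sri(html: str) -> list:
    """Return src values of external <script> tags with no usable integrity attribute."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src") or ""
        if "//" not in src:
            continue  # relative/same-origin script: the template does not require SRI here
        if not INTEGRITY_RE.match(attrs.get("integrity") or ""):
            findings.append(src)
    return findings


def sri_value(content: bytes, algo: str = "sha384") -> str:
    """Compute the integrity attribute value to publish for a fetched resource body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed sample response body (not a real site); two of the four scripts get flagged.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example/lib.js"></script>
<script src="//cdn.example/other.js" integrity="md5-abc"></script>
<script src="https://cdn.example/ok.js" integrity="SHA384-AAAA" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head></html>"""
```

Like the template, this only tests the prefix of the integrity attribute, so a malformed value such as `SHA384-AAAA` passes both checks; whether the digest actually matches the served file is verified by the browser at load time, not by this scan.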