commit
5c5f071907
|
@ -2,12 +2,13 @@ id: missing-sri
|
|||
|
||||
info:
|
||||
name: Missing Subresource Integrity
|
||||
author: lucky0x0d,PulseSecurity.co.nz
|
||||
author: lucky0x0d,PulseSecurity.co.nz,sullo
|
||||
severity: info
|
||||
description: |
|
||||
Checks if script tags within the HTML response have Subresource Integrity implemented via the integrity attribute
|
||||
Checks if script tags within the HTML response have Subresource Integrity implemented via the integrity attribute.
|
||||
reference:
|
||||
- https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html#subresource-integrity
|
||||
- https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
|
||||
metadata:
|
||||
max-request: 1
|
||||
tags: compliance,js,sri,misconfig
|
||||
|
@ -26,7 +27,7 @@ http:
|
|||
- type: xpath
|
||||
part: body
|
||||
xpath:
|
||||
- "//script[contains(@src,'//') and not(contains(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz'),'^sha'))]"
|
||||
- "//script[contains(@src,'//') and not(matches(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=','abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-'))]"
|
||||
|
||||
- type: word
|
||||
words:
|
||||
|
@ -37,6 +38,6 @@ http:
|
|||
- type: xpath
|
||||
attribute: src
|
||||
xpath:
|
||||
- "//script[contains(@src,'//') and not(contains(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz'),'^sha'))]"
|
||||
- "//script[contains(@src,'//') and not(matches(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=','abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-'))]"
|
||||
|
||||
# digest: 4a0a0047304502200e29fdf3695b4eadfb362a6ec5332dff4696a4564e73a096a609363b81776126022100a0e6443350ecc806ce4da1a80d628339d3515f387129fc50651ee687b8265bb8:922c64590222798bb761d5b6d8e72950
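Review bot: The new anchored pattern on the xpath line still reports a script as missing SRI when its `integrity` value has leading whitespace or is a whitespace-separated multi-hash list with a leading space, because `^sha(256|384|512)-` is matched against the raw attribute after `translate()` and the SRI value is defined as a whitespace-separated list of hash expressions. Wrapping the value in `normalize-space()` removes that false positive, and the `+/-=` characters in the `translate()` arguments map to themselves and can be dropped: `- "//script[contains(@src,'//') and not(matches(normalize-space(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')), '^sha(256|384|512)-'))]"`. The identical expression is repeated in the extractor hunk below and should receive the same change so the matcher and the extracted `src` values stay in step. `matches()` is an XPath 2.0 function rather than XPath 1.0, so this presumably relies on Nuclei's xpath engine implementing it — worth confirming against a page carrying a valid `sha384-` attribute before merging. The trailing `# digest:` line is unchanged although the template body changed; if that signature is not regenerated by the release tooling, signature verification of this template will fail.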
|
||||
|
|