Invalid Subresource Integrity

Severity: Medium | Web Application Scanning | Plugin ID 98649

Synopsis

Invalid Subresource Integrity

Description

Subresource Integrity (SRI) is a web security standard that enables browsers to verify that resources hosted by third parties (CDN for example) are delivered without unexpected manipulation.

SRI works by comparing the cryptographic hash declared in the integrity attribute of the tag used to fetch the resource (such as script or link) with the hash the browser computes over the bytes it actually received.

A mismatch between the integrity attribute hash and the calculated hash has been detected for one or more resources.

Solution

Check whether the third-party resources have been modified. If the modification is legitimate, update the integrity attribute; if it is not, stop using the third-party resources.

See Also

https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet#Subresource_Integrity

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Plugin Details

Severity: Medium

ID: 98649

Type: remote

Published: 8/7/2019

Updated: 11/26/2021

Scan Template: scan, pci, overview

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS Score Source: Tenable

Vulnerability Information

Patch Publication Date: 8/1/2019

Vulnerability Publication Date: 8/1/2019