Missing Subresource Integrity Security Misconfiguration Scanner

This scanner detects issues related to Missing Subresource Integrity in the implementation of web resources. Subresource Integrity (SRI) is vital in ensuring that third-party resources have not been tampered with, thereby protecting websites and users from potential scripts or content modifications. Organizations and web developers who rely on integrated scripts in their HTML pages must enforce SRI to maintain security and trustworthiness of the content served. Without SRI, there's a potential risk that an attacker could alter scripts, leading to unauthorized actions on a user's browser. Utilizing this scanner, security professionals can identify pages that fail to implement this security measure, providing an opportunity to correct the oversight and mitigate risk. Implementing effective SRI safeguards should be part of a robust web application's security posture.

The Security Misconfiguration in this context refers to the lack of integrity checking on resources fetched by a web page. When scripts or assets are referenced from third-party sources without integrity checks, there's an increased risk that an attacker could replace these assets with malicious counterparts. This vulnerability stems from neglecting to use the 'integrity' attribute within script or link tags in HTML. By incorporating SRI, a hash is associated with the resource, allowing the browser to verify its authenticity before execution. This step is crucial in guarding against a range of attacks that stem from modified scripts. By detecting the absence of SRI, one can proactively prevent potential security breaches.

Technically, the vulnerability appears within HTML script or link tags that fetch resources from external domains. The missing 'integrity' attribute alongside these tags is a clear indicator of the vulnerability. The 'integrity' attribute should accompany the script tag within the HTML, typically alongside a 'crossorigin' attribute for cross-origin requests. The vulnerability impacts web applications that use external JavaScript or CSS resources and do not enforce integrity verification through these attributes. Analyzing the HTML output to ensure the presence and correctness of SRI is a critical step in ensuring web security, and this scanner accomplishes that by evaluating the integrity attribute usage precisely.

Failure to implement SRI can lead to severe consequences, primarily if the remote resource is altered maliciously. Attackers could inject malicious code, leading to website defacement, data breaches, or client-side exploits. This security laxity can also affect the confidentiality, integrity, and availability of the web service, leading to heightened downtime and reputational damage. Without strict resource checks, users visiting the site may unknowingly execute harmful scripts, falling victim to attacks such as XSS or session hijacking. Ensuring robust SRI implementation averts these potential threats by confirming the authenticity of external scripts and assets.

REFERENCES

• https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html#subresource-integrity
• https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity