Invalid Sub-Resource Integrity values detected
Description
JavaScript or CSS source files were found to contain invalid
Sub-Resource Integrity (SRI)
integrity
values or a missing crossorigin
value. These scripts or links should be investigated to
ensure they have not been maliciously altered. If in doubt, contact the owner of the scripts or replace
them with known good versions.
Remediation
All identified resources should be sourced from the same domain as the target application. If this is not
possible, it is strongly recommended that all script
tags that implement src
values, or link
tags
that implement the href
values include Sub-Resource Integrity. To generate SRI integrity values the
SRI hash tool can be used, or by running one of the following commands:
-
cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 -A
-
shasum -b -a 384 FILENAME.js | awk '{ print $1 }' | xxd -r -p | base64
The output of these tools must be added as additional attributes, in particular: integrity
and either
crossorigin=anonymous
or crossorigin=use-credentials
.
An example of a valid SRI protected script tag can be found below:
<script src="https://example.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
829.2 | true | 829 | Passive | Medium |