Detections
Analytics

Invalid Subresource Integrity

medium Web App Scanning Plugin ID 98649

Language:

Synopsis

Invalid Subresource Integrity

Description

Subresource Integrity (SRI) is a web security standard that enables browsers to verify that resources hosted by third parties (CDN for example) are delivered without unexpected manipulation.

SRI works by comparing a cryptographic hash declared in the integrity attribute of the resource tag (like script or link) used to fetch the resource and the calculated hash value of this resource.

A mismatch between integrity attribute hash and calculated hash has been detected for one or more resources.

Solution

Check if third party resources have been modified. If it's a legitimate modification then update the integrity attribute, if not do not continue to use the third party resources.

See Also

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet#Subresource_Integrity

Plugin Details

Severity: Medium

ID: 98649

Type: remote

Published: 8/7/2019

Updated: 7/13/2023

Scan Template: basic, full, overview, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Vulnerability Information

Patch Publication Date: 8/1/2019

Vulnerability Publication Date: 8/1/2019

Reference Information