html.security.audit.missing-integrity.missing-integrity

Author
unknown
This tag is missing an 'integrity' subresource integrity (SRI) attribute. The 'integrity' attribute lets the browser verify that externally hosted files (for example, from a CDN) are delivered without unexpected manipulation. Without it, an attacker who can modify the externally hosted resource could mount XSS and other attacks against every page that loads it. To prevent this, put the base64-encoded cryptographic hash of the resource (file) the browser is told to fetch in the 'integrity' attribute of every externally hosted script and stylesheet.
Definition
rules:
  - id: missing-integrity
    metadata:
      category: security
      technology:
        - html
      cwe:
        - "CWE-353: Missing Support for Integrity Check"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      confidence: LOW
      references:
        - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    patterns:
      - pattern-either:
          - pattern: <script $...A >...</script>
          - pattern: <link $...A >
      - metavariable-pattern:
          metavariable: $...A
          patterns:
            - pattern-either:
                - pattern: src='... :// ...'
                - pattern: src="... :// ..."
                - pattern: href='... :// ...'
                - pattern: href="... :// ..."
                - pattern: src='//...'
                - pattern: src="//..."
                - pattern: href='//...'
                - pattern: href="//..."
            - pattern-not-regex: (?is).*integrity=
            - pattern-not-regex: (google-analytics.com|fonts.googleapis.com|googletagmanager.com)
    paths:
      include:
        - "*.html"
    message: This tag is missing an 'integrity' subresource integrity attribute. The
      'integrity' attribute allows for the browser to verify that externally
      hosted files (for example from a CDN) are delivered without unexpected
      manipulation. Without this attribute, if an attacker can modify the
      externally hosted resource, this could lead to XSS and other types of
      attacks. To prevent this, include the base64-encoded cryptographic hash of
      the resource (file) you’re telling the browser to fetch in the 'integrity'
      attribute for all externally hosted files.
    severity: WARNING
    languages:
      - generic
Examples
missing-integrity.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
<!-- ruleid: missing-integrity -->
<script src='https://somewhere-external.com/something-external.js'></script>
<!-- ruleid: missing-integrity -->
<script src='//somewhere-external.com/something-external.js'></script>
<!-- ok: missing-integrity -->
<script src="https://somewhere-external.com/something-external.js" integrity="sha512-blahblah"></script>
<!-- ok: missing-integrity -->
<script src="./something-internal.js"></script>
<!-- ok: missing-integrity -->
<script>console.log('something')</script>
<!-- ruleid: missing-integrity -->
<link href="https://somewhere-external.com/something-external.css" rel="stylesheet">
<!-- ruleid: missing-integrity -->
<link rel="stylesheet" href="https://somewhere-external.com/something-external.css">
<!-- ok: missing-integrity -->
<link href="https://somewhere-external.com/something-external.css" rel="stylesheet"
integrity="sha512-blahblah">
<!-- ok: missing-integrity -->
<link rel="stylesheet" type="text/css" href="./something-internal.css" />
<!-- ok: missing-integrity -->
<script src="https://www.googletagmanager.com/gtag/js?id=GA_TRACKING_ID"></script>
<!-- ok: missing-integrity -->
<script src="https://www.google-analytics.com/analytics.js"></script>
<!-- ok: missing-integrity -->
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Tangerine">
<!-- ok: missing-integrity -->
<link rel="stylesheet" href="https://someurl/style.css" integrity="sha256-somehashdigest">
<!-- ok: missing-integrity -->
<link rel="stylesheet" href="./css/mystyle.css">
</head>
<body>
</body>
</html>
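An added example, not Semgrep's code or the rule's own implementation: a Python approximation of the checks in the definition above (external `src`/`href`, no `integrity` attribute, the three allowlisted hosts skipped), plus a helper that produces the `integrity` value for the bytes of a fetched resource. The sample document and the `cdn.example.com` host are constructed; the rule's host regex is unanchored, which the suffix match on the URL host only approximates.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts exempted by the rule's second pattern-not-regex (constructed mirror of it).
ALLOWLIST = ("google-analytics.com", "fonts.googleapis.com", "googletagmanager.com")


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Build an 'integrity' value ('<algo>-<base64 digest>') for the resource bytes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def is_external(url: str) -> bool:
    """Match the rule's URL patterns: scheme://host/... or protocol-relative //host/..."""
    return "://" in url or url.startswith("//")


class _SriAudit(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []  # (tag, url) pairs lacking SRI

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names and strips quotes
        url = {"script": a.get("src"), "link": a.get("href")}.get(tag)
        if not url or not is_external(url) or "integrity" in a:
            return
        host = urlsplit(url).netloc  # also resolves the host of '//host/path'
        if any(host == d or host.endswith("." + d) for d in ALLOWLIST):
            return
        self.findings.append((tag, url))


def find_missing_integrity(html: str) -> list[tuple[str, str]]:
    """Return the external <script>/<link> tags in html that carry no integrity attribute."""
    parser = _SriAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample document (not from the page); two of its tags should be reported.
SAMPLE_HTML = """
<script src='https://cdn.example.com/app.js'></script>
<script src="//cdn.example.com/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="./local.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Tangerine">
"""
```

Compute the value over exactly the bytes the CDN serves (a re-minified or re-encoded copy hashes differently); when the bytes change, the browser refuses to execute or apply the resource until the attribute is updated.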
Short Link: https://sg.run/krXA