https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec
Get cross-site scripting evidence, including:
- Content Security Policy Configurations
- Cross-Domain Subresource Integrity Check
- Cross-Domain Subresource Integrity Failure
- CSP Violations
For details specific to Web Application Security, use the ?risk_vector=web_appsec parameter. Other query parameters are listed in GET: Finding Details.
Content Security Policy Configurations
[assessmentName = content_security_policy]
Example Response
```json
{
"message": "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.",
"documentUrl": "url",
"source": "header",
"directive": "script-src",
"value": [
"'unsafe-inline'"
],
"details": "",
"cspSeverity": 10,
"type": 301
}
```
Response Attributes
| Field | Type | Description |
|---|---|---|
| message | String | A summary of the issue. |
| documentUrl | String | The URL used to retrieve the CSP configuration. |
| source | String | The location where the CSP configuration was loaded from. |
| directive | String | The CSP directive evaluated from a particular piece of evidence. |
| value | Array | The value of the CSP directive. |
| details | String | |
| cspSeverity | Integer | The severity of the CSP directive that will be used for grading. |
| type | Integer | The type of HTML resource. |
Cross-Domain Subresource Integrity Check
[assessmentName = cross_domain_subresource_integrity_check]
Example Response
```json
{
"type": "link",
"resource": "url",
"hash": "Integrity attribute missing"
}
```
Response Attributes
| Field | Type | Description |
|---|---|---|
| type | String | The type of HTML resource. |
| resource | String | A link to the resource as defined in the web application. |
| hash | String | The hash value present in the HTML element. |
Cross-Domain Subresource Integrity Failure
[assessmentName = cross_domain_subresource_integrity_failure]
Example Response
```json
{
"type": "Script",
"resource": "url",
"hash": "Failed to find a valid digest in the 'integrity' attribute for resource 'url' with computed SHA-256 integrity 'CdZ5YfsFUiC3gCJeUOvnoduGoxgDH0EugrrlwIuw+U4='. The resource has been blocked.",
"resolution": "blocked"
}
```
Response Attributes
| Field | Type | Description |
|---|---|---|
| type | String | The type of HTML resource. |
| resource | String | A link to the resource as defined in the web application. |
| hash | String | The hash value present in the HTML element. |
| resolution | String | |
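The two Subresource Integrity assessments above report what a browser decides when it fetches a cross-domain script or stylesheet: no `integrity` attribute at all (the check finding), or an attribute whose digests do not match the bytes actually served (the failure finding, with the resource blocked). The following Python is an added example, not BitSight's code, that replays that decision locally: it computes the `sha256-`/`sha384-`/`sha512-` token for a resource body, parses a multi-token `integrity` attribute the way the SRI specification does (strongest listed algorithm wins), and emits a dictionary using the field names documented above. The function names, the sample script bytes and the `cdn.example.test` URLs are constructed for the example; only the `hash` message format is taken from the page.

```python
import base64
import hashlib
import re

# Algorithms the SRI specification allows, weakest first; a browser compares against
# the digests of the strongest algorithm that appears in the attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")
_TOKEN_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$")


def compute_integrity(data: bytes, algorithm: str = "sha256") -> str:
    """Return the integrity token a browser would compute for `data`, e.g. 'sha256-<base64>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity_attribute(value: str) -> dict:
    """Parse a whitespace-separated integrity attribute into {algorithm: [digests]}.
    Tokens with unknown algorithms or malformed digests are dropped, as browsers drop them."""
    parsed = {}
    for token in value.split():
        match = _TOKEN_RE.match(token)
        if match:
            parsed.setdefault(match.group(1), []).append(match.group(2))
    return parsed


def check_subresource(element_type: str, resource_url: str, integrity_attr, resource_bytes: bytes) -> dict:
    """Replay the browser's SRI decision for one <script>/<link> and report it with the
    field names of the two findings documented above (plus an 'assessment' key)."""
    finding = {"type": element_type, "resource": resource_url}
    if integrity_attr is None or not integrity_attr.strip():
        finding["assessment"] = "cross_domain_subresource_integrity_check"
        finding["hash"] = "Integrity attribute missing"
        return finding
    finding["hash"] = integrity_attr
    parsed = parse_integrity_attribute(integrity_attr)
    if not parsed:
        # Per the SRI spec an attribute with no recognised tokens imposes no check:
        # the browser loads the resource unverified.
        finding["assessment"] = "cross_domain_subresource_integrity_check"
        finding["resolution"] = "loaded"
        return finding
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    computed = compute_integrity(resource_bytes, strongest).split("-", 1)[1]
    if computed in parsed[strongest]:
        finding["assessment"] = "cross_domain_subresource_integrity_check"
        finding["resolution"] = "loaded"
        return finding
    finding["assessment"] = "cross_domain_subresource_integrity_failure"
    finding["hash"] = (f"Failed to find a valid digest in the 'integrity' attribute for resource "
                       f"'{resource_url}' with computed SHA-{strongest[3:]} integrity '{computed}'. "
                       "The resource has been blocked.")
    finding["resolution"] = "blocked"
    return finding


if __name__ == "__main__":
    # Constructed sample: a script body, its correct token, and a tampered copy.
    body = b"console.log('hello');\n"
    token = compute_integrity(body)
    print(check_subresource("Script", "https://cdn.example.test/app.js", token, body))
    print(check_subresource("Script", "https://cdn.example.test/app.js", token, body + b"// tampered"))
    print(check_subresource("link", "https://cdn.example.test/site.css", None, b"body{}"))
```

Feed it the bytes you actually receive from the CDN, not a local copy: a finding of the failure type means the served content differs from what the page author pinned, which is exactly the condition SRI exists to catch.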
CSP Violations
[assessmentName = csp_violation]
Example Response
```json
{
"lineNumber": 165,
"resolutionStatus": "blocked",
"message": "Refused to load the script 'url' because it violates the following Content Security Policy directive: \"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.youtube.com\". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.\n",
"resourceUrl": "url"
}
```
Response Attributes
| Field | Type | Description |
|---|---|---|
| lineNumber | Integer | The line number in the source page. |
| resolutionStatus | String | The action the browser took when loading the resource. |
| message | String | A summary of the issue. |
| resourceUrl | String | The resource URL that had the CSP violation. |
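The Content Security Policy Configurations finding flags weak source expressions such as `'unsafe-inline'` in a directive, and the CSP Violations finding records the browser refusing a load, including the CSP3 rule that an unset `script-src-elem` falls back to `script-src`. The Python below is an added example, not BitSight's code, that reproduces both evaluations for a header value: `audit_csp` lists weak sources in the script-governing directives (treating `'unsafe-inline'` as inert when a nonce or hash source is present, as CSP2 and later do), and `evaluate_load` walks the fallback chain and matches the resource URL against `'self'`, scheme and host sources (with `*.` wildcards) to decide whether the load is blocked, producing a message in the shape of the one documented above. The function names, the fallback table, the `example.test` hosts and the policies in the demo are constructed for the example; `cspSeverity` is deliberately not emitted because the grading scale is BitSight's own.

```python
from urllib.parse import urlsplit

# CSP3 fallback chains: the browser enforces the most specific directive that is present.
FALLBACKS = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "img-src": ("img-src", "default-src"),
}

# Source expressions that undo the protection a script directive is meant to give.
WEAK_SOURCES = {
    "'unsafe-inline'": "allows the execution of unsafe in-page scripts and event handlers.",
    "'unsafe-eval'": "allows string-to-code evaluation such as eval() and new Function().",
    "*": "allows scripts to be loaded from any origin.",
    "data:": "allows scripts from data: URLs, which an injected element can carry inline.",
}


def parse_csp(header: str) -> dict:
    """Turn a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # a repeated directive is ignored
    return policy


def audit_csp(header: str, source: str = "header") -> list:
    """Report weak source expressions in the directives that govern script execution,
    using the field names of the content_security_policy finding (cspSeverity omitted)."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src-elem", "script-src-attr", "script-src", "default-src"):
        values = policy.get(directive)
        if values is None:
            continue
        # CSP2+: a nonce or hash source makes 'unsafe-inline' inert, so it is not a weakness then.
        has_nonce_or_hash = any(v.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for v in values)
        for expr in values:
            if expr == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            if expr in WEAK_SOURCES:
                findings.append({"source": source, "directive": directive, "value": [expr],
                                 "message": f"{expr} {WEAK_SOURCES[expr]}"})
    if not any(d in policy for d in FALLBACKS["script-src-elem"]):
        findings.append({"source": source, "directive": "script-src", "value": [],
                         "message": "Neither script-src nor default-src is set, so script loads are unrestricted."})
    return findings


def source_allows(expr: str, url: str, self_origin: str) -> bool:
    """Does one source expression permit `url`? Covers keyword, scheme and host sources
    (including *.example wildcards); nonce and hash sources never match a URL."""
    target = urlsplit(url)
    if expr == "'self'":
        origin = urlsplit(self_origin)
        return (target.scheme, target.hostname, target.port) == (origin.scheme, origin.hostname, origin.port)
    if expr.startswith("'"):  # 'none', 'unsafe-*', 'nonce-...', 'sha256-...'
        return False
    if expr == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":"):  # scheme source such as https:
        return target.scheme == expr[:-1].lower()
    scheme, _, hostport = expr.rpartition("://")
    host, _, port = hostport.split("/", 1)[0].lower().partition(":")  # path part ignored here
    if scheme and target.scheme != scheme.lower():
        return False
    if not scheme and target.scheme not in ("http", "https"):
        return False
    if port and port != "*":
        default_port = {"https": 443, "http": 80}.get(target.scheme)
        if (target.port or default_port) != int(port):
            return False
    hostname = (target.hostname or "").lower()
    if host.startswith("*."):
        return hostname.endswith(host[1:])  # *.youtube.com matches www.youtube.com, not youtube.com
    return hostname == host


def evaluate_load(header: str, resource_url: str, self_origin: str, directive: str = "script-src-elem") -> dict:
    """Replay the browser's decision for one external resource and report it with the
    field names of the csp_violation finding (plus the directive actually enforced)."""
    policy = parse_csp(header)
    used = next((d for d in FALLBACKS[directive] if d in policy), None)
    result = {"resourceUrl": resource_url, "directive": used, "resolutionStatus": "loaded", "message": ""}
    if used is None or any(source_allows(e, resource_url, self_origin) for e in policy[used]):
        return result
    kind = "script" if directive.startswith("script") else "resource"
    note = f" Note that '{directive}' was not explicitly set, so '{used}' is used as a fallback." if used != directive else ""
    result["resolutionStatus"] = "blocked"
    result["message"] = (f"Refused to load the {kind} '{resource_url}' because it violates the following "
                         f"Content Security Policy directive: \"{used} {' '.join(policy[used])}\".{note}")
    return result


if __name__ == "__main__":
    # Constructed demo using the policy quoted in the violation example above.
    policy = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.youtube.com"
    print(audit_csp(policy))
    print(evaluate_load(policy, "https://cdn.example.test/x.js", "https://www.example.test"))
```

Run `audit_csp` over the header a site actually sends (or the `<meta>` equivalent) to get the same picture the configuration finding gives; `evaluate_load` is useful for confirming, before a policy change ships, which existing third-party scripts would start being blocked.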
- May 15, 2024: Added the details field to the Content Security Policy Configurations response.
- December 12, 2023: Included general finding details; added table of contents.
- August 11, 2023: Published.
Feedback
2 comments
There appears to be a typo. The Content Security Policy Configurations section has the assessmentName listed as “cross_domain_subresource_integrity_check” when I think it should be “content_security_policy”.
You're correct. Thanks for letting us know! Fixing shortly.