Cross-Domain Subresource Integrity (SRI) Failures are scanned as part of the Cross-site Scripting Security Tests used to evaluate the Web Application Security Risk Vector.
In this security test, we check whether any cross-origin script or stylesheet on the site carries an SRI hash that does not match the content actually being served. A mismatch means the bytes the browser received are not the bytes the digest was computed for: either the third-party resource changed (a legitimate new release behind an unpinned URL, or tampering at the CDN or in transit) or the digest on the page was computed incorrectly. In every case the browser refuses to execute or apply the resource.
SRI lets website owners tell browsers exactly which content a resource is expected to have: the browser hashes the fetched bytes and compares the result against the integrity attribute before using them, so a resource modified without the owner's knowledge is blocked rather than run. A failure in this test means that comparison is currently failing for at least one cross-origin resource on the site, so visitors are losing that resource and the owner has not yet accounted for the change.
Need to fix this?
- Verify the change before trusting it: fetch the resource as served, compare it with the version you intended to load (or with the vendor's release notes), and only then recompute the digest and update the integrity attribute on the website. Updating the digest blindly would pin a possibly malicious change.
- Reference third-party resources by a specific version rather than a "latest" URL, so that routine vendor updates cannot silently change the content behind a pinned digest.
- Keep the crossorigin attribute (typically crossorigin="anonymous") on every cross-origin resource that carries an integrity attribute, and make sure the server returns CORS headers for it: without CORS the browser cannot read the response body, so the integrity check fails regardless of the digest.
By doing so you will be able to distinguish expected updates from malicious changes, and to catch any change that was not made with your knowledge.
How can I check the cross domain subresource integrity failures in my web application?
Open Chrome Developer Tools, switch to the Console, and reload the page. A blocked resource is reported with an error of the form "Failed to find a valid digest in the 'integrity' attribute for resource ... with computed SHA-256 integrity ...", followed by a note that the resource has been blocked. The message names the offending URL and the digest Chrome computed for the content it received; once you have confirmed the served content is legitimate, that computed value is the one the integrity attribute should carry.
Does this impact my WAS Risk Vector Grade? Yes.
Possible Grades:
- Good (Weight = 0)
- Warn: Website has invalid digest for at least one cross-origin resource. (Weight = 10 and 50)
What will I see in the Portal?
Details: A cross-domain fetched script's hash does not match the provided integrity value.
Good to Know:
- Certain scripts cannot have the integrity attribute set. Learn more about excluded scripts here.
- Learn more about subresource integrity (SRI) on the Bitsight blog or refer to Mozilla's developer documentation on Subresource Integrity.