Html Missing Subresource Integrity
Description
Missing Subresource Integrity (SRI) allows attackers to modify external JavaScript or CSS resources without detection, potentially leading to malicious code execution. SRI prevents this by requiring cryptographic hashes that validate the integrity of fetched resources before they are loaded by the browser.
Detection Strategy
• Scans HTML files for <script> and <link> elements that reference external resources
• Checks if the referenced URL points to an external domain (not same-origin)
• Verifies the resource type is supported (JavaScript or CSS)
• Reports a vulnerability if the element lacks an 'integrity' attribute containing a cryptographic hash
Vulnerable code example
doctype html
html
head
title Vulnerable Page
// Vulnerable: Loading resources over insecure HTTP protocol
link(rel='stylesheet', href='http://fonts.googleapis.com/css?family=Roboto:300,400', type='text/css')
script(src='//ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js') // Protocol-relative URL can fall back to HTTP
link(rel='stylesheet', href='http://somecdn.com/styles.css')✅ Secure code example
doctype html
html(lang='en')
head
title Vulnerable Page
meta(charset='utf-8')
meta(name='viewport' content='width=device-width, initial-scale=1.0')
// Fixed: Using HTTPS with SRI hashes and crossorigin attribute
link(rel='stylesheet', ...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.