Html Import Map Missing Integrity
Description
Detects HTML import maps that reference external resources without integrity hashes, which could allow supply chain attacks through malicious script modifications. Import maps that load external URLs without integrity checks are vulnerable to script tampering and code injection attacks.
Detection Strategy
• Search for <script type="importmap"> elements in HTML files
• Parse the JSON content within the import map and check for external URLs in the 'imports' section
• Verify each external URL has a corresponding integrity hash defined in the 'integrity' object
• Report a vulnerability if any external URL lacks an integrity hash value
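The four steps above, as an added example in Node.js that is not Fluid Attacks' own detector: it locates inline import maps in an HTML string, parses the JSON, and reports every external URL in "imports" that has no well-formed entry in "integrity". The two sample documents and the hash value are constructed for this example; the "sha384-..." string is a placeholder, not a real digest. It assumes "external" means an absolute http(s) or protocol-relative URL and that the integrity object is keyed by the exact URL string used in "imports".

```javascript
// Added example: minimal checker for import maps that reference external
// resources without an integrity hash. Not part of the original page.

// Matches <script type="importmap"> ... </script> and captures the JSON body.
const IMPORTMAP_RE =
  /<script[^>]*\btype\s*=\s*["']importmap["'][^>]*>([\s\S]*?)<\/script>/gi;

// Assumption: an "external" module is one fetched from another origin,
// i.e. an absolute http(s):// URL or a protocol-relative // URL.
function isExternalUrl(url) {
  return /^(https?:)?\/\//i.test(url);
}

// SRI metadata is one or more "<alg>-<base64>" tokens separated by whitespace.
function hasValidIntegrity(value) {
  if (typeof value !== 'string') return false;
  const token = 'sha(256|384|512)-[A-Za-z0-9+\\/=]+';
  return new RegExp(`^${token}(\\s+${token})*$`).test(value.trim());
}

// Returns one finding per external import that lacks a usable integrity hash.
function findImportMapsWithoutIntegrity(html) {
  const findings = [];
  for (const match of html.matchAll(IMPORTMAP_RE)) {
    let map;
    try {
      map = JSON.parse(match[1]);
    } catch (e) {
      findings.push({ module: null, url: null, reason: 'unparseable import map JSON' });
      continue;
    }
    const imports = map.imports && typeof map.imports === 'object' ? map.imports : {};
    const integrity = map.integrity && typeof map.integrity === 'object' ? map.integrity : {};
    for (const [specifier, url] of Object.entries(imports)) {
      if (typeof url !== 'string' || !isExternalUrl(url)) continue; // local modules are out of scope
      if (!hasValidIntegrity(integrity[url])) {
        findings.push({
          module: specifier,
          url,
          reason: integrity[url] === undefined ? 'no integrity entry' : 'malformed integrity value',
        });
      }
    }
  }
  return findings;
}

// Constructed sample: external CDN import, no "integrity" section at all.
const VULNERABLE_HTML = `<!doctype html>
<html lang="en"><head><title>Import Maps Without Integrity</title></head>
<body>
<script type="importmap">
{
  "imports": {
    "lodash": "https://cdn.example.com/lodash-es@4.17.21/lodash.js",
    "app": "./js/app.js"
  }
}
</script>
</body></html>`;

// Constructed sample: same external import, with a (placeholder) SRI hash.
const SECURE_HTML = `<!doctype html>
<html lang="en"><head><title>Import Maps With Integrity</title></head>
<body>
<script type="importmap">
{
  "imports": {
    "lodash": "https://cdn.example.com/lodash-es@4.17.21/lodash.js"
  },
  "integrity": {
    "https://cdn.example.com/lodash-es@4.17.21/lodash.js": "sha384-EXAMPLEonlyNOTarealHASH0000000000000000000000000000000000000000000="
  }
}
</script>
</body></html>`;

console.log(JSON.stringify(findImportMapsWithoutIntegrity(VULNERABLE_HTML), null, 2));
console.log(JSON.stringify(findImportMapsWithoutIntegrity(SECURE_HTML), null, 2));
```

Browsers resolve the keys of the "integrity" object as URLs against the document's base, so a key written in a different but equivalent form (for example a relative URL) would still satisfy the browser while this string-exact check reports it; a production rule would normalise both sides with the URL API before comparing.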
Vulnerable code example
doctype html
html
  head
    title Import Maps Without Integrity
  body
    //- Vulnerable: External CDN import without integrity hash
    script(type='importmap').
      {...

✅ Secure code example
doctype html
html(lang='en')
  head
    title Import Maps With Integrity
  body
    //- Secure: Single external CDN import with integrity hash
    script(type='importmap').
      {...

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.