SampleApp

6:["$","$L18",null,{"children":["$","$L19",null,{"fixes":[{"fix":{"context":["Usage of Ruby for building dynamic and object-oriented applications","Usage of Ruby on Rails for web application development"],"need":"Enforcement of subresource integrity checks","solution":{"insecure_code_example":{"description":"In the above code, the `index` method in `ApplicationController` is setting `@external_js` to be the URL of a JavaScript file hosted on a third-party server. This URL is then being passed to the `javascript_include_tag` helper in the application's layout file, which generates a script tag to load the JavaScript file.\n\nThe vulnerability here is that there is no subresource integrity check being performed on this external JavaScript file. This means that if the third-party server is compromised, or if the file is modified in transit, the application will still execute the JavaScript file without any warnings. This could lead to malicious code being executed in the context of the application, potentially leading to a variety of attacks such as Cross-Site Scripting (XSS).","text":"# app/controllers/application_controller.rb\nclass ApplicationController < ActionController::Base\n def index\n @external_js = 'https://third-party.com/external.js'\n end\nend\n\n# app/views/layouts/application.html.erb\n\n\n\n SampleApp\n <%= javascript_include_tag @external_js %>\n\n\n <%= yield %>\n\n"},"language":"ruby","secure_code_example":{"description":"$1a","text":"# app/controllers/application_controller.rb\nclass ApplicationController < ActionController::Base\n def index\n @external_js = 'https://third-party.com/external.js'\n @external_js_integrity = 'sha384-XXXX' # Replace 'sha384-XXXX' with the actual hash\n end\nend\n\n# app/views/layouts/application.html.erb\n\n\n\n SampleApp\n <%= javascript_include_tag @external_js, integrity: @external_js_integrity, crossorigin: 'anonymous' %>\n\n\n <%= yield %>\n\n"},"steps":["Implement subresource integrity (SRI) checks for external resources.","Generate the integrity hash for the external resource.","Update the view to include the integrity attribute for the external resource.","Verify that the integrity check passes for the external resource."]},"title":"Missing subresource integrity check","vulnerability_id":"086","last_update_time":"09/18/2023"},"lang":"ruby"}],"header":"$L1b","id":"086","vulnerability":{"en":{"title":"Missing subresource integrity check","description":"The application does not properly check the integrity of resources loaded from third-party servers.\n","impact":"Embed compromised resources from a third party server.\n","recommendation":"Add the integrity attribute to HTML script tags.\n","threat":"Unauthorized attacker from the Internet network.\n"},"es":{"title":"Missing subresource integrity check","description":"La aplicación no verifica apropiadamente la integridad de los recursos cargados desde servidores de terceros.\n","impact":"Embeber recursos comprometidos desde un servidor de terceros.\n","recommendation":"Agregar el atributo integrity a las tags script de HTML.\n","threat":"Atacante sin autorización desde la red de Internet.\n"},"category":"Deceptive Interactions","examples":{"non_compliant":"There is no integrity secure attribute set on the script tags\n```html\n\n \n \n \n\n```\n","compliant":"All script tags on the application have the integrity attribute set\n```html\n\n \n \n \n\n```\n"},"remediation_time":"15","score":{"base":{"attack_vector":"N","attack_complexity":"H","privileges_required":"N","user_interaction":"R","scope":"U","confidentiality":"N","integrity":"L","availability":"N"},"temporal":{"exploit_code_maturity":"P","remediation_level":"X","report_confidence":"X"}},"score_v4":{"base":{"attack_vector":"N","attack_complexity":"H","attack_requirements":"N","privileges_required":"N","user_interaction":"P","confidentiality_vc":"N","integrity_vi":"L","availability_va":"N","confidentiality_sc":"N","integrity_si":"N","availability_sa":"N"},"threat":{"exploit_maturity":"P"}},"requirements":["178","262","330"],"metadata":{"en":{"details":"__empty__"}},"last_update_time":"02/12/2024"}}]}]