Update missing-sri.yaml with css checks #11338

Open: wants to merge 3 commits into base: main
23 changes: 11 additions & 12 deletions http/misconfiguration/missing-sri.yaml
@@ -2,16 +2,16 @@ id: missing-sri

info:
name: Missing Subresource Integrity
author: lucky0x0d,PulseSecurity.co.nz,sullo
author: lucky0x0d, PulseSecurity.co.nz, sullo, amarsct
severity: info
description: |
Checks if script tags within the HTML response have Subresource Integrity implemented via the integrity attribute.
Checks if external script and stylesheet tags in the HTML response are missing the Subresource Integrity (SRI) attribute.
reference:
- https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html#subresource-integrity
- https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
metadata:
max-request: 1
tags: compliance,js,sri,misconfig
tags: compliance,js,css,sri,misconfig

http:
- raw:
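Review bot: style point on the `author` line: the new value introduces spaces after the commas (`author: lucky0x0d, PulseSecurity.co.nz, sullo, amarsct`) while `tags: compliance,js,css,sri,misconfig` in the same hunk keeps the comma-only form used elsewhere in the template; keep the two fields consistent. The reworded description correctly states that both external script tags and stylesheet links are checked, which matches the XPath expressions added further down.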
@@ -22,21 +22,20 @@ http:
redirects: true
max-redirects: 5

matchers-condition: and
matchers-condition: or
matchers:
- type: xpath
part: body
xpath:
- "//script[contains(@src,'//') and not(matches(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=','abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-'))]"

- type: word
words:
- "text/html"
part: header
- "//script[contains(@src, '//') and (not(@integrity) or not(matches(translate(@integrity, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=', 'abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-')))]"
- "//link[@rel='stylesheet' and contains(@href, '//') and (not(@integrity) or not(matches(translate(@integrity, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=', 'abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-')))]"

extractors:
- type: xpath
attribute: src
xpath:
- "//script[contains(@src,'//') and not(matches(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=','abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-'))]"
# digest: 4a0a00473045022035cc74528d4015de4becb701fde9486481cc1755194095f79be9ea515b97f28f022100978e639ff5b38a9be40269679b57d3775c3097ff80a8bdb7ea987b5bcf5f19c3:922c64590222798bb761d5b6d8e72950
- "//script[contains(@src, '//') and (not(@integrity) or not(matches(translate(@integrity, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=', 'abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-')))]"
- type: xpath
attribute: href
xpath:
- "//link[@rel='stylesheet' and contains(@href, '//') and (not(@integrity) or not(matches(translate(@integrity, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ+/-=', 'abcdefghijklmnopqrstuvwxyz+/-='), '^sha(256|384|512)-')))]"
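Review bot: the `text/html` header matcher (`- type: word` / `words: - "text/html"` / `part: header`) is removed and `matchers-condition` is flipped from `and` to `or`, which leaves a single matcher, so the `or` has no effect, and the template now evaluates the XPath expressions against every response instead of only HTML ones. Suggest restoring the content-type matcher and `matchers-condition: and`: the two XPath expressions (script and stylesheet) decide what gets reported, while the header check keeps non-HTML responses out of the results. Separately, the `# digest:` line is the template's signature and no longer corresponds to the changed content; as far as I know the maintainers regenerate it on merge, so it should be left to them rather than edited by hand. Minor: the added `not(@integrity)` sits alongside `not(matches(translate(@integrity, ...)))`, which already evaluates to true when the attribute is absent (an empty string never matches `^sha(256|384|512)-`); harmless, but redundant.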