Insecure Resource
ID | html.insecure_resource
Severity | high
Resource | Information Leak
Language | Html
Tags | CWE:319, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.4, PCI-DSS:6.5.6
Description
This rule identifies instances where resources are loaded over an insecure HTTP connection, which exposes them to man-in-the-middle attacks.
Rationale
When an HTML page loads resources such as scripts, images, or stylesheets over an unencrypted HTTP connection, an attacker positioned on the network path can intercept and tamper with them in transit. This can lead to unauthorized access, data breaches, and compromise of the web application's integrity.
Consider the following example:
<!DOCTYPE html>
<html>
<head>
<title>Insecure Resource Example</title>
<link rel="stylesheet" type="text/css" href="http://example.com/style.css"> <!-- FLAW -->
<script src="http://example.com/script.js"></script> <!-- FLAW -->
</head>
<body>
<h1>Hello World!</h1>
</body>
</html>
In this code snippet, both the stylesheet and the script are loaded over plain HTTP, so an attacker on the network path can read or modify them before they reach the browser.
Remediation
To remediate this issue, ensure that all resources are loaded over a secure HTTPS connection. This encrypts the data in transit and prevents eavesdropping and tampering.
Here’s the corrected version of the previous example:
<!DOCTYPE html>
<html>
<head>
<title>Secure Resource Example</title>
<link rel="stylesheet" type="text/css" href="https://example.com/style.css">
<script src="https://example.com/script.js"></script>
</head>
<body>
<h1>Hello World!</h1>
</body>
</html>
By changing the protocol from http to https, the resources are now loaded securely, significantly reducing the risk of attack. Additionally, ensure that the web server and resources are properly configured to handle HTTPS requests and that valid SSL/TLS certificates are in place.
Configuration
The detector has the following configurable parameters:
- allowedDomains: the domains that are allowed even when their resources are referenced over an insecure protocol.
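As an added illustration, not code from the rule's documentation or from the scanner's own implementation: a small Python detector that applies the check described in the Rationale and honours an allowed-domains list like the allowedDomains parameter above. It goes beyond the page's example by also inspecting img, iframe, audio, video, source, object and embed references, not only link and script. The tag/attribute table, the function names and the allowed_domains argument are assumptions, and the sample HTML is constructed for the example (the intranet.example host is a placeholder).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed mapping of tags to the attributes that reference a loadable sub-resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class InsecureResourceFinder(HTMLParser):
    """Collect (line, tag, attribute, url) for every resource referenced over plain http://."""

    def __init__(self, allowed_domains=()):
        super().__init__()
        # Mirrors the rule's allowedDomains parameter: hosts listed here are not reported.
        self.allowed_domains = {d.lower() for d in allowed_domains}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for attr in RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name != attr or not value:
                    continue
                parts = urlsplit(value.strip())
                # Only an explicit http:// scheme is insecure; https://, protocol-relative
                # (//host/...) and relative paths inherit the page's own scheme.
                if parts.scheme.lower() != "http":
                    continue
                host = (parts.hostname or "").lower()
                if host in self.allowed_domains:
                    continue
                line, _offset = self.getpos()  # position of the offending start tag
                self.findings.append((line, tag, attr, value))


def find_insecure_resources(html, allowed_domains=()):
    """Return the list of insecure resource references found in the given HTML text."""
    parser = InsecureResourceFinder(allowed_domains)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: the rule's flawed example plus a few extra cases.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<title>Insecure Resource Example</title>
<link rel="stylesheet" type="text/css" href="http://example.com/style.css">
<script src="http://example.com/script.js"></script>
<script src="https://example.com/safe.js"></script>
<img src="http://intranet.example/logo.png">
<img src="//example.com/protocol-relative.png">
</head>
<body>
<h1>Hello World!</h1>
</body>
</html>
"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_resources(SAMPLE_HTML):
        print(f'line {line}: <{tag} {attr}="{url}"> is loaded over insecure HTTP')
    print("with intranet.example allowed:")
    for line, tag, attr, url in find_insecure_resources(
        SAMPLE_HTML, allowed_domains=("intranet.example",)
    ):
        print(f'line {line}: <{tag} {attr}="{url}">')
```

Run against the sample, the detector reports the stylesheet (line 5), the script (line 6) and the intranet image (line 8); the https:// script and the protocol-relative image are not flagged. Passing `allowed_domains=("intranet.example",)` suppresses the line 8 finding, which is the behaviour the allowedDomains parameter is meant to give you for hosts you deliberately keep on HTTP.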
References
- CWE-319: Cleartext Transmission of Sensitive Information.