ZAP – Sub Resource Integrity Attribute Missing

Details
Alert ID	90003
Alert Type	Passive
Status	beta
Risk	Medium
CWE	345
WASC	15
Technologies Targeted	All
Tags	CWE-345 OWASP_2017_A06 OWASP_2021_A05
More Info	Scan Rule Help

Summary

The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.

Solution

Provide a valid integrity attribute to the tag.

Other Info

The following hash was calculated (using base64 encoding of the output of the hash algorithm: SHA-384) for the script in question sha384-PJww2fZl501RXIQpYNSkUcg6ASX9Pec5LXs3IxrxDHLqWK7fzfiaV2W/kCr5Ps8G

References

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Code

org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java