
Allowing mixed-content is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure allowing mixed-content is safe here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Covered Languages:
      JavaScript
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      60min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources
    • OWASP:
      A3

      Description

      Mixed content occurs when a page served over HTTPS loads a resource over plain HTTP. The HTTP resource is neither encrypted nor authenticated, so it is exposed to man-in-the-middle (MITM) interception and tampering, and it undermines the protection that HTTPS was meant to give the whole page.

      The main threat from mixed content is not only the confidentiality of the resources themselves but the integrity of the whole website:

      • Passive mixed content (e.g. <img src="http://example.com/picture.png">) lets an attacker read or replace only those resources; swapping an image for a malicious one can, for example, support a phishing attack.
      • Active mixed content (e.g. <script src="http://example.com/library.js">) lets an attacker compromise the entire page by injecting malicious JavaScript (reading and modifying the DOM, stealing cookies, and so on).

      Ask Yourself Whether

      • The website is served over HTTPS and its pages load external resources (scripts, stylesheets, frames, images, media) by URL.

      There is a risk if you answered yes to this question.

      Recommended Secure Coding Practices

      Reference every sub-resource with an https:// URL (or a protocol-relative one, which inherits the page's scheme), and set the Content-Security-Policy block-all-mixed-content directive, which is supported by all modern browsers and makes the browser refuse to load any mixed content. Note that CSP Level 3 deprecates block-all-mixed-content in favour of upgrade-insecure-requests, which rewrites http: sub-resource requests to https: instead of blocking them; current browsers also block active mixed content by default, so the directives are a safety net rather than a substitute for fixing the URLs.
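      As an added example, not part of the rule text or of SonarSource's analyzer, the Node.js script below implements the passive/active classification described above over a constructed sample page, and shows both remediations: rewriting the reference to https:// and adding the block-all-mixed-content directive to an existing CSP. The tag/attribute table is a simplification chosen for this example (it follows the browser rule that scripts, frames, stylesheets and plugins are active while images and media are passive), the regex scan is not a real HTML parser (it ignores CSS url(), srcset and fetch() calls), and SAMPLE_HTML and the shop.example.com page URL are constructed inputs.

```javascript
// Added example (not SonarSource code): find and fix mixed-content references.
// Runs in Node.js with no dependencies; only the WHATWG URL class is used.

// Attribute that triggers a sub-resource fetch for each element, and whether the
// browser treats that resource as "active" (it can run code or restyle the page)
// or "passive" (it is only displayed). Simplified table for illustration.
const FETCHING_ATTRS = {
  script: { attr: 'src',  kind: 'active' },
  iframe: { attr: 'src',  kind: 'active' },
  link:   { attr: 'href', kind: 'active' },   // stylesheets
  object: { attr: 'data', kind: 'active' },
  embed:  { attr: 'src',  kind: 'active' },
  img:    { attr: 'src',  kind: 'passive' },
  audio:  { attr: 'src',  kind: 'passive' },
  video:  { attr: 'src',  kind: 'passive' },
  source: { attr: 'src',  kind: 'passive' },
};

// Classify one reference. Relative and protocol-relative URLs ("//cdn/...") inherit
// the page's https: scheme, so only an explicit http: reference is mixed content.
function classifyReference(pageUrl, tag, value) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return 'not-applicable'; // plain-HTTP pages have no mixed content
  const entry = FETCHING_ATTRS[tag.toLowerCase()];
  if (!entry) return 'unknown';
  let target;
  try { target = new URL(value, page); } catch { return 'invalid'; }
  return target.protocol === 'http:' ? entry.kind : 'ok';
}

// Scan an HTML string with a regex (good enough for a demo, not a real HTML parser:
// it ignores CSS url(), inline scripts that call fetch(), and srcset).
function findMixedContent(pageUrl, html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  for (const [, tag, rawAttrs] of html.matchAll(tagRe)) {
    const entry = FETCHING_ATTRS[tag.toLowerCase()];
    if (!entry) continue;
    for (const [, name, dq, sq, bare] of rawAttrs.matchAll(attrRe)) {
      if (name.toLowerCase() !== entry.attr) continue;
      const value = dq ?? sq ?? bare;
      const kind = classifyReference(pageUrl, tag, value);
      if (kind === 'active' || kind === 'passive') {
        findings.push({ tag: tag.toLowerCase(), attr: entry.attr, url: value, kind });
      }
    }
  }
  return findings;
}

// Remediation 1: reference the resource over HTTPS instead.
function upgradeToHttps(value) {
  const u = new URL(value);
  if (u.protocol === 'http:') u.protocol = 'https:';
  return u.href;
}

// Remediation 2: add the CSP directive the rule recommends to an existing policy
// without duplicating it. Send the result as the Content-Security-Policy header.
function withMixedContentBlocked(policy = '') {
  const directives = policy.split(';').map((d) => d.trim()).filter(Boolean);
  if (!directives.includes('block-all-mixed-content')) directives.push('block-all-mixed-content');
  return directives.join('; ');
}

// Constructed sample page for the demo: two active and one passive mixed-content
// reference, plus three references that are fine (https, protocol-relative, relative).
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/library.js"></script>
<script src="https://cdn.example.com/safe.js"></script>
</head><body>
<img src="http://example.com/picture.png">
<img src="//example.com/logo.png">
<img src="/local.png">
</body></html>`;

const demoFindings = findMixedContent('https://shop.example.com/checkout', SAMPLE_HTML);
for (const f of demoFindings) {
  console.log(`${f.kind.padEnd(7)} <${f.tag} ${f.attr}="${f.url}">  ->  ${upgradeToHttps(f.url)}`);
}
console.log('CSP:', withMixedContentBlocked("default-src 'self'"));
```

      Run it with `node` to see the three findings (the stylesheet and script as active, the image as passive) with their https:// rewrites, followed by the policy `default-src 'self'; block-all-mixed-content`.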

      See

        Attachments

        1.
        JavaScript RSPEC-5731 Language-Specification Active Unassigned

            People

            Assignee:
            Unassigned
            Reporter:
            Eric Therond (eric.therond)
            Votes:
            0
            Watchers:
            1
