HTTP_RESOURCES_WITH_NODE_INTEGRATION_GLOBAL_CHECK
Anthony Trummer edited this page Jan 6, 2022 · 3 revisions
HTTP_RESOURCES_WITH_NODE_INTEGRATION_GLOBAL_CHECK - Review the use of plain HTTP resources loaded in node-integrated contexts
This global check looks for content fetched over HTTP in containers having `nodeIntegration` enabled.
Using plain-text HTTP opens your application to Man-in-the-Middle attacks and, if `nodeIntegration` is enabled, exposes its users to Remote Code Execution scenarios. You can read more about the risks associated with this vulnerability in the HTTP Resources HTML/JS check and nodeIntegration HTML/JS check wiki pages.
Combined use of the `nodeIntegration` property with unencrypted content can expose users to remote code execution vulnerabilities.
Verification is suggested to determine whether the fetched resources can be abused to run arbitrary code or influence the application's flow.
- https://github.com/doyensec/electronegativity/wiki/HTTP_RESOURCES_HTML_CHECK
- https://github.com/doyensec/electronegativity/wiki/HTTP_RESOURCES_JS_CHECK
- https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_HTML_CHECK
- https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_JS_CHECK
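
The correlation this check describes can be sketched as a small Node.js script. This is an added example, not Electronegativity's implementation: the file names, URLs and the `scanFile`/`globalCheck` helpers are constructed for illustration, and the scan is regex-based and correlates app-wide rather than resolving which container loads which resource.

```javascript
// Constructed sample sources (file name -> contents); not taken from a real app.
const SAMPLES = {
  'main-weak.js': `
    const win = new BrowserWindow({ webPreferences: { nodeIntegration: true } });
    win.loadURL('http://updates.example.test/index.html');`,
  'main-hardened.js': `
    const win = new BrowserWindow({
      webPreferences: { nodeIntegration: false, contextIsolation: true }
    });
    win.loadURL('https://updates.example.test/index.html');`,
  'index.html': `<script src="http://cdn.example.test/lib.js"></script>`,
};

// Hypothetical, simplified patterns: an explicit nodeIntegration "true" setting
// and any plain http:// URL literal (https:// does not match).
const NODE_INTEGRATION_ON = /nodeIntegration\s*[:=]\s*["']?true/;
const HTTP_URL = /http:\/\/[^\s"'`<>)]+/g;

// Per-file findings: is nodeIntegration switched on, and which http:// URLs appear.
function scanFile(name, text) {
  return {
    name,
    nodeIntegration: NODE_INTEGRATION_ON.test(text),
    httpUrls: text.match(HTTP_URL) || [],
  };
}

// Global correlation: report plain-HTTP resources only when some file in the
// app also enables nodeIntegration, and say where it is enabled.
function globalCheck(files) {
  const results = Object.entries(files).map(([n, t]) => scanFile(n, t));
  const integrated = results.filter(r => r.nodeIntegration).map(r => r.name);
  const http = results.flatMap(r => r.httpUrls.map(url => ({ file: r.name, url })));
  if (integrated.length === 0 || http.length === 0) return [];
  return http.map(h => ({ ...h, nodeIntegrationIn: integrated }));
}

console.log(globalCheck(SAMPLES));
```

Each reported URL still needs the manual verification suggested above, since the scan cannot tell whether that resource is actually rendered inside the node-integrated container.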