HTTP_RESOURCES_WITH_NODE_INTEGRATION_GLOBAL_CHECK
Lorenzo Stella edited this page Oct 29, 2019 · 3 revisions
HTTPResourcesAndNodeIntegrationGlobalCheck - Review the use of plain HTTP resources loaded in node-integrated contexts
This global check looks for content fetched over HTTP in containers having nodeIntegration enabled.
Using plain-text HTTP opens your application to Man-in-the-Middle attacks and, if nodeIntegration is enabled, exposes its users to Remote Code Execution scenarios. You can read more about the risks associated with the vulnerability in the HTTP Resources HTML/JS check and nodeIntegration HTML/JS check wiki pages.
Combined use of the nodeIntegration property with unencrypted content can expose users to remote code execution vulnerabilities.
It is suggested to verify whether the fetched resources can be abused to run arbitrary code or influence the application's flow.
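A manual review of the same combination can be scripted as below. This is an added example, not Electronegativity's own implementation; the inventory format, container names and `example.test` URLs are constructed for illustration, and sub-resources are resolved against the page URL so that relative references inherit its scheme.

```javascript
// Constructed inventory (hypothetical names): one entry per BrowserWindow,
// with its webPreferences, the page it loads and that page's sub-resources.
const sampleContainers = [
  { name: 'main', webPreferences: { nodeIntegration: true },
    url: 'file:///app/index.html',
    subresources: ['http://cdn.example.test/widget.js'] },
  { name: 'help', webPreferences: { nodeIntegration: false },
    url: 'http://docs.example.test/index.html', subresources: [] },
  { name: 'updater', webPreferences: { nodeIntegration: true },
    url: 'https://updates.example.test/feed.html', subresources: ['./feed.js'] },
  { name: 'legacy', webPreferences: { nodeIntegration: true },
    url: 'HTTP://intranet.example.test/panel.html', subresources: ['./local.js'] },
];

// Resolve a reference against the page URL; null when it cannot be parsed.
function resolve(ref, base) {
  try {
    return new URL(ref, base);
  } catch (_) {
    return null;
  }
}

// Report every plain-HTTP resource loaded by a node-integrated container.
function findHttpInNodeIntegratedContainers(containers) {
  const findings = [];
  for (const c of containers) {
    const prefs = c.webPreferences || {};
    if (prefs.nodeIntegration !== true) continue; // only the combined case
    const refs = [c.url, ...(c.subresources || [])];
    for (const ref of refs) {
      const resolved = resolve(ref, c.url); // URL parsing lowercases the scheme
      if (resolved && resolved.protocol === 'http:') {
        findings.push({ container: c.name, resource: resolved.href });
      }
    }
  }
  return findings;
}

console.log(findHttpInNodeIntegratedContainers(sampleContainers));
```

Each finding is a candidate for moving the resource to HTTPS or disabling nodeIntegration in that container.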
- https://github.com/doyensec/electronegativity/wiki/HTTP_RESOURCES_HTML_CHECK
- https://github.com/doyensec/electronegativity/wiki/HTTP_RESOURCES_JS_CHECK
- https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_HTML_CHECK
- https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_JS_CHECK