Missing subresource integrity
About A08:2021 — Software & Data Integrity
Integrity failures happen when an app trusts data or code it shouldn't — running unsigned updates, deserializing untrusted JSON into native objects, pulling code from a CDN without subresource integrity. The SolarWinds breach was a software-integrity failure on a national scale.
Impact: Insecure deserialization can mean remote code execution: the attacker sends a crafted payload that, when deserialized, instantiates attacker-chosen classes or triggers method calls on them. Missing subresource integrity means a CDN compromise becomes your compromise, because the browser will execute whatever the CDN serves under that URL.
How to fix it: Don't deserialize untrusted input into native objects — use plain JSON parsing and validate the shape of the result before touching any field. Add subresource integrity hashes to third-party scripts. Sign software updates and verify signatures before applying them. Prefer signed commits and pinned versions in dependency management.
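The "plain JSON parsing plus shape validation" advice, as an added example that is not XploitScan's code. The schema, field names and sample payloads are constructed; the point is that `JSON.parse` alone only guarantees syntax, so the code whitelists the fields it accepts, checks each one's type and bounds, and copies only those into a fresh prototype-less object so unexpected keys (including `__proto__`) never reach the rest of the app.

```javascript
// Added example (not XploitScan's code): parse untrusted JSON and validate its
// shape before any property access, instead of handing it to a native
// deserializer. The schema and sample payloads below are constructed.

// The only shape we accept. Anything outside it is rejected or dropped.
const PROFILE_SCHEMA = {
  username: { type: 'string', maxLength: 32 },
  age: { type: 'number', min: 0, max: 150 },
  roles: { type: 'array', item: 'string', maxItems: 10 },
};

// Validate one value against one schema rule; returns an error string or null.
function checkField(field, value, rule) {
  switch (rule.type) {
    case 'string':
      if (typeof value !== 'string') return `field ${field}: expected string`;
      if (value.length > rule.maxLength) return `field ${field}: too long`;
      return null;
    case 'number':
      if (typeof value !== 'number' || !Number.isFinite(value)) {
        return `field ${field}: expected number`;
      }
      if (value < rule.min || value > rule.max) return `field ${field}: out of range`;
      return null;
    case 'array':
      if (!Array.isArray(value)) return `field ${field}: expected array`;
      if (value.length > rule.maxItems) return `field ${field}: too many items`;
      if (!value.every((v) => typeof v === rule.item)) {
        return `field ${field}: bad item type`;
      }
      return null;
    default:
      return `field ${field}: unknown rule`;
  }
}

// Parse untrusted text and return { ok, value } or { ok, error }.
function parseProfile(rawText) {
  let data;
  try {
    data = JSON.parse(rawText);
  } catch (e) {
    return { ok: false, error: 'invalid JSON' };
  }
  // Only a plain object is acceptable; arrays, primitives and null are rejected.
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, error: 'expected an object' };
  }
  // Copy whitelisted fields into a prototype-less object. Keys not in the
  // schema (e.g. "__proto__", "constructor", "isAdmin") are never copied.
  const clean = Object.create(null);
  for (const [field, rule] of Object.entries(PROFILE_SCHEMA)) {
    if (!Object.prototype.hasOwnProperty.call(data, field)) {
      return { ok: false, error: `missing field: ${field}` };
    }
    const err = checkField(field, data[field], rule);
    if (err) return { ok: false, error: err };
    clean[field] = data[field];
  }
  return { ok: true, value: clean };
}

module.exports = { parseProfile, checkField, PROFILE_SCHEMA };
```

A constructed payload such as `{"username":"a","age":1,"roles":[],"__proto__":{"isAdmin":true}}` parses successfully but the returned value carries only the three schema fields; a payload with `"age":"30"` is rejected outright rather than silently coerced later.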
Common patterns in this category:
- `JSON.parse` followed by direct property access without schema validation
- Native deserialization (e.g. node-serialize, pickle) on user input
- `<script src="https://cdn...">` without `integrity=` attribute
- Auto-update mechanisms that don't verify package signatures
- CI/CD pipelines that pull from unpinned, mutable tags instead of a fixed commit or digest
Compliance coverage
Findings from this rule map to the following framework controls:
See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.
Scan your code for VC071 and 157 other rules
Free, no signup. Drag and drop a zip or run `npx xploitscan scan .`