
How to remediate – Mixed Resource Detection

1. Introduction

Mixed Resource Detection (more commonly called mixed content) is the finding that a page delivered over HTTPS loads some of its resources, such as scripts, stylesheets, images or frames, over plain HTTP. The main page looks secure to the user, but an attacker on the network path can read or modify anything fetched over the HTTP channel. It affects websites of all sizes that have not fully transitioned to HTTPS, and a successful attack can compromise user data and undermine trust in the website. Confidentiality is at risk because cookies that lack the Secure flag and any URL parameters on the HTTP request travel in the clear; integrity is at risk because an HTTP-loaded script or stylesheet can be replaced in transit and then runs with the full privileges of the HTTPS page. Availability is usually affected only indirectly: modern browsers block insecure scripts and frames outright, so the page breaks rather than loading insecurely.

2. Technical Explanation

The root cause is serving some resources over HTTP while the page itself is served over HTTPS. Because the subresource request travels unencrypted, anyone positioned between the browser and the server (a hostile Wi-Fi access point, a compromised router, an ISP) can read it and tamper with the response. What the attacker gains depends on the type of resource, which is why browsers distinguish active from passive mixed content. The preconditions are a page served over HTTPS that references at least one http:// URL, and a user viewing that page from a network the attacker can observe.

  • Root cause: Serving resources (images, scripts, stylesheets, frames, media) via http:// URLs when the page that references them is served via HTTPS.
  • Exploit mechanism: A man-in-the-middle intercepts the HTTP request. For passive content (images, audio, video) the attacker sees which assets were fetched and any cookies not marked Secure, and can substitute a different image. For active content (scripts, stylesheets, frames, objects) the attacker replaces the response with their own; a substituted script runs in the origin of the HTTPS page, so it can read the DOM, steal session tokens and submit forms as the user.
  • Scope: Any HTTPS page that references http:// subresources, including third-party ones. Current browsers block active mixed content by default and automatically upgrade or merely warn about passive content, so the practical exposure today is mostly broken functionality plus residual leakage through passive content.

3. Detection and Assessment

You can confirm the finding with your browser’s developer tools or with a scanner that fetches the page’s HTML. The browser console only covers the page you have open, so a thorough assessment crawls every page or template, since a single http:// reference in a shared header or footer affects the whole site.

  • Quick checks: Open a page in your browser, open Developer Tools (usually F12), and check the Console tab for warnings about “mixed content”. In Chrome the Security panel also lists non-secure origins, and the Network panel filter mixed-content:all shows the individual requests, including the active ones the browser blocked.
  • Scanning: Lighthouse (built into Chrome DevTools) reports insecure requests per page, and any crawler that can grep fetched HTML for http:// in src and href attributes works site-wide. TLS configuration testers such as the Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest/) check the server’s certificate and cipher setup, not the page content, and will not find mixed content. These are examples only, and results should be verified manually.
  • Logs and evidence: Web server logs may show requests for static assets arriving on port 80 whose Referer header is an https:// page on your own site; these are passive mixed content that the browser still fetched (active content is blocked before any request is sent). A quick command-line check pulls the page and lists http:// references in fetchable attributes:
curl -s https://example.com/page-with-mixed-content | grep -oE '(src|href|poster|data)="http://[^"]*"'
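The attribute-level scan described above, as an added Python example that is not part of the original article or of any tool it names: it parses a saved HTML page with the standard library, resolves every candidate URL against the page URL so that relative and protocol-relative references are correctly treated as HTTPS, and labels each remaining http:// subresource as active or passive. The sample page, its hostnames and the function names are constructed for the demo; CSS handling covers url(...) tokens only.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "Active" subresources: an HTTP load hands a network attacker script
# execution or control of the page. Browsers block these outright.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed"}
# "Passive" subresources: browsers auto-upgrade or only warn about them.
PASSIVE_TAGS = {"img", "audio", "video", "source", "track", "input"}
URL_ATTRS = ("src", "poster", "data")
# url(http://...) tokens inside <style> blocks or style="" attributes.
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


def css_refs(text):
    """Yield (severity, url) for http:// url(...) tokens in CSS text.
    Images pulled in from CSS are passive; an @import over HTTP is active."""
    for match in CSS_URL.finditer(text):
        preceding = text[max(0, match.start() - 16):match.start()].lower()
        yield ("active" if "@import" in preceding else "passive", match.group(1))


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "style":
            self._in_style = True
        for severity, url in css_refs(attrs.get("style", "")):
            self._record(severity, tag, url)
        if tag == "link":
            rel = attrs.get("rel", "").lower().split()
            if "stylesheet" in rel:
                self._record("active", tag, attrs.get("href"))
            elif "icon" in rel or "preload" in rel:
                self._record("passive", tag, attrs.get("href"))
            return  # rel=canonical, alternate, ... are not fetched
        if tag in ACTIVE_TAGS or tag in PASSIVE_TAGS:
            severity = "active" if tag in ACTIVE_TAGS else "passive"
            for attr in URL_ATTRS:
                self._record(severity, tag, attrs.get(attr))
            for candidate in attrs.get("srcset", "").split(","):
                if candidate.strip():
                    self._record(severity, tag, candidate.strip().split()[0])
        # <a href> and <form action> are navigations, not subresource
        # loads, so they are deliberately not reported.

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for severity, url in css_refs(data):
                self._record(severity, "style", url)

    def _record(self, severity, tag, raw):
        if not raw:
            return
        # Relative and protocol-relative URLs inherit the page's https scheme,
        # so only references that resolve to http:// are mixed content.
        absolute = urljoin(self.page_url, raw.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    counts = {"active": 0, "passive": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample page for the demo; none of these hosts are real.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/checkout">
<script src="http://cdn.example/analytics.js"></script>
<script src="/js/app.js"></script>
<style>body { background: url(http://img.example/bg.png); }</style>
</head><body>
<img src="//img.example/logo.png" alt="">
<img src="http://img.example/banner.jpg" srcset="http://img.example/banner@2x.jpg 2x">
<video poster="http://img.example/poster.jpg" src="https://media.example/intro.mp4"></video>
<a href="http://blog.example/post">Read more</a>
<div style="background-image:url('http://img.example/tile.png')"></div>
</body></html>"""

if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for severity, tag, url in found:
        print(f"{severity:7} <{tag}> {url}")
    print(summarize(found))
```

Run it against HTML saved from your own pages (or fed from a crawler) with the real page URL; the canonical link and the relative script in the sample are deliberately there to show what is not reported.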

4. Solution / Remediation Steps

To fix this issue, ensure all resources are served over HTTPS. Update your website’s code and configuration to use secure URLs for all assets.

4.1 Preparation

  • Take a backup of the site files, templates and web server configuration (or tag the current commit) before making changes. No services need stopping, but plan for potential downtime during code deployment. Roll back by restoring the backup or reverting code changes.
  • Changes should be approved by a senior developer or IT manager.

4.2 Implementation

  1. Step 1: Update all URLs in your website’s HTML, CSS (including url() references inside stylesheets) and JavaScript (including URLs assembled at runtime) to use https:// instead of http://. For assets on your own host, root-relative paths such as /img/logo.png avoid the problem entirely.
  2. Step 2: Check your content management system (CMS) settings, including the site or base URL setting, content stored in the database, and theme or plugin templates, for hardcoded HTTP links and update them to HTTPS.
  3. Step 3: If using a CDN or other third-party provider, ensure it serves assets over HTTPS. If a provider cannot, host the asset yourself or replace the provider, because rewriting its URL to https:// will only make the asset fail to load.
  4. Step 4: Configure the web server to redirect all HTTP traffic to HTTPS. This fixes direct visits and any passive content the browser still requests, but it does not rescue active content, which the browser blocks before the request is sent; those URLs must be changed in the markup.
  5. Step 5: As a safety net for references you missed, send a Content-Security-Policy header with the upgrade-insecure-requests directive so the browser rewrites remaining http:// subresource URLs to https:// before fetching them. This only helps for hosts that actually serve the asset over HTTPS.
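Step 1 and Step 3 together imply a check that a blanket search-and-replace skips: an http:// URL is only safe to rewrite if the host actually serves the asset over HTTPS. The following Python is an added example, not code from the original article; it deduplicates the http:// URLs a scan produced, maps each to its https:// form, and asks an injectable probe whether that target answers. The hostnames, the list of findings and the constructed_probe stand-in are invented for an offline demo; https_probe is the live version using urllib.

```python
from urllib.error import URLError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen


def to_https(url):
    """Return the https:// equivalent of an http:// URL; other URLs unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    # An explicit :80 makes no sense once the scheme changes, so drop it.
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def https_probe(url, timeout=5):
    """Live check: does the host answer a HEAD for this https:// URL with a
    valid certificate and a non-error status? urlopen validates the
    certificate by default, so a host with a broken cert is reported as
    not upgradable, which is what we want."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as response:
            return response.status < 400
    except (URLError, OSError, ValueError):
        return False


def plan_upgrades(urls, probe):
    """Split unique http:// URLs into {http_url: https_url} pairs the probe
    confirmed, and a list of URLs that cannot be upgraded and need a new
    source (self-hosting or a different provider)."""
    upgradable, blocked, seen = {}, [], set()
    for url in urls:
        if url in seen or urlsplit(url).scheme != "http":
            continue
        seen.add(url)
        target = to_https(url)
        if probe(target):
            upgradable[url] = target
        else:
            blocked.append(url)
    return upgradable, blocked


def blocked_hosts(blocked):
    """Distinct hosts that still need an HTTPS-capable replacement."""
    return sorted({urlsplit(url).hostname for url in blocked})


# Constructed inputs for the offline demo; none of these hosts are real.
CONSTRUCTED_FINDINGS = [
    "http://cdn.example/site.css",
    "http://cdn.example/analytics.js",
    "http://img.example/banner.jpg",
    "http://img.example/banner.jpg",              # duplicate, counted once
    "http://legacy-widgets.example:80/widget.js",
    "https://media.example/intro.mp4",            # already secure, ignored
]
CONSTRUCTED_TLS_HOSTS = {"cdn.example", "img.example"}


def constructed_probe(url):
    """Stand-in for https_probe: pretend only these hosts serve TLS."""
    return urlsplit(url).hostname in CONSTRUCTED_TLS_HOSTS


if __name__ == "__main__":
    ok, failed = plan_upgrades(CONSTRUCTED_FINDINGS, constructed_probe)
    for old, new in ok.items():
        print(f"rewrite {old} -> {new}")
    for url in failed:
        print(f"cannot upgrade {url}")
    print("hosts needing a replacement:", blocked_hosts(failed))
    # For a live run against real hosts: plan_upgrades(urls, https_probe)
```

Feed plan_upgrades the URLs from your scan and pass https_probe to test real hosts; the upgradable mapping is what a rewrite step should apply, and the blocked list is what goes to the provider-replacement discussion in Step 3.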

4.3 Config or Code Example

Before

<img src="http://example.com/image.jpg" alt="Example Image">

After

<img src="https://example.com/image.jpg" alt="Example Image">

4.4 Security Practices Relevant to This Vulnerability

  • Least privilege: Limit write access to templates, static files and web server configuration so that a compromised account or plugin cannot reintroduce http:// references.
  • Input validation: Wherever users can supply URLs that end up in your markup (profile images, embedded media in comments, link previews), accept only https:// URLs or proxy the content through your own host; otherwise user-generated content reintroduces mixed content.
  • Secure headers: HTTP Strict Transport Security (HSTS) makes the browser send requests for your domain over HTTPS even when the markup says http://, so it fixes same-host mixed content, but it does nothing for third-party hosts. Enable includeSubDomains only once every subdomain serves HTTPS. Pair it with a Content-Security-Policy upgrade-insecure-requests directive to cover third-party http:// URLs as well.

4.5 Automation (Optional)

# Example Bash script to find http:// references in fetchable attributes and rewrite them to https://.
# Matching the attribute name avoids touching strings that are never fetched, such as XML namespaces
# (xmlns="http://www.w3.org/1999/xhtml"), which a blanket http:// replacement would corrupt.
# The '#' delimiter is needed because the pattern itself contains slashes.
find /var/www/html -name "*.html" -print0 \
  | xargs -0 grep -lE '(src|href|poster|data)="http://' \
  | while IFS= read -r file; do
      sed -i -E 's#(src|href|poster|data)="http://#\1="https://#g' "$file"
    done
# Caution: This script modifies files in place. Back up your website before running it, confirm that every
# host being rewritten actually serves the asset over HTTPS, and review the diff: href also matches <a> links.

5. Verification / Validation

Confirm the fix by re-running the earlier checks and verifying that no mixed content warnings are present. Clear the browser cache or use a fresh profile first so that a cached copy of the old page does not hide the result, and test key user actions to ensure functionality remains intact.

  • Post-fix check: Open a page in your browser, open Developer Tools (F12), and confirm there are no “mixed content” warnings in the Console tab.
  • Re-test: Re-run the scan that surfaced the finding (Lighthouse or your crawler) across all pages, not just the one you fixed, and confirm it reports no insecure requests.
  • Smoke test: Verify that key website features, such as login, form submission and image loading, work correctly over HTTPS, and that third-party embeds still render, which is where an unreachable https:// host shows up.
curl -s https://example.com/page-with-mixed-content | grep -oE '(src|href|poster|data)="http://[^"]*"' # Should print nothing

6. Preventive Measures and Monitoring

Update security baselines to require HTTPS for every resource, and add a check to your CI/CD pipeline that fails the build when templates or built HTML contain http:// in src or href attributes, so mixed content cannot reach production.

  • Baselines: Update internal security policies (and any web server hardening baseline you derive from the CIS benchmarks) to require that all website resources be served over HTTPS and that HTTP be redirected to HTTPS.
  • Asset and patch process: Review website configuration and third-party dependencies regularly (e.g., monthly), and make HTTPS support a requirement when onboarding any new CDN, widget or analytics provider.

7. Risks, Side Effects, and Roll Back

Potential risks include broken functionality if URLs are updated incorrectly, assets that disappear because their host does not serve HTTPS, and compatibility issues with very old clients. Roll back by restoring the backup or reverting code changes.

  • Risk or side effect 1: Assets whose host does not serve HTTPS, or serves it with an invalid certificate, stop loading once their URL is rewritten. Mitigation: probe each distinct host before rewriting; where HTTPS is unavailable, host the asset yourself or switch provider rather than leaving it on HTTP.
  • Risk or side effect 2: Compatibility issues with legacy clients that cannot negotiate TLS 1.2. Mitigation: check browser usage data before enforcing HTTPS everywhere; do not fall back to serving assets over HTTP for them, since that recreates the finding.

8. References and Resources

Updated on December 27, 2025
