Cross Site Script Inclusion


Description

The application is vulnerable to cross site script inclusion: it loads a library hosted on a third-party domain. The organization does not control these third-party scripts, yet the browser executes them in the context of the application's own origin, with the same privileges as the application's own scripts. An attacker who has compromised the third-party host therefore bypasses the protection of the same-origin policy and can execute attacks against the application.

Impact

Since the externally hosted script is not controlled by the organization, changes to it can affect both the security and the functionality of the application. If an attacker compromises the third party and injects malicious code into the script, they can attack every user of the application. A malicious third-party script runs with the same privileges as the application's own scripts, so it can read application data and perform any action available to the current user. Third-party scripts may also disclose sensitive information: the third-party organization sees every request for the script, including HTTP headers (such as Referer) and potentially information about the resources users are requesting. Finally, changes to the third-party script, malicious or not, can cause downtime or improper or unexpected behavior in the application.
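
As an added example (not part of this finding and not code from any project), a small JavaScript audit that lists the third-party hosts a page loads scripts from and whether each tag carries an integrity attribute; the sample HTML and the application origin https://app.example.com are constructed for the demonstration.

```javascript
// Added example, not part of the original finding: audit the <script src> tags of
// a page, report every script loaded from a third-party host and whether it carries
// an integrity attribute (Subresource Integrity). HTML and origin are constructed.
const APP_ORIGIN = 'https://app.example.com';
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://app.example.com/js/vendor.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="//cdn.example.net/other.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script>console.log('inline script: same origin by definition');</script>
</head><body></body></html>`;

// Value of an attribute inside a tag's attribute string, or null if absent.
function attrValue(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3] ?? '') : null;
}

// True if the attribute is present at all (boolean attributes carry no value).
function hasAttr(attrs, name) {
  return new RegExp(`(?:^|\\s)${name}(?:\\s*=|\\s|$)`, 'i').test(attrs);
}

// One entry per script whose resolved URL has an origin other than the
// application's. Relative and protocol-relative src values are resolved
// against appOrigin, so "//cdn.example.net/x.js" is correctly third-party.
function auditExternalScripts(html, appOrigin) {
  const app = new URL(appOrigin);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = attrValue(attrs, 'src');
    if (src === null) continue;                          // inline script
    let url;
    try { url = new URL(src, app); } catch { continue; } // unparsable src
    if (url.origin === app.origin) continue;             // first-party script
    findings.push({ src: url.href, host: url.host,
      hasIntegrity: hasAttr(attrs, 'integrity'),
      hasCrossorigin: hasAttr(attrs, 'crossorigin') });
  }
  return findings;
}

console.log(auditExternalScripts(SAMPLE_HTML, APP_ORIGIN));
```

Every entry with hasIntegrity false is a script whose content the organization cannot pin, so any change on the third-party host runs unchecked in the application's origin.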

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References
