Cross Domain JavaScript Source File Inclusion

OWASP 2013-A5 OWASP 2017-A6 WASC-13 CWE-829

Cross-domain JavaScript source file inclusion is a security warning that can affect a web application that runs one or more Javascript files from a third-party domain. If the third-party intentionally or unintentionally holds a malicious content, it can be added and executed on the victim’s web application.

This possibility occurs when the external Javascript is not validated. It can lead to the leakage of user data.

Sensitive user data can be user’s authentication data (tokens, session IDs, cookies, etc) or personal information (email, home address, phone numbers, social security numbers, etc).

If a web application with <script> tags fetches data from a cross-origin domain, the fetched data is run on the website as if it is a part of the website. This scenario is favourable for an attacker to execute malicious content on the website.

In some cases, UTF-16 encoding can be imposed by an attacker when the charset of the <script> tag is set. This helps the attacker to leak data that are in different formats like JSON, XML, etc.

When a user sends a request, the script will be updated with the response message. If the response is stored in global variables, everyone can read it. If the sensitive information is included in a JSONP response, the executed function can be overridden to get the sensitive information. This trick can be used for global functions as well. Instead of overriding the executed functions, we may use custom-coded callback functions for global functions.

Suppose if the global namespace isn’t used, protocol tampering can be easily done. This method misuses the JavaScript architecture by passing through the prototype chain to find the called property while interpreting the code.

Impact of Cross-Domain Javascript Source File Inclusion

The impact of this warning includes:

  • Possible execution of malicious javascript

  • Possible user data manipulation and leakage

  • Possible functionality change and redirection of data

  • Malware infection

How to Prevent Cross-Domain Javascript Source File Inclusion

The following are some of the efficient ways to counter Cross-Domain JavaScript Source File Inclusion from taking place:

  • It is advised that owners manage web applications by themselves. You can give the privileges to third parties for managing websites, but be careful that they are publicly recognized and trusted.

  • Avoid placing sensitive information inside javascript files or JSONP.

  • Always try to sanitize user entries that are stored in JSON files.

  • Use subresource integrity. It helps browsers to check whether the fetched resources are unnecessarily manipulated or not.

  • Enable Content Security Policy (CSP).

Latest Articles