XSSI (Cross Site Script Inclusion)
Vulnerability: Cross Site Script Inclusion (XSSI)
Overview:
XSSI, or Cross Site Script Inclusion, is a security vulnerability that facilitates the unauthorized leakage of sensitive data from one domain to another. This includes critical information like login credentials, tokens, cookies, session IDs, and personal user data such as mobile numbers, credit card information, emails, and addresses.
Understanding XSSI:
Same Origin Policy (SOP):
SOP restricts websites from accessing data from domains other than their own.
Notably, HTML
<script>
tags are exempt from SOP to enable third-party service consumption, traffic analysis, and Ad-Platform usage.
Dynamic Javascript:
Dynamic JavaScript code expects session tokens to fetch specific data.
Detection involves comparing responses from authenticated and non-authenticated requests; differing responses indicate dynamic JS.
XSSI Attack Scenario:
Detection of Dynamic JS:
Identify dynamic JS files using tools like the Burp plugin DetectDynamicJS or manual inspection.
Example:
A dynamic JS function, e.g.,
info.js
athttps://testsite.com/info.js
, responds differently with and without session cookies.
Attack Steps:
An attacker hosts a site (e.g.,
attacker.com
) and injects code into its HTML.
The injected code fetches sensitive data from
https://vulnsite.com/p/?showinfo=abc
and sends it to the attacker's server.
Victim Interaction:
The attacker delivers the URL
https://attacker.com/index.html
to an authenticated victim.Victim data is fetched, and the attacker can monitor it on their log server.
Remediation:
Avoid Interpolating Sensitive Data:
Refrain from interpolating sensitive data in JavaScript files.
Use JSON URLs:
Utilize JSON URLs instead of embedding sensitive data directly in JavaScript files.
Avoid JSONP:
Do not use JSONP, as it loads script elements and bypasses the Same Origin Policy.
Content Type Consideration:
Choose JSON or HTML content types, as they are subject to the browser's same-origin policy, preventing XSSI attacks.
Reports
Writeups
Last updated