Cross-Site Script Inclusion (XSSI)

Severity: Medium. Web App Scanning Plugin ID 113016

Synopsis

Cross-Site Script Inclusion (XSSI)

Description

Cross-Site Script Inclusion (XSSI) occurs when a remote site's script resource can be included by a page on another origin. Among other things, this allows the browser's Same-Origin Policy (SOP) to be bypassed: rather than making a direct JavaScript request to the target site, which the SOP would block, the attacker lures a victim to a malicious page that includes the remote script through a script tag. If the target site's cookies are configured too laxly, the browser attaches them to that request, and if the script is an authenticated one containing sensitive information, the attacker then gains access to it.

Solution

In general, it is not advisable to include sensitive data in files that can be loaded as JavaScript. Enforce cookies with the SameSite flag. Only allow the page to be requested with a POST request carrying an anti-CSRF token.

See Also

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/13-Testing_for_Cross_Site_Script_Inclusion

https://www.mbsd.jp/Whitepaper/xssi.pdf

https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf

Plugin Details

Severity: Medium

ID: 113016

Type: remote

Published: 10/21/2021

Updated: 11/26/2021

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVSS Score Source: Tenable

Reference Information