Client Side Vulnerabilities / Cross Site Script Inclusion
Description
Cross-Site Script Inclusion (CWE-832) is a type of Client Side Vulnerability which refers to the ability of an attacker to execute malicious scripts in a web application or API by exploiting the application's code or configurations. This type of attack is based on the fact that the scripts of a malicious origin can be included in a legitimate web page or API. This vulnerability can be found in web and API applications and is a part of the OWASP Top 10. According to the OWASP Testing Guide, Cross-Site Script Inclusion can be tested during a web application security assessment by submitting input that contains malicious scripts to the application and observing the application's response.
Risk
Cross-Site Script Inclusion presents a significant risk to web and API applications because it can allow attackers to gain access to data, execute malicious code on the client side, and hijack user sessions and accounts. This type of attack is especially dangerous because it can lead to data breaches, financial losses, and reputational damage.
Solution
The best way to prevent Cross-Site Script Inclusion attacks is to ensure that all input to the web application is validated and sanitized to prevent malicious scripts from being included in the application. Additionally, it is important to ensure that all scripts used in the application are from a trusted source and are properly configured.
Example
The following code is an example of a Cross-Site Script Inclusion vulnerability (CVE-2017-7235) found in a web application.
<script>
var x = '<?php echo $_GET['x']; ?>';
document.write(x);
</script>
In this example, the application is vulnerable to Cross-Site Script Inclusion because it is not validating or sanitizing the user input before it is included in the code. As a result, an attacker could submit malicious scripts as a parameter to the application, which would then be executed in the browser.
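A hardened form of the snippet above, as an added example that is not part of the original page: the request value is encoded for a JavaScript string inside a `<script>` element with PHP's `json_encode()` and written to the page with `textContent` instead of `document.write()`. The function names `js_literal` and `render_page` are hypothetical, the sample inputs are constructed, and PHP 7.3 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not the page's code. Encodes a request value for the two
// contexts the vulnerable snippet mixes: a JavaScript string literal that
// sits inside an HTML <script> element.
function js_literal($value): string
{
    // A query such as ?x[]=a makes $_GET['x'] an array; accept strings only.
    if (!is_string($value)) {
        $value = '';
    }
    // The JSON_HEX_* flags turn < > & ' " into \u00XX escapes, so the value
    // can close neither the string literal nor the <script> element.
    // Invalid UTF-8 is substituted instead of making json_encode() fail.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

function render_page($value): string
{
    // json_encode() emits the surrounding quotes, so none are written here.
    $literal = js_literal($value);
    // textContent treats x as text; document.write() would parse it as HTML.
    return <<<HTML
<p id="out"></p>
<script>
var x = {$literal};
document.getElementById('out').textContent = x;
</script>
HTML;
}

// Constructed sample inputs covering quotes, a closing script tag, HTML
// metacharacters, an array value and an invalid UTF-8 byte.
$samples = ['plain', "it's", '</script>', '"&<>', ['array'], "\xff"];
foreach ($samples as $sample) {
    echo js_literal($sample), PHP_EOL;
}

// In a web request the page would be produced with:
// echo render_page($_GET['x'] ?? '');
```

Run from the command line, the script prints the encoded literal for each sample, which shows that none of them contains a raw quote, `<`, `>` or `&`.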