Detections
Analytics
Cross-Site Script Inclusion (XSSI)
medium Web App Scanning Plugin ID 113016
Language:
Synopsis
Cross-Site Script Inclusion (XSSI)Description
A Cross Site Script Inclusion (XSSI) is the inclusion of a remote page. This vulnerability allows, among other things, to bypass the Same-Origin Policy mechanism of the browser. By forcing a victim to navigate to a malicious site, rather than making a direct request with JavaScript to the desired site which would then be blocked by the SoP, it is possible to include the remote script in the page. With a too lax configuration of the cookies, these will be integrated during the call and if it is an authenticated script containing sensitive information, the attacker will then have access to it.Solution
In general it is not advisable to include sensitive data in files that can be called with Javascript. Enforce cookies with the SameSite flag. Only allow the page to be requested with POST request using an anti-CSRF token.See Also
https://www.mbsd.jp/Whitepaper/xssi.pdf
https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf
Plugin Details
Severity: Medium
ID: 113016
Type: remote
Family: Cross Site Scripting
Published: 10/21/2021
Updated: 11/26/2021
Scan Template: api, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 4.2
CVSS v2
Risk Factor: Medium
Base Score: 5.8
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score Source: Tenable
Reference Information
CWE: 79
OWASP: 2010-A2, 2013-A3, 2017-A7, 2021-A3
WASC: Cross-Site Scripting
CAPEC: 209, 588, 591, 592, 63, 85
DISA STIG: APSC-DV-002490
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-SI-10
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-5.3.3
PCI-DSS: 3.2-6.5.7