Cross-Site Script Inclusion - A Fameless but Widespread Web Vulnerability Class

Veit Hailperin

doi:10.5281/zenodo.3521661

Published April 14, 2016 | Version v1

Journal article Open

Cross-Site Script Inclusion - A Fameless but Widespread Web Vulnerability Class

Veit Hailperin¹

1. scip AG

Contributors

Editor:

Marc Ruef¹

1. scip AG

Two key components account for finding vulnerabilities of a certain class: awareness of the vulnerability and ease of finding the vulnerability. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention – the OWASP Top 10 [1]. Additionally there is no publicly available tool to facilitate finding XSSI. The impact reaches from leaking personal information stored, circumvention of token-based protection to complete compromise of accounts. XSSI vulnerabilities are fairly wide spread and the lack of detection increases the risk of each XSSI. In this paper I am going to demonstrate how to find XSSI, exploit XSSI and also how to protect against XSSI exploitation.

Notes

This paper was written in 2016 as part of a research project at scip AG, Switzerland. It was initially published online at https://www.scip.ch/en/?labs.20160414 and is available in English and German. Providing our clients with innovative research for the information technology of the future is an essential part of our company culture.

Files