XSSI (Cross-Site Script Inclusion)
Last updated
Was this helpful?
Last updated
Was this helpful?
XSSI designates a kind of vulnerability which exploits the fact that, when a resource is included using the script tag, the SOP doesn’t apply, because scripts have to be able to be included cross-domain. An attacker can thus read everything that was included using the script tag.
This is especially interesting when it comes to dynamic JavaScript or JSONP when so-called ambient-authority information like cookies are used for authentication. The cookies are included when requesting a resource from a different host.
Static JavaScript (regular XSSI)
Static JavaScript, which is only accessible when authenticated
Dynamic JavaScript
Non-JavaScript
The private information is located inside a global accessible JS file, you can just detect this by reading files, searching keywords or using regexps. To exploit this, just include the script with private information inside the malicious content:
If the information resides inside a global variable, you you can exploit it using the same code as for the the previous case. If the confidential data is sent inside a JSONP response, you can override the executed function to retrieve the information:
Or you could also set a prepared function to be executed by the JSONP response:
In the original code slice from type Array accesses the data we’re interested in. An attacker can, as described in the preceding clause, override slice and steal the secrets.
JSON with UTF-7:
Including the JSON in the attacker’s page
Confidential information is added to the script when a user requests it. This can be easily discovered by sending the request with and without the cookies, if different information is retrieved, then confidential information could be contained. To do this automatically you can use burp extension: .
If a variable does not reside inside the global namespace, sometimes this can be exploited anyway using prototype tampering. Prototype tampering abuses the design of JavaScript, namely that when interpreting code, JavaScript traverses the prototype chain to find the called property. The following example is extracted from the paper and demonstrates how overriding a relevant function of type Array and access to this, a non-global variable can be leaked as well.
Security Researcher just recently updated his list of .
Takeshi Terada describes another kind of XSSI in his paper . He was able to leak Non-Script files cross-origin by including, among others, CSV files as source in the script tag, using the data as variable and function names.
The first publicly documented XSSI attack was in 2006. Jeremiah Grossman’s blog entry depicts a XSSI, which by overriding the Array constructor was able to read the complete address book of a google account.
In 2007 Joe Walker published . He uses the same idea to steal JSON that is inside an Array.
Other related attacks were conducted by injecting UTF-7 encoded content into the JSON to escape the JSON format. It is described by Gareth Heyes, author of , in the blog entry released in 2011. In a quick test, this was still possible in Microsoft Internet Explorer and Edge, but not in Mozilla Firefox or Google Chrome.