What is Cross Site Script Inclusion (XSSI)?

xss security
Pankrat picture Pankrat · Nov 6, 2011 · Viewed 24.7k times · Source

I've recently seen XSSI mentioned on multiple pages, e.g. Web Application Exploits and Defenses:

Browsers prevent pages of one domain from reading pages in other domains. But they do not prevent pages of a domain from referencing resources in other domains. In particular, they allow images to be rendered from other domains and scripts to be executed from other domains. An included script doesn't have its own security context. It runs in the security context of the page that included it. For example, if www.evil.example.com includes a script hosted on www.google.com then that script runs in the evil context not in the google context. So any user data in that script will "leak."

I fail to see what kind of security problems this creates in practice. I understand XSS and XSRF but XSSI is a little mysterious to me.

Can anybody sketch an exploit based on XSSI?

Thanks

Answer

Erlend picture Erlend · Nov 7, 2011

This is typically a problem if you are using JSONP to transfer data. Consider a website consisting of a domain A that loads data from domain B. The user has to be authenticated to site A and B, and because the Same Origin Policy prevents older browsers from communicating directly with a different domain (B) than the current page (A), the developers decided to use JSONP. So site A includes a script pointing to http://B/userdata.js which is something like:

displayMySecretData({"secret":"this is very secret", ...})

So A defines a function called displayMySecretData, and when the included script from server B runs, it calls that function and displays the secret data to the user.

Now evil server E comes along. It sees that A is including data from B using JSONP. So server E includes the same script, but defines its own displayMySecretData which instead steals the data. The attacker then tricks the user into visiting his site. When the user goes there and he is logged in to B, the browser automatically sends the authentication cookies for B along with the request to fetch the script from B. B sees an authenticated user, and thus returns the script as expected. E gets the data, and presto...

Using JSONP to load confidential data from a different domain this way is thus really insecure, but people are still using it. Bad idea!

Related questions

How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More
How do you configure HttpOnly cookies in tomcat / java webapps?

After reading Jeff's blog post on Protecting Your Cookies: HttpOnly. I'd like to implement HttpOnly cookies in my web application. How do you tell tomcat to use http only cookies for sessions?

Read More
XSS prevention in JSP/Servlet web application

How can I prevent XSS attacks in a JSP/Servlet web application?

Read More