Cross-Site Script Inclusion

Cross-Site Script Inclusion (XSSI) is an attack that exploits an exception to the Same-origin policy (a page may load scripts from any origin) to obtain confidential data from the code of another origin.

Example

  1. Web site site.com sends confidential data for the current user (selected on the basis of the Cookie), such as CSRF tokens or a password-recovery link, in the contents of the JavaScript file config.js or via JSONP:
    var csrfToken = 'ca969a1bc97732d97b1e88ce8396c216';
    ...
    
  2. The file with the confidential data is included on another web site (the attacker's) through the <script> tag:
    <script src="//site.com/config.js"></script>

This page is part of the Web-security course.