XSSI
Definition
Cross-Site Script Inclusion (XSSI) is a web security vulnerability that occurs when a web application inadvertently exposes sensitive data through JavaScript files. Because the browser's same-origin policy does not restrict which origins a script tag may load from, an attacker's page on another origin can include the JavaScript file and read whatever data it defines, with the victim's cookies attached to the request. This can lead to unauthorized data access and potential data leakage.
Secure Settings Example
To mitigate XSSI, ensure that sensitive data is never served as an executable JavaScript file. Additionally, serve such data as JSON with a correct Content-Type header and X-Content-Type-Options: nosniff, so that the browser refuses to execute the response as a script even if a script tag points at it.
Content-Type: application/json
X-Content-Type-Options: nosniff
Insecure Settings Example
An insecure configuration might involve serving sensitive data directly in a JavaScript file (with a JavaScript content type and no nosniff header), so that any page that includes the file can read the values it assigns.
// Insecure: Exposing sensitive data in a JavaScript file
// Any origin that loads this file with a script tag can read sensitiveData.
const sensitiveData = {
  userId: 12345,
  token: "abcde12345"
};