Yes, AppCheck includes a vulnerability type for "JavaScript Loaded Cross-Domain":
Description
When an application includes a script from an external domain, that script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user. If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and also trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Solution
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfill, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
The risks of trusting third-party JavaScript to execute were seen by British Airways on September 6th 2018, when it announced it had suffered a breach resulting in the theft of customer data for 380,000 customers, including personal and payment information. The "Magecart" code injected scripts into British Airways web pages that stole sensitive data that consumers entered into online payment forms.
This finding will be reported (if configured in the web application scan config in question) whenever JavaScript code is found to be dynamically included/injected from a third-party domain, regardless of whether that code is known to contain any malicious content at this point in time.
Please note that this finding will NOT be reported if the JavaScript in question has been downloaded by the customer to the customer's own server and is then packaged up with their application code and served from their own domain - it can only be found and reported if the code is served directly from a third-party server or CDN (Content Delivery Network).
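As an added example (not AppCheck's own check), the following Python script applies the rule described above to a page: it lists the `<script src>` URLs whose host differs from the page's own host, resolving relative and protocol-relative paths first so that self-hosted bundles are not reported. The sample page, hostnames and the exact-hostname comparison are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def cross_domain_scripts(page_url, html):
    """Return the script URLs loaded from a host other than the page's own.

    Relative and protocol-relative src values are resolved against page_url
    first, so "/static/app.js" and "//cdn.example.net/lib.js" are classified
    correctly. Hostnames are compared exactly, so a subdomain of the page's
    host is treated as cross-domain (an assumption of this example).
    """
    page_host = urlparse(page_url).hostname
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)
        host = urlparse(absolute).hostname
        if host and host != page_host:
            findings.append(absolute)
    return findings


# Constructed sample page: one self-hosted bundle, one protocol-relative CDN
# script, one third-party tag and one inline script (no src, never reported).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://analytics.example.org/tag.js" async></script>
<script>window.inlineCode = true;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for url in cross_domain_scripts("https://shop.example.com/checkout", SAMPLE_HTML):
        print("JavaScript loaded cross-domain:", url)
```

The self-hosted `/static/app.js` is not reported, matching the note above that scripts copied to and served from your own domain do not trigger the finding.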