Cross-site Scripting via Remote File Inclusion - Vulnerability Database

Cross-site Scripting via Remote File Inclusion

Description

This vulnerability occurs when an application retrieves content from a remote URL chosen by user input and includes that content in its own response without validating the URL or encoding the fetched body. The result is a Cross-Site Scripting (XSS) vulnerability: an attacker supplies a URL pointing to a resource they control, the application fetches it and writes the returned HTML or JavaScript into the page, and the code executes in the victim's browser within the application's origin.

Unlike traditional XSS, where the malicious code travels in the request itself, this variant uses the Remote File Inclusion mechanism to deliver the payload. Only the URL appears in the request, so request-side filtering never sees the script, and because the content is hosted externally the attacker can change the payload at any time without touching the application again.

Remediation

Implement the following security controls to prevent this vulnerability:

1. Validate and Whitelist URLs:
Only allow retrieval of content from explicitly approved domains and URLs. Implement a strict whitelist of permitted sources, matched exactly against the parsed hostname (substring or prefix matching lets evil-trusted-domain.com through), and restrict the scheme as well so the allowed host cannot be reached over plain http: or via file:, data: or similar URLs.

// Example: URL validation with whitelist
const allowedDomains = ['trusted-domain.com', 'cdn.example.com'];
const url = new URL(userInput); // throws on malformed or relative input
if (url.protocol !== 'https:') {
  throw new Error('URL scheme not allowed');
}
if (!allowedDomains.includes(url.hostname)) {
  throw new Error('URL not allowed');
}

2. Sanitize Retrieved Content:
Apply context-appropriate output encoding to all content retrieved from remote sources before including it in responses. Use HTML entity encoding for HTML contexts, JavaScript encoding for JavaScript contexts, etc. Treat the fetched body as untrusted even when it comes from a whitelisted host, since that host may itself be compromised.

// Example: HTML encoding in various languages
// PHP
$safeContent = htmlspecialchars($remoteContent, ENT_QUOTES, 'UTF-8');

// JavaScript/Node.js
const safeContent = remoteContent
  .replace(/&/g, '&amp;')   // must run first so later entities are not double-encoded
  .replace(/</g, '&lt;')
  .replace(/>/g, '&gt;')
  .replace(/"/g, '&quot;')
  .replace(/'/g, '&#39;');

// Java (org.apache.commons.text.StringEscapeUtils from Apache Commons Text)
String safeContent = StringEscapeUtils.escapeHtml4(remoteContent);

3. Implement Content Security Policy (CSP):
Deploy a strict CSP header to prevent execution of inline scripts and restrict script sources to trusted domains. CSP is a defence-in-depth layer that limits what an injected script can do; it does not remove the injection itself, so it complements rather than replaces the validation and encoding above.
Content-Security-Policy: default-src 'self'; script-src 'self' trusted-cdn.com; object-src 'none'

4. Disable Remote File Inclusion:
If the functionality to include remote files is not essential, disable it entirely. In PHP, ensure allow_url_include is set to Off in php.ini (it defaults to Off and has been deprecated since PHP 7.4); if no code needs to open URLs through the file functions, setting allow_url_fopen to Off as well removes the fetch path altogether.

5. Use Security Libraries:
Leverage well-tested security libraries and frameworks that provide built-in XSS protection, such as OWASP Java Encoder for output encoding, DOMPurify for JavaScript when the fetched HTML must keep its markup and therefore needs sanitizing rather than encoding, or framework-specific sanitization functions.