User controllable script source - Vulnerability Database

User controllable script source

Description

This vulnerability occurs when user-supplied input directly controls the src attribute of a <script> tag without proper validation or sanitization. An attacker can supply a URL pointing to a JavaScript file on a host they control, and the browser loads and executes that file with the full privileges of the application's origin: it can read the DOM, access cookies that are not marked HttpOnly, read local storage and issue authenticated requests on the victim's behalf. The impact is therefore the same as cross-site scripting. Unlike reflected XSS, where the payload must be injected inline and survive whatever encoding the application applies, this vulnerability only requires control of a single URL: the attacker can serve an arbitrarily large script, change it at any time, and the vulnerable application never sees the malicious code itself. Partial checks are not enough. A substring or prefix match on the URL (for example, accepting anything that starts with https://cdn.example.com) is bypassed by a host such as cdn.example.com.attacker.example, and a protocol-relative value such as //attacker.example/x.js is also a valid script source.

Remediation

Implement the following security controls to prevent user input from controlling script sources:

1. Eliminate dynamic script sources: Avoid allowing user input to determine script source URLs entirely. Use static, hardcoded script references whenever possible.

2. Implement strict allowlisting: If dynamic script loading is required, maintain a server-side allowlist of approved script URLs or identifiers. Validate user input against this list before generating script tags.

// Example: Server-side allowlist validation (Node.js, Express route handler)
const express = require('express');
const app = express();

const ALLOWED_SCRIPTS = Object.freeze({
  'analytics': 'https://cdn.example.com/analytics.js',
  'charts': 'https://cdn.example.com/charts.js'
});

app.get('/page', (req, res) => {
  const scriptId = req.query.script;
  // Reject non-string values (Express parses ?script[]=x into an array) and any
  // key that is not an own property of the allowlist, so names such as
  // 'constructor' cannot resolve to something inherited from Object.prototype.
  if (typeof scriptId !== 'string' ||
      !Object.prototype.hasOwnProperty.call(ALLOWED_SCRIPTS, scriptId)) {
    return res.status(400).send('Invalid script identifier');
  }
  // scriptSrc is a fixed, server-controlled URL; the raw parameter never reaches the page.
  const scriptSrc = ALLOWED_SCRIPTS[scriptId];
  res.send(`<script src="${scriptSrc}"></script>`);
});

3. Use Content Security Policy (CSP): Deploy a strict CSP header that limits script sources to trusted domains only. Treat this as defence in depth, not as the fix: a host allowlist is only as strong as the weakest content on the allowed hosts, so if an allowlisted CDN also serves JSONP endpoints, older AngularJS builds or user-uploaded files, an attacker can still load executable content through it. Prefer a nonce- or hash-based policy with 'strict-dynamic' where the application can support it, and add object-src 'none' and base-uri 'none' so the script-src restriction cannot be sidestepped through plugins or an injected <base> element that changes how relative script URLs resolve.

Content-Security-Policy: script-src 'self' https://trusted-cdn.example.com;

4. Implement Subresource Integrity (SRI): When loading external scripts, use SRI hashes to ensure the script content hasn't been tampered with. The integrity value must be computed from a known-good copy of the file and stored server-side next to the allowlisted URL; if the attacker can influence either the src or the integrity attribute, SRI provides no protection. Because the hash pins one exact file, it must be updated whenever the library is upgraded. The crossorigin attribute is required for cross-origin scripts: without it the browser fetches the script in no-cors mode, cannot verify the hash, and refuses to execute the file.

<script src="https://cdn.example.com/library.js" 
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux..." 
        crossorigin="anonymous"></script>

5. Never trust user input: Treat all user-supplied data as untrusted. Never concatenate user input into HTML attributes or JavaScript code; when a value must be echoed, validate it against an allowlist first and then apply the encoding appropriate to the context it lands in (HTML attribute encoding inside an attribute, JavaScript string escaping inside a script block). Note that encoding alone does not fix this vulnerability: an attribute-encoded attacker URL is still a valid URL that the browser will fetch and execute, so validation of the value itself is mandatory.