
One of my web applications underwent a vulnerability assessment recently, and one of the findings is about a cross-domain script include. Our web app uses addthis_widget.js from AddThis to bookmark to Facebook/Twitter etc. It was recommended that we copy the contents of the script onto our own domain and include it from there, or re-implement the script's functionality within our own code.

Is this really an exploitable issue?

RoraΖ
dorothy
  • This is an easy finding that is commonly reported by Burp Scanner. If a pentester is reporting this issue, then they have weak findings and are scrambling to get a report together. – rook Feb 16 '15 at 15:12
  • Hi Rook, why is it a weak finding? thanks – dorothy Feb 16 '15 at 15:30
  • AddThis should support CORS and ideally provide a local library you can copy and run on your server. – jcalfee314 Oct 02 '15 at 19:27

3 Answers


If code is served by a large Content Delivery Network (CDN), like Google's CDN, then it is more than likely that you will be hacked through other means. Large CDNs have a lot of money to spend on security, and a CDN is unlikely to be a weak point in your own infrastructure.

Once a site hits a certain level of popularity, then it needs to serve static content from a CDN. Consider the following post:

Why should I use Google's CDN for jQuery?

The good from a CDN outweighs the extremely unlikely possibility of compromising a well-maintained server that is distributing static content. That being said, I've found a major flaw in an Akamai product...

rook
  • I agree 100% with you and would trust AddThis, but there might be some certifications that require the app to not do this kind of stuff. So I would still recommend that OP talks directly with the security consultant and sees what reasons they have for pointing this out. – Jhuliano Moreno Feb 16 '15 at 17:50
  • Of course if the only answer of the consultant is just "AddThis will add h4x0r codez to da scriptz, bruh", I would totally dismiss his opinion. Just try to get a sense if that ended up in the report just because the vuln. scanner pointed it or because they have a real reason behind it. – Jhuliano Moreno Feb 16 '15 at 18:02
  • I like to assume the vulnerability assessment was done for a reason and it should be the focus of `security.stackexchange.com` to improve security not degrade it. If AddThis gets hacked then your site gets hacked. The popularity of AddThis may lead to better security but would also increase the value of hacking the site. If you have no security concerns then by all means CDN is great (as-is). – jcalfee314 Oct 02 '15 at 19:23
  • @jcalfee314 unfortunately some assessments are conducted by analysts who are blindly reporting Burp scanner findings XD. Context is important, and CDNs are a fundamental requirement for scalable webapps. CDNs aren't perfect, and I recently hacked a major Akamai product... – rook Oct 03 '15 at 02:27

Yes, it is a security issue.

The included JavaScript runs in the context of your website, which means that it has control over anything that you would have control over.

External JavaScript files can harm you by, among other things:

  • read cookies (eg to steal sessions)
  • read user input (eg to read password inputs)
  • change what the user sees (eg to display ads, phishing, defacing)
  • execute forms as the user (eg to change the user's information, to send out spam to other users)
  • perform requests to other servers (eg to send the obtained information to the attacker's server, to perform DOS/bruteforce attacks on other servers, etc)

So you should only include external JavaScript files if:

  • you trust the domain / company from which you include not to harm you
  • you trust them to keep their server secure
  • you use HTTPS for the include to avoid man in the middle attacks

There are of course also upsides to including JavaScript from an external server:

  • the load on your server will be reduced
  • the user might already have that file cached, so the website will load faster for your users.
tim
  • This is a security issue, and for any reasonably complex app there should be no less than 1,000 vulnerabilities that are more important than this one. – rook Feb 16 '15 at 15:26
  • It depends. If the script is included from google.com, it's close to no issue (Google will not do anything bad, and their servers are most definitely secure enough). If it's included from my-super-awesome-website.com, then it might not be the best idea to include it. – tim Feb 16 '15 at 15:36
  • addthis is a pretty popular "copy/paste social share widget", it's not Google but they have been in the market for a long period and I haven't heard they had any security issue so far. – Jhuliano Moreno Feb 16 '15 at 17:39
  • You should only include JavaScript from another domain if you don't have any security concerns (trust is not a security measure IMO). – jcalfee314 Oct 02 '15 at 19:26

The main issue with including scripts from other sites is that they (or even someone that gets to hack their server) might modify the script to include malicious code.

Right now you have 2 options that have pretty big "downsides":

  1. Reimplementing the AddThis script would be pretty time consuming, so I don't think you want to go that way. You would also have to maintain the script.
  2. If you make a copy to your server, you need to know that the AddThis team updates that script, and you would have to keep checking whether you have an old version and then update it (which you would have to do manually, since you don't know if something bad got inserted into it).

Honestly I would stick to including the AddThis script (from their server), but you have a security consultant working for you... Talk with him about the 3 options and the downsides you see for each option (reimplement, cross domain, copy to your server).
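Two of the points above (tim's "only include it if you trust them to keep their server secure" and the self-hosted copy in option 2, which has to be checked for changes) can be turned into a mechanical check: pin a hash of the script and let the browser (via the `integrity` attribute, Subresource Integrity) or a build step refuse a copy whose hash differs. The following is an added example, not code from the question or the answers; `VENDORED_SCRIPT` is a constructed stand-in for a vendored third-party file, not the real addthis_widget.js.

```python
import base64
import hashlib

# Constructed sample standing in for a copy of a third-party script
# that you vendored into your own tree (not the real addthis_widget.js).
VENDORED_SCRIPT = b"(function(){window.addthis_share={};})();\n"


def sri_integrity(script_bytes: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value, e.g. 'sha384-<base64 digest>'.

    Browsers accept sha256, sha384 and sha512; the digest is base64-encoded,
    not hex-encoded, which is the most common mistake when writing these by hand.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Build a <script> tag that makes the browser refuse a copy whose hash differs.

    crossorigin="anonymous" is required for a cross-domain src: without a CORS
    response from the serving host the browser cannot verify the hash at all.
    """
    return (f'<script src="{src}" integrity="{integrity}" '
            f'crossorigin="anonymous"></script>')


def check_vendored_copy(current_bytes: bytes, pinned_integrity: str) -> bool:
    """Compare a local copy against the pinned value recorded when it was reviewed.

    False means the file changed since review: either the vendor shipped an
    update (re-review and re-pin) or something was inserted into the copy.
    """
    algo = pinned_integrity.split("-", 1)[0]
    return sri_integrity(current_bytes, algo) == pinned_integrity


if __name__ == "__main__":
    pinned = sri_integrity(VENDORED_SCRIPT)
    print(script_tag("/static/vendor/addthis_widget.js", pinned))
    # A one-byte change in the vendored copy is enough to fail the check.
    tampered = VENDORED_SCRIPT.replace(b"addthis_share", b"addthis_shar3")
    print("unchanged:", check_vendored_copy(VENDORED_SCRIPT, pinned))
    print("tampered: ", check_vendored_copy(tampered, pinned))
```

The pin covers only that one file: a script that the vendor updates in place will fail the check on every update (the maintenance cost option 2 describes), and anything the script itself loads afterwards is not covered by the hash.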