Questions tagged [xssi]

XSSI (Cross Site Script Inclusion) is an attack where JavaScript containing sensitive data from one domain is included into a site from a different domain. Not to be confused with XSS.

7 questions
46 votes, 2 answers

Will same-site cookies be sufficient protection against CSRF and XSS?

I must say, that I like this idea and it seems that it will bring a new form of protection against CSRF and XSS or at least it will reduce those attacks. So, how effective will this protection be? SameSite-cookies is a mechanism for defining how…
Mirsad
19 votes, 1 answer

How does including a magic prefix to a JSON response work to prevent XSSI attacks?

While working on a project that used the REST API for Gerrit Code Review I noticed that they do something that I thought was strange Source: To prevent against Cross Site Script Inclusion (XSSI) attacks, the JSON response body starts with a magic…
ecnepsnai
7 votes, 1 answer

Is some kind of CSRF possible using an img/script tag to read sensitive information?

Let's say I have an API at https://mysite/api/getSensitiveData that: Uses GET Protected with cookie authentication Returns JSON with some sensitive data A bad guy creates a site on his server that has an image tag:
Ilya Chernomordik
3 votes, 1 answer

How can I get dynamic JavaScript from a web page?

I am trying to understand Cross Site Script Inclusion (XSSI) attacks. For this, I have read the recent paper about this kind of attack. Now my main focus is on detecting dynamic JavaScript files from the targeted web page. What I want to know is,…
2 votes, 1 answer

How to get JS content from an XSSI vulnerability?

I'm learning about XSSI attacks and I'm wondering if the following dynamic JS can be used to access the content. Dinamic.js: if (window.location.hostname === 'Demo.site.com' ){ updateLoginHeader('Nick', 'IWANT-THIS-SECRET'); } Can the attacker…
pancho
0 votes, 0 answers

XSSI, CSRF attacking a REST API's POST method

I'm on a course and there is a bank application which I need to attack by getting users to visit my site, which instantly transfers X amount of money to my balance. Their transaction form posts the recipient, the amount, and a CSRF token at…
Tudvari
0 votes, 3 answers

Why can't SOP be bypassed using the "src" attribute in a script tag?

I'm not familiar with JavaScript, but I want to know what can't be done in these steps in order to bypass SOP and extract sensitive data: set the tag the browser retrieves the content of…
Reda LM