Noob Question: Cross-Domain Javascript Source File Inclusion


Sean McVeigh

Jun 10, 2015, 12:38:13 PM
to zaprox...@googlegroups.com
Hi all, happy Hump Day!

ZAP alerted me that we had a Cross-Domain Javascript Source File Inclusion issue and I just wanted to get clarification on what ZAP considers a "domain".

In my case, the scanned page is space1.mysite.com and the url that is highlighted as the issue was from space2.mysite.com. Both have the same root domain which are ours.

Since I own both domains, this should not be an option as far as I can tell, but I am wondering if it flagged it for some other reason.

Thanks for your time.

S

kingthorin+owaspzap

Jun 10, 2015, 1:19:15 PM
to zaprox...@googlegroups.com
It's a simple check and I don't think you're missing anything.

If ZAP is looking at space1.mysite.com/blef.html which loads space2.mysite.com/some.js then it'll complain. ZAP has no way of knowing if both are owned by you.

Perhaps this could be expanded upon to include consideration for contexts, so that if your context (assuming you have one defined) included both space1.mysite.com and space2.mysite.com then it wouldn't alert. However, simply looking at the domain names isn't sufficient because then you encounter the issue of z.y.x.co.uk, etc. (i.e.: how/when do you decide that the base domain is related/controlled).

If you trust that the included JS is within the control of your organization (perhaps team/devs depending how trusting you are or aren't) then you can manually set them as False Positives (or disable that passive rule).

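The check described in the reply above, as an added illustration that is not ZAP's own code: collect every `<script src>` on a page, resolve it against the page URL, and flag any whose host is not the page's host and not in an explicit "context" set of in-scope hosts. It also shows why the shortcut of comparing the last two DNS labels is not a safe substitute for a context list: it treats `z.y.x.co.uk` and any other `*.co.uk` host as the same "base domain". The page URL, HTML and hostnames below are constructed sample input, and comparing on hostname alone is an assumption made here for the illustration, not a statement of exactly how the ZAP rule decides.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def cross_domain_scripts(page_url, html, context_hosts=()):
    """Return absolute script URLs whose host is neither the page's host
    nor one of context_hosts (hosts the tester has declared in scope).

    Hostname comparison is an assumption of this illustration; inline
    scripts and data: URIs have no host and are never reported.
    """
    page_host = urlsplit(page_url).hostname
    allowed = {page_host} | {h.lower() for h in context_hosts}
    parser = _ScriptSrcParser()
    parser.feed(html)
    flagged = []
    for src in parser.srcs:
        # urljoin resolves relative ("/a.js") and protocol-relative
        # ("//host/a.js") sources against the scanned page's URL.
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname  # already lower-cased
        if host is None:  # e.g. data: URI, not a cross-domain include
            continue
        if host not in allowed:
            flagged.append(absolute)
    return flagged


def naive_same_base_domain(host_a, host_b):
    """The shortcut the reply warns against: 'same base domain' decided
    by the last two DNS labels. Wrong for multi-label suffixes like co.uk."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


# Constructed sample input modelled on the thread's scenario.
SAMPLE_PAGE_URL = "https://space1.mysite.com/blef.html"
SAMPLE_HTML = """<html><head>
<script src="/local.js"></script>
<script src="https://space2.mysite.com/some.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="data:text/javascript,console.log(1)"></script>
<script>inline();</script>
</head><body></body></html>"""


if __name__ == "__main__":
    # Without a context, space2 is flagged just like the third-party CDN.
    print(cross_domain_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML))
    # With space2 declared in the context, only the CDN remains.
    print(cross_domain_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML,
                               {"space2.mysite.com"}))
    # The label-counting shortcut says these two are "related":
    print(naive_same_base_domain("z.y.x.co.uk", "attacker.co.uk"))
```

Run stand-alone it prints the two flagged lists and then `True` for the `co.uk` comparison, which is the false-negative a registered-domain heuristic would introduce; an explicit context list, as proposed in the thread, avoids having to guess where the controlled part of a name begins.
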
Simon Bennetts

Jun 10, 2015, 1:26:35 PM
to zaprox...@googlegroups.com, kingt...@gmail.com
+1 for not reporting domains that are in the same context - I think that's a good way to implement it.

Sean McVeigh

Jun 10, 2015, 1:41:49 PM
to zaprox...@googlegroups.com
Awesome. This is what I thought, just wanted to make sure. Thanks again.

Zeedan Khan

Mar 9, 2018, 12:46:00 AM
to OWASP ZAP User Group
I want to know about the Cross-Domain JavaScript Source File Inclusion.

kingthorin+owaspzap

Mar 9, 2018, 4:28:54 AM
to OWASP ZAP User Group
Well you can start by reading this thread. If that doesn't answer your question you can check: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules#cross-domain-script-inclusion

Lastly you can be more specific and we'll try to answer your detailed question.
