Cross-Domain JavaScript Source File Inclusion

[Tsuyoshi Miyasaka]

Hello,

"Cross-Domain JavaScript Source File Inclusion" detected.
If Parameter and Evidence are displayed as follows, is “//script.crazyegg.com/pages/scripts/0012/6546.js” the file detected as a third-party domain script file?

Parameter ... //script.crazyegg.com/pages/scripts/0012/6546.js
Evidence ... <script type=“text/javascript” src=“//script.crazyegg.com/pages/scripts/0012/6546.js” async=“async”></script

Also, what are the conditions under which OWASP ZAP determines that a script file is from a third-party domain?

Tsuyoshi

[kingthorin+zap]

At a very high level it compares the domain of current HTTP Message to the domain of the included script.

If you want to look at the details the source code is linked from the Alert page: https://www.zaproxy.org/docs/alerts/10017/

[Tsuyoshi Miyasaka]

Thank you for your response.
Is my perception below correct?

"Cross-Domain JavaScript Source File Inclusion" detected.
If Parameter and Evidence are displayed as follows, is “//script.crazyegg.com/pages/scripts/0012/6546.js” the file detected as a third-party domain script file?

Parameter ... //script.crazyegg.com/pages/scripts/0012/6546.js
Evidence ... <script type=“text/javascript” src=“//script.crazyegg.com/pages/scripts/0012/6546.js” async=“async”></script

2024年6月4日火曜日 19:45:53 UTC+9 kingthorin+zap:

[Simon Bennetts]

By default ZAP will report any script that is not on the same domain as the target app as being from a third-party domain.

See the help: https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/#id-10017 for ways to change this behavior.

Cheers,

Simon

[Tsuyoshi Miyasaka]

Thank you,  kingthorin+zap for help
Thank you, Simon for help

2024年6月11日火曜日 18:53:13 UTC+9 psi...@gmail.com: