Cross Domain JavaScript Source File Inclusion

507 views

Skip to first unread message

berry

unread,

Dec 15, 2021, 9:20:29 PM12/15/21

to OWASP ZAP User Group

Zap shows I have Cross-Domain JavaScript Source File Inclusion vuln.I am not sure how to exploit it?

Or how can I determine these files are internal files but disclosed.

Simon Bennetts

unread,

Dec 16, 2021, 4:37:11 AM12/16/21

to OWASP ZAP User Group

ZAP is a tool designed to make the web more secure, so we deliberately dont try to exploit potential vulnerabilities ;)

In this case ZAP is warning you that the script is hosted on what looks like a 3rd party service.

To exploit it you would need to compromise the third party, which you shouldnt try to do as part of a pentest unless you have the permission of that 3rd party :)

It is possible that JS fles are included from domains which no longer exist.

In that case you could register that domain and then create the JS file that is being included - if you can do that and if they dont protect it using CSP script-src then you can do all sorts of bad things!

Cheers,

Simon

Reply all

Reply to author

Forward

0 new messages