Typescript Unsafe Input Resource Injection
Description
Detects unsafe DOM manipulation where untrusted input is used to inject resource elements (like scripts or iframes) into a webpage using appendChild. This could allow attackers to execute malicious JavaScript or load unauthorized external resources.
Detection Strategy
• Identifies calls to the appendChild method in TypeScript/JavaScript code
• Confirms the appended element is a resource element (like script, iframe) created in an unsafe way
• Checks if the element's src attribute contains unvalidated user input or tainted data
• Reports a vulnerability when all conditions are met, indicating potential resource injection
Vulnerable code example
// Vulnerable example of script injection via untrusted query parameter
function loadExternalScript() {
  const params = new URLSearchParams(window.location.search);
  const scriptUrl = params.get("src"); // Unsafe: script source taken from a URL parameter
  const script = document.createElement("script");
  script.src = scriptUrl; // Vulnerable: untrusted input used directly as the script source
  document.head.appendChild(script); // Sink: the tainted resource element is inserted into the DOM
}
✅ Secure code example
function loadExternalScript() {
  // Define allowlist of trusted script sources
  const allowedScriptSources = [
    'https://cdn.example.com/app.js',
    'https://cdn.example.com/lib.js',
    'https://trusted-cdn.com/script.js'
  ];
  ...
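The allowlist approach carried through to the appendChild sink, as an added TypeScript example that is not Fluid Attacks' code: the untrusted parameter only selects an allowlist entry and is never assigned to src. ScriptElementLike and ParentLike are hypothetical stand-ins for HTMLScriptElement and document.head so the logic runs outside a browser, and the allowlist URLs are constructed sample values.

```typescript
// Added example (not from Fluid Attacks): hardened counterpart of the
// vulnerable loader. The tainted value never reaches src.

// Hypothetical stand-ins for HTMLScriptElement and document.head so the
// code runs outside a browser. In a page, pass document.head and
// () => document.createElement("script").
interface ScriptElementLike {
  src: string;
}
interface ParentLike {
  appendChild(el: ScriptElementLike): void;
}

// Exact-match allowlist of trusted script URLs (constructed sample values).
const ALLOWED_SCRIPT_SOURCES: readonly string[] = [
  "https://cdn.example.com/app.js",
  "https://cdn.example.com/lib.js",
];

// Resolve an untrusted candidate (e.g. params.get("src")) against the
// allowlist. Exact equality is deliberate: prefix or substring checks would
// accept URLs with extra path, query or fragment parts. The returned value is
// the allowlist's own string, never the input.
function resolveScriptSource(
  candidate: string | null,
  allowlist: readonly string[] = ALLOWED_SCRIPT_SOURCES,
): string | null {
  if (candidate === null) {
    return null;
  }
  const index = allowlist.indexOf(candidate);
  return index === -1 ? null : allowlist[index];
}

// Append a script element only when the requested source is allowlisted.
// Returns true if an element was appended, false if the request was refused.
function loadExternalScript(
  requestedSrc: string | null,
  parent: ParentLike,
  createScript: () => ScriptElementLike,
): boolean {
  const src = resolveScriptSource(requestedSrc);
  if (src === null) {
    return false; // unknown source: create no resource element at all
  }
  const script = createScript();
  script.src = src; // allowlisted constant, not the query parameter
  parent.appendChild(script);
  return true;
}
```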