Javascript Unsafe Input Resource Injection
Description
Detects JavaScript DOM manipulation vulnerabilities where untrusted/tainted input is used to create and append new elements with potentially malicious resource URLs. This could enable cross-site scripting (XSS) or loading of malicious external resources.
Detection Strategy
• Check for calls to appendChild() method in JavaScript code
• Verify the appended element was created with a DOM construction method such as createElement
• Confirm the element's source attribute (src, href, etc.) contains untrusted or tainted data
• Report vulnerability when an element with a tainted source is appended to the DOM
Vulnerable code example
// Vulnerable dynamic script loading from URL parameter
function loadExternalScript() {
  const script = document.createElement('script');
  script.src = new URLSearchParams(window.location.search).get('lib'); // Vulnerable: Untrusted input used directly as script source
  document.head.appendChild(script); // Allows loading arbitrary malicious JavaScript
}
✅ Secure code example
function loadExternalScript() {
  // Define allowlist of trusted script sources
  const ALLOWED_SCRIPTS = {
    'jquery': 'https://cdn.jsdelivr.net/npm/jquery@3.6.0/dist/jquery.min.js',
    'bootstrap': 'https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.min.js'
  };
  const params = new URLSearchParams(window.location.search);
  // Remainder reconstructed (the page truncates here): the parameter is only a lookup key
  const key = params.get('lib');
  if (!Object.hasOwn(ALLOWED_SCRIPTS, key)) return; // Rejects unknown keys and inherited names such as 'constructor'
  const script = document.createElement('script');
  script.src = ALLOWED_SCRIPTS[key]; // Only an allowlisted URL ever reaches the DOM
  document.head.appendChild(script);
}
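As an added example, not part of this page or of Fluid Attacks' tooling: a small text-based approximation of the detection strategy above, run over constructed copies of the vulnerable and secure snippets. TAINT_SOURCES and findUnsafeInjections are hypothetical names; real analyzers work on an AST with dataflow, so this toy only catches taint that appears directly in the attribute assignment.

```javascript
// Added example (hypothetical helper, not Fluid Attacks' analyzer): a text-based
// approximation of the four-step detection strategy. It only spots taint written
// directly into the resource attribute; a real tool tracks dataflow through variables.
const TAINT_SOURCES = [                       // constructed list of DOM taint sources
  /location\.(search|hash|href)/,
  /URLSearchParams\([^)]*\)\.get\(/,
  /document\.referrer/,
];
const RESOURCE_ATTRS = ['src', 'href', 'data', 'action'];

function findUnsafeInjections(source) {
  // Step 2: elements built with createElement, keyed by variable name -> tag name
  const created = new Map();
  const createRe = /\b(?:const|let|var)\s+(\w+)\s*=\s*document\.createElement\(\s*['"](\w+)['"]\s*\)/g;
  for (const m of source.matchAll(createRe)) created.set(m[1], m[2]);

  // Step 3: a resource attribute of such an element assigned from a tainted expression
  const tainted = new Set();
  for (const name of created.keys()) {
    const assignRe = new RegExp(`\\b${name}\\.(${RESOURCE_ATTRS.join('|')})\\s*=\\s*([^;\\n]+)`, 'g');
    for (const m of source.matchAll(assignRe)) {
      if (TAINT_SOURCES.some((t) => t.test(m[2]))) tainted.add(name);
    }
  }

  // Steps 1 and 4: report every appendChild() whose argument is a tainted element
  const findings = [];
  for (const m of source.matchAll(/\.appendChild\(\s*(\w+)\s*\)/g)) {
    if (tainted.has(m[1])) findings.push({ variable: m[1], tag: created.get(m[1]) });
  }
  return findings;
}

// Constructed samples mirroring the page's vulnerable and secure snippets.
const VULNERABLE_SAMPLE = `
const script = document.createElement('script');
script.src = new URLSearchParams(window.location.search).get('lib');
document.head.appendChild(script);`;

const SECURE_SAMPLE = `
const ALLOWED_SCRIPTS = { jquery: 'https://cdn.jsdelivr.net/npm/jquery@3.6.0/dist/jquery.min.js' };
const key = new URLSearchParams(window.location.search).get('lib');
const script = document.createElement('script');
script.src = ALLOWED_SCRIPTS[key];
document.head.appendChild(script);`;

console.log(findUnsafeInjections(VULNERABLE_SAMPLE)); // [ { variable: 'script', tag: 'script' } ]
console.log(findUnsafeInjections(SECURE_SAMPLE));     // []
```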