- The remotely included code can be buggy, so by choosing to include it you introduce its vulnerabilities into your own site
- The remote host can be malicious and use its scripts to attack your users and exfiltrate data from your site
- The remote host can be targeted by an attacker as a way of reaching a harder-to-reach target (e.g. your page)
- Even though most sites of the Alexa top 10,000 include code from up to 15 remote hosts, there are sites that include code from up to 295 remote hosts. Assuming that only one of these hosts is enough to fully compromise your script-including site, trusting almost 300 of those is, at the very least, worrisome
- As far as remote inclusions are concerned, Google is king, owning 5 out of the top 10 most included scripts found in our study
- Script inclusions from private-network IP addresses: Same as above, but now the site tries to include code from hosts such as “192.168.1.1”. This means that the attacker now just needs to be in the same local network (Cross-network Scripting).
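To check your own pages for the inclusion patterns listed above, here is an added example (not code from the paper or its crawler) that lists the remote hosts a page pulls scripts from and flags private-network sources. The sample page, its host names and the function names are constructed for illustration, and flagging `localhost` alongside private IP literals is an assumption of this example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; every host below is a placeholder.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="//stats.example.org/t.js"></script>
<script src="http://192.168.1.1/dev/widget.js"></script>
<script src="http://localhost:8080/debug.js"></script>
</head></html>
"""

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def is_local_host(host):
    """True for localhost and for loopback or private IP literals."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; this example does not resolve it
    return ip.is_private or ip.is_loopback

def audit_script_inclusions(page_url, html):
    """Return (remote_hosts, local_network_hosts) for a page's script tags."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    remote, local = set(), set()
    for src in collector.sources:
        host = urlsplit(urljoin(page_url, src)).hostname
        if host is None or host == page_host:
            continue  # same-host script, not a remote inclusion
        (local if is_local_host(host) else remote).add(host)
    return sorted(remote), sorted(local)
```

Each host in the first list is one whose compromise reaches your users; anything in the second list should not appear on a production page at all.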
Check out our full paper for all the juicy details 🙂
Till next time
I’m a bit late to the party … but excellent research.
Thanks Kent 🙂