Here is how my front-end application loads its required JS files:
A page (on HTTPS) will send a POST request describing what JS files should be loaded from various servers. The payload will look roughly like this:
{
"1": "https://somehost.com/path/first.js",
"2": "https://someotherhost.com/path/second.js"
}
The server will collect all these JS files, concatenate them and send them back to the client. The client will place the received contents within a dynamically created <script> tag.
We ran IBM Appscan on this and to my surprise, Appscan reported Remote File Inclusion vulnerability and the tool was able to add a 3rd parameter to the JSON, essentially modifying the payload. So it looked something like this:
{
"1": "https://somehost.com/path/first.js",
"2": "https://someotherhost.com/path/second.js",
"3": "https://appscan-host/malicious-test.js"
}
My questions are:
- Is this really a plausible scenario? That an attacker can modify the POST payload sent by the victim's browser to include a remote malicious script? I just can't wrap my head around this - I'm sure I am missing something here.
- Given that we have an architecture that sends JS file URLs dynamically in a JSON payload for server to load and send back to the client, what possible solutions do I have to fix the vulnerability?
- I read about using an HMAC to sign the requests, but if the attacker figures out the algorithm used for generating the HMAC on the client side, he can just recompute the HMAC and replace the HMAC sent by the client after tampering with the POST payload, right?
Also, if this helps in any way, we use cookie-based authentication (Tomcat server, sets a JSESSIONID HttpOnly cookie after form-based authentication for subsequent requests).
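An added example, not code from the question or from any answer: a server-side check for the manifest described above that accepts an entry only when it is an https URL on a host the server itself allowlists, so an appended entry pointing at another host is rejected before anything is fetched. The allowlist contents are an assumption built from the host names in the question; the manifests are constructed samples.

```python
import json
from urllib.parse import urlsplit

# Hypothetical server-held allowlist of script hosts (assumption: built from the hosts
# named in the question). The client never gets to extend this list.
ALLOWED_SCRIPT_HOSTS = {"somehost.com", "someotherhost.com"}


def validate_manifest(payload: str) -> list[str]:
    """Parse the client's JSON manifest and return the URLs in key order.

    Raises ValueError on any entry that is not an https URL on an allowlisted
    host, so a tampered manifest is refused as a whole rather than partly served.
    """
    manifest = json.loads(payload)
    if not isinstance(manifest, dict):
        raise ValueError("manifest must be a JSON object")
    for key in manifest:
        if not key.isdigit():
            raise ValueError(f"manifest key {key!r} is not a numeric index")
    urls = []
    # Deterministic concatenation order: numeric key order, not dict insertion order.
    for key in sorted(manifest, key=int):
        url = manifest[key]
        if not isinstance(url, str):
            raise ValueError(f"entry {key}: URL must be a string")
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise ValueError(f"entry {key}: only https scripts may be loaded")
        if parts.hostname not in ALLOWED_SCRIPT_HOSTS:
            raise ValueError(f"entry {key}: host {parts.hostname!r} is not allowlisted")
        if parts.username or parts.password or parts.port not in (None, 443):
            raise ValueError(f"entry {key}: unexpected credentials or port")
        urls.append(url)
    return urls


# Constructed samples: the legitimate manifest and the one with the appended entry.
GOOD_MANIFEST = ('{"1": "https://somehost.com/path/first.js", '
                 '"2": "https://someotherhost.com/path/second.js"}')
TAMPERED_MANIFEST = ('{"1": "https://somehost.com/path/first.js", '
                     '"2": "https://someotherhost.com/path/second.js", '
                     '"3": "https://appscan-host/malicious-test.js"}')


def is_manifest_accepted(payload: str) -> bool:
    """True if the server would fetch and concatenate this manifest."""
    try:
        validate_manifest(payload)
        return True
    except ValueError:
        return False
```

Because the decision is made against a list the server owns, it holds regardless of what the client sends or how the client computed any signature.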