Client-Side Injection
Overview of the Vulnerability
Client-side injection is a vulnerability that results from untrusted client-side data being interpreted and executed by the system without any checks. Within the application, an attacker is able to inject data in the form of JavaScript, or a binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact on customers’ trust.
Steps to Reproduce
Use a browser to navigate to: {{URL}}
Notice that {{value}} is loaded by the application when doing {{action}}
Perform {{action}} to see the injected code executed by the system
Proof of Concept (PoC)
The screenshot(s) below demonstrate the client-side injection:
{{screenshot}}
Recommendation(s)
There is no single technique to protect against client-side injection. However, the following best practices should be adhered to:
All client-side input data should be validated against the content it can reasonably be expected to contain
When loading libraries or launching executable files, ensure that absolute paths are used. Do not use relative paths
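The two recommendations combined in one loader check, as an added Python example that is not part of the original template: a client-supplied name is validated against a strict pattern, then resolved to an absolute path that must stay inside a trusted directory. The names resolve_plugin and PLUGIN_NAME, the .bin suffix and the directory layout are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed policy for this example: plugin names are short lowercase identifiers.
PLUGIN_NAME = re.compile(r"[a-z][a-z0-9_]{0,31}")

def resolve_plugin(trusted_dir, client_value):
    """Return the absolute path of a plugin in trusted_dir, or raise ValueError."""
    if not os.path.isabs(trusted_dir):
        raise ValueError("trusted directory must be an absolute path")
    # Validate the client-supplied value against what it can reasonably contain.
    if not isinstance(client_value, str) or not PLUGIN_NAME.fullmatch(client_value):
        raise ValueError("rejected plugin name")
    root = os.path.realpath(trusted_dir)
    candidate = os.path.realpath(os.path.join(root, client_value + ".bin"))
    # After symlink resolution the file must still sit directly in the trusted directory.
    if os.path.dirname(candidate) != root:
        raise ValueError("path escapes trusted directory")
    if not os.path.isfile(candidate):
        raise ValueError("unknown plugin")
    # A file that other local users can modify is not a trustworthy load target.
    if os.stat(candidate).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError("plugin is group/world-writable")
    return candidate

def demo():
    """Run constructed sample inputs against a constructed layout; return outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        trusted = os.path.join(base, "plugins")
        os.mkdir(trusted)
        for name, mode in (("report.bin", 0o644), ("shared.bin", 0o666)):
            path = os.path.join(trusted, name)
            with open(path, "wb") as fh:
                fh.write(b"\x00")
            os.chmod(path, mode)
        outside = os.path.join(base, "outside.bin")
        open(outside, "wb").close()
        os.symlink(outside, os.path.join(trusted, "linked.bin"))
        for value in ("report", "../outside", "linked", "shared", "missing"):
            try:
                results[value] = "ok" if resolve_plugin(trusted, value) else "?"
            except ValueError as exc:
                results[value] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```
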