Your Scripts In My Page - What Could Possibly Go Wrong?

Explore the critical security vulnerabilities arising from cross-domain script inclusion in web applications. Delve into an often-overlooked attack vector that affects a significant number of websites, potentially exposing sensitive user information. Learn how attackers can exploit HTML's disregard for the Same-origin Policy to include dynamic scripts from vulnerable sites, gaining unauthorized access to personal data, CSRF tokens, and even full account compromises. Examine the findings of a comprehensive study on 150 top-ranked domains, revealing that a third utilize dynamic JavaScript, with over 80% susceptible to data leakage through remote script inclusion. Discover various attack techniques, defensive measures, and an efficient detection mechanism in the form of a browser extension. Gain insights into protecting web applications from these vulnerabilities through proper implementation of Content Security Policies and secure handling of dynamic scripts.

Introduction
Agenda
SameOrigin Policy
JavaScript
Gmail
Detection System
Registration
Results
Attacker Model
Methods
Exploit Results
Demo
Website
More Examples
Cross Site Script
File Hosting Script
How To Prevent These Vulnerabilities
Dynamic Scripts
Content Security Policy
Conclusion
Questions