External Object Injection

  • CWE 601
  • WASC 38
  • PCI 3.2-6.5.1
  • OWASP 2017-A1

It is possible for an attacker to control the src attribute of an object tag and load data from external resources.

Remediation

With a properly defined Content Security Policy (CSP), the browser would not load the resource.
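As an added example that is not part of the original page, the following Python check models how a CSP header decides whether an object load from an attacker-chosen URL would be permitted, so a policy can be reviewed before deployment. The origins, URLs and policies are constructed, and host matching is simplified as noted in the comments.

```python
# Added example: decide whether a Content-Security-Policy header stops the
# browser from loading an <object> whose URL an attacker controls.
# CSP facts relied on: <object> loads are governed by object-src, which
# falls back to default-src when absent; 'none' matches nothing; 'self'
# matches the page's own origin; "https:" is a scheme source; a host source
# matches by host with optional scheme/port and a leading "*." wildcard.
# Simplifications: no port wildcards, no path matching, no http->https upgrade.
from urllib.parse import urlparse

DEFAULT_PORT = {"http": 80, "https": 443}

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source-expression, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def port_of(url) -> int:
    """Effective port of a parsed URL, using the scheme default when none is given."""
    return url.port or DEFAULT_PORT.get(url.scheme)

def host_matches(source: str, target) -> bool:
    """Match one host-source (cdn.example.com, https://cdn.example.com:443, *.example.com)."""
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and scheme != target.scheme:
        return False
    if port and port != str(port_of(target)):
        return False
    thost = target.hostname or ""
    if host.startswith("*."):
        return thost.endswith(host[1:])
    return thost == host

def object_load_allowed(csp_header: str, page_origin: str, object_url: str) -> bool:
    """True if a browser enforcing csp_header on page_origin would fetch object_url for an <object>."""
    policy = parse_csp(csp_header)
    sources = policy.get("object-src", policy.get("default-src"))
    if sources is None:
        return True  # neither directive present: the policy does not restrict object loads
    target, page = urlparse(object_url), urlparse(page_origin)
    for src in sources:
        if src == "'none'":
            continue  # matches nothing; an empty or 'none'-only list blocks the load
        if src == "'self'":
            if (target.scheme, target.hostname, port_of(target)) == (page.scheme, page.hostname, port_of(page)):
                return True
        elif src == "*":
            if target.scheme in ("http", "https"):
                return True
        elif src.endswith(":"):
            if target.scheme == src[:-1]:
                return True
        elif host_matches(src, target):
            return True
    return False
```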

References