Applications often use resources or have dependencies that are hosted on other servers. These resources should be hosted on domains controlled by the organization in order to prevent several types of injection attacks.
CAPEC-19: Embedding Scripts within Scripts. An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The adversary leverages this capability to execute their own script by embedding it within other scripts that the target software is likely to execute. The adversary must have the ability to inject their script into a script that is likely to be executed.
CAPEC-154: Resource Location Spoofing. An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.
CAPEC-175: Code Inclusion. An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed.
CAPEC-242: Code Injection. An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing.
CWE-829: Inclusion of Functionality from Untrusted Control Sphere. The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
CWE-830: Inclusion of Web Functionality from an Untrusted Source. The software includes web functionality (such as a web widget) from another domain, potentially granting total access and control of the software to the untrusted source.
OWASP Top 10 A1:2017-Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
OWASP Top 10 A6:2017-Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
OWASP-ASVS v4.0.1 V10.3 Deployed Application Integrity Controls (10.3.2): The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet.
OWASP-ASVS v4.0.1 V10.3 Deployed Application Integrity Controls (10.3.3): Verify that the application has protection from sub-domain takeovers if the application relies upon DNS entries or DNS sub-domains.
PCI DSS v3.2.1 - Requirement 6.5.1: Address common coding vulnerabilities in software-development processes such as injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
PCI DSS v3.2.1 - Requirement 6.5.7: Address common coding vulnerabilities in software-development processes such as cross-site scripting (XSS).
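A simple check for the opening point above (resources should be served from domains the organization controls), added here as an example and not taken from the page or any referenced standard: it walks a page's script, stylesheet, iframe, object and embed references and flags any whose host is not an allowlisted organization domain or a sub-domain of one. The allowlist, the sample HTML and the example.org / third-party.example hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute through which a page pulls in executable or active content.
RESOURCE_ATTRS = {"script": "src", "link": "href", "iframe": "src",
                  "object": "data", "embed": "src"}


def host_is_allowed(host, allowed_hosts):
    """True if host is an allowlisted domain or a sub-domain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


class ExternalResourceFinder(HTMLParser):
    """Collects (tag, url) for resource references hosted off the allowed domains."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = [h.lower() for h in allowed_hosts]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlparse(url).hostname  # None for relative URLs (same origin)
        if host is not None and not host_is_allowed(host, self.allowed_hosts):
            self.findings.append((tag, url))


def find_external_resources(html, allowed_hosts):
    parser = ExternalResourceFinder(allowed_hosts)
    parser.feed(html)
    return parser.findings


# Constructed sample page; example.org stands in for the organization's own domain.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://cdn.third-party.example/lib.css">
<script src="https://static.example.org/app.js"></script>
<script src="//cdn.third-party.example/widget.js"></script>
</head><body><iframe src="https://maps.third-party.example/embed"></iframe></body></html>"""

if __name__ == "__main__":
    for tag, url in find_external_resources(SAMPLE_HTML, ["example.org"]):
        print(f"off-site {tag}: {url}")
```

Protocol-relative references (`//host/path`) are resolved to their host and checked like absolute URLs; relative paths are treated as same-origin and not reported.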