DEV Community

Cover image for Symfony XSSI Attack: Fixes + Free Security Check
Pentest Testing Corp
Pentest Testing Corp

Posted on

Symfony XSSI Attack: Fixes + Free Security Check

#cybersecurity #vulnerabilities #symfony #webdev

Cross-Site Script Inclusion (XSSI) is a sneaky data-leak where an attacker <script>-loads your API and reads secrets if your endpoint returns executable JavaScript or unsafe JSON. Below is a concise, Symfony-focused guide with copy-paste fixes—perfect for dev readers and teams.

Symfony XSSI Attack: Fixes + Free Security Check

👉 Try our free website security scanner to spot XSSI and other issues.
Also see our blog: Pentest Testing Corp.

How XSSI happens (Symfony example)

Vulnerable: returning executable JS (not JSON). If an attacker includes it, your data becomes a global variable on their page.

// src/Controller/ProfileController.php #[Route('/api/profile.js', name: 'api_profile_js', methods: ['GET'])] public function profileAsJs(): Response { $data = ['email' => 'alice@example.com', 'role' => 'admin']; // ❌ Executable JavaScript — XSSI-prone $body = 'window.__profile = ' . json_encode($data) . ';'; return new Response($body, 200, ['Content-Type' => 'application/javascript']); }
Enter fullscreen mode Exit fullscreen mode

Attacker page:

<script src="https://victim.example.com/api/profile.js"></script> <script> // now readable cross-site — data leaked console.log(window.__profile); </script>
Enter fullscreen mode Exit fullscreen mode

📸 Screenshot of the Website Vulnerability Scanner tool homepage:

Screenshot of the free tools webpage where you can access security assessment tools.Screenshot of the free tools webpage where you can access security assessment tools.

Safer pattern #1: Strict JSON + anti-XSSI prefix

Return pure JSON (not JS) and add a harmless prefix that breaks execution if included via <script>.

// src/Controller/ProfileController.php use Symfony\Component\HttpFoundation\Response; #[Route('/api/profile', name: 'api_profile', methods: ['GET'])] public function profile(): Response { $data = ['email' => 'alice@example.com', 'role' => 'admin']; $prefix = ")]}',\n"; // breaks script execution; clients strip it before JSON.parse $json = $prefix . json_encode($data, JSON_UNESCAPED_SLASHES); return new Response($json, 200, [ 'Content-Type' => 'application/json; charset=utf-8', 'X-Content-Type-Options' => 'nosniff', 'Cross-Origin-Resource-Policy' => 'same-site', ]); }
Enter fullscreen mode Exit fullscreen mode

Client parsing tip:

// strip prefix before JSON.parse fetch('/api/profile').then(r => r.text()).then(t => { const clean = t.replace(/^\)\]\}',\n?/, ''); return JSON.parse(clean); });
Enter fullscreen mode Exit fullscreen mode

Safer pattern #2: Block cross-origin inclusion at the edge

Add security headers globally via an event subscriber.

// src/EventSubscriber/SecurityHeadersSubscriber.php use Symfony\Component\EventDispatcher\EventSubscriberInterface; use Symfony\Component\HttpKernel\Event\ResponseEvent; final class SecurityHeadersSubscriber implements EventSubscriberInterface { public static function getSubscribedEvents(): array { return ['kernel.response' => 'onKernelResponse']; } public function onKernelResponse(ResponseEvent $event): void { $r = $event->getResponse(); $r->headers->set('X-Content-Type-Options', 'nosniff'); $r->headers->set('Cross-Origin-Resource-Policy', 'same-site'); // Optional: CORP/CORB hardening $r->headers->set('Content-Type', $r->headers->get('Content-Type') ?: 'application/json; charset=utf-8'); } }
Enter fullscreen mode Exit fullscreen mode

Safer pattern #3: Avoid GET for sensitive data + CSRF

Return sensitive data via POST and require a CSRF token.

# config/routes.yaml api_secure_profile: path: /api/secure/profile controller: App\Controller\SecureController::profile methods: [POST]
Enter fullscreen mode Exit fullscreen mode 
// src/Controller/SecureController.php use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; public function __construct(private CsrfTokenManagerInterface $csrf) {} public function profile(Request $req): JsonResponse { $token = $req->request->get('_token'); if (!$this->csrf->isTokenValid(new CsrfToken('api_profile', $token))) { return $this->json(['error' => 'invalid_csrf'], 403); } return $this->json(['ok' => true]); }
Enter fullscreen mode Exit fullscreen mode

📸 Sample assessment report from our tool to check Website Vulnerability:

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Bonus hardening checklist

  • Disable JSONP and never return executable JS from APIs.
  • Cookies: use SameSite=Lax or Strict, HttpOnly, Secure.
  • CORS: only allow trusted origins; avoid Access-Control-Allow-Origin: * with credentials.
  • CSP on your pages: script-src 'self' (reduces risky third-party scripts).
  • Audit endpoints with our free tool for a website security test.

Services from Pentest Testing Corp.

Newsletter: Subscribe on LinkedIn

Read more on our blog → https://www.pentesttesting.com/blog/.

Top comments (0)