CWE-829: Inclusion of Functionality from Untrusted Source

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application loads resources (scripts, stylesheets, libraries) from untrusted or user-controlled sources. Evidence includes successful injection of external JavaScript via parameters controlling <script src> attributes, acceptance of arbitrary CDN URLs, or dynamic loading of code from attacker-controlled domains. Responses show external resource inclusion based on user input.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-829 typically indicate that external functionality was loaded or executed at runtime without sufficient trust guarantees, such as:

  • Scripts or libraries loaded from external domains
  • Dependencies fetched without integrity verification
  • Runtime inclusion of remote code
  • Use of third-party resources without provenance controls

Evidence is based on observed runtime inclusion behavior, not on request parameters or payload syntax.

Mapping DAST Findings to Source Code

CWE-829 does not map to a single endpoint or parameter. The issue resides in how the application sources, verifies, and executes external functionality.

When tracing this issue in code and build configuration, review:

  • How external scripts or libraries are selected
  • Dependency management and update mechanisms
  • Integrity verification (hashes, signatures)
  • Runtime loading of remote code
  • Centralized vs ad hoc inclusion of third-party functionality

Remediation

Core Principle: Never execute or load functionality from sources whose integrity and provenance are not explicitly verified; all executable code must originate from a trusted, controlled source.

→ For comprehensive remediation guidance, see Static CWE-829 Guidance

Verification and Follow-Up Testing

After applying the fix:

1. Verify Source Trust

  • Confirm all executable code originates from approved sources
  • Ensure integrity verification is enforced for third-party functionality

2. Test Edge Cases

  • Dependency updates and rollbacks
  • Runtime loading paths
  • Fallback or legacy inclusion mechanisms

Re-run DAST Scanner

Re-run the dynamic scanner to confirm untrusted functionality inclusion is no longer observed.

Additional Resources