CWE-830: Inclusion of Functionality from Untrusted Control Sphere

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application includes web functionality (JavaScript, iframes, web components) from untrusted or user-controllable sources. Evidence includes user-controlled URLs in <script src>, <iframe src>, or dynamic import statements, successful loading of attacker-controlled code, or responses showing application trust boundaries violated by external code.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-830 typically indicate that functionality from an external control sphere was loaded or executed at runtime, such as:

  • Plugins or modules sourced from external locations
  • Runtime loading of code not controlled by the application owner
  • Dependencies resolved from untrusted or mixed control domains
  • Extension mechanisms without integrity enforcement

Evidence is based on observed runtime inclusion behavior, not on request parameters or payload syntax.

Mapping DAST Findings to Source Code

CWE-830 does not map to a single endpoint or parameter. The issue resides in how the application defines trust boundaries for executable functionality.

When tracing this issue in code and configuration, review:

  • Plugin and extension loading mechanisms
  • Dependency resolution and update paths
  • Runtime loading of external modules or scripts
  • Separation between application-owned code and externally controlled code
  • Centralized controls governing which functionality may be executed

Remediation

Core Principle: Never execute or load functionality from an external control sphere unless its provenance and integrity are explicitly verified and enforced by the application.

Verification and Follow-Up Testing

After applying the fix:

1. Verify Trust Enforcement

  • Confirm executable functionality originates only from approved control spheres
  • Ensure integrity verification is enforced for externally sourced code

2. Test Edge Cases

  • Extension or plugin loading paths
  • Dependency updates and rollbacks
  • Legacy or fallback inclusion mechanisms

Re-run DAST Scanner

Re-run the dynamic scanner to confirm untrusted functionality inclusion is no longer observed.

Additional Resources