Content Security Policy

Lack of Content Security Policy Header

The main use of the Content-Security-Policy header is to detect, report and block XSS attacks. The core issue with XSS is that the browser cannot distinguish a script that is intended to be part of your application from one that has been injected by an attacker. With CSP (Content Security Policy) the server tells the browser which script sources are trusted, so a script from anywhere else, including one injected inline into the page, is refused and the browser treats it as most likely injected by an attacker.

  • Without CSP in place, an injected inline script executes exactly like the application's own scripts, because the browser has no way to tell them apart.

  • With CSP in place, the same XSS attempt fails: the browser refuses to execute the injected script because the policy does not permit inline scripts, and it reports the violation if a reporting directive is configured.

Overview of the Vulnerability

A missing Content-Security-Policy (CSP) response header leaves the application without a browser-enforced layer of defence against Cross-Site Scripting (XSS) and clickjacking, so a script injection flaw elsewhere in the application can be exploited to retrieve sensitive user data. Several HTTP response headers exchanged between server and client can be set to harden the browser against well-documented classes of vulnerability. The Content-Security-Policy header in particular lets administrators restrict the sources from which each type of resource (scripts, styles, frames, images and so on) may be loaded for a page.

An attacker who finds an injection point can exploit it without hindrance when no Content-Security-Policy header is set, executing malicious code in the user's browser; a well-configured policy would block the injected script, or at least report the attempt.

Business Impact

Not having a Content-Security-Policy header can lead to reputational damage and indirect financial loss to the business, because an XSS flaw that a policy would have mitigated can be used by an attacker to access user data. The degree of impact depends on the sensitivity of the data the application handles and on the sophistication of the attacker.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Navigate to the following endpoint using a browser: {{URL}}

  3. Capture the request using the HTTP interception proxy and review the response

  4. Observe that no Content-Security-Policy header is present among the HTTP response headers

Proof of Concept (PoC)

The screenshot below demonstrates the missing header:

{{screenshot}}

Recommendation(s)

The Content-Security-Policy header should be configured so that it reduces the attack surface of the application. CSP is a defence-in-depth control, not a catch-all: a policy that is too permissive (for example one that allows 'unsafe-inline' or wildcard script sources) gives little protection, and even a strict policy does not remove the underlying injection flaw, which must still be fixed with proper output encoding. It is therefore important to ensure that the policy is no more permissive than the application needs, with directives such as default-src, script-src, object-src and frame-ancestors set appropriately.

For more information, please see:
