Content Security Policy Report Only
Lack of Content-Security-Policy-Report-Only Header
Overview of the Vulnerability
The Content-Security-Policy-Report-Only HTTP response header instructs the browser to evaluate a Content Security Policy (CSP) and send a report to a configured endpoint each time the policy is violated, without blocking the violating resource. It is one of several HTTP response headers exchanged between server and client that can be used to improve security against well documented vulnerabilities. When this header is absent (and no enforcing Content-Security-Policy header carries a reporting directive), the application receives no signal that its policy is being violated: attempts to inject script (Cross-Site Scripting, XSS) or to frame the application (clickjacking, which a policy reports through the frame-ancestors directive) go unobserved, and a candidate policy cannot be trialled safely before it is enforced.
Because the header does not itself block anything, its absence does not create an injection flaw; it removes visibility. An attacker who finds an XSS or clickjacking vector can exploit it in users' browsers, and retrieve sensitive data, without the violation ever being reported to the application owner.
Business Impact
Not having a Content-Security-Policy-Report-Only header can lead to reputational damage and indirect financial loss to the business, because an attacker who exploits an injection or framing flaw can access data without the attack being detected or reported. The degree of impact depends on the sensitivity of the data handled by the application and on the sophistication of the attacker.
Steps to Reproduce
Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP
Navigate to the following endpoint using a browser: {{URL}}
Capture the request using the HTTP interception proxy and review the response
Observe that no Content-Security-Policy-Report-Only header is present in the HTTP response headers
Also note whether an enforcing Content-Security-Policy header with a report-uri or report-to directive is present; if it is, violations are already being reported and this finding does not apply
Proof of Concept (PoC)
The screenshot below demonstrates the missing header:
{{screenshot}}
Recommendation(s)
The Content-Security-Policy-Report-Only header should carry the policy directives to be monitored together with a report-uri directive naming an endpoint that accepts and logs violation reports. The policy directives come first and report-uri takes a URL, for example:
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; frame-ancestors 'none'; report-uri /csp-report
Here /csp-report is an endpoint on the application that receives the JSON reports the browser POSTs. The newer report-to directive can be used instead, but it requires a matching Reporting-Endpoints (or Report-To) response header, so report-uri remains the simpler choice where both are supported.
Additionally, the enforcing Content-Security-Policy header should be configured to reduce the attack surface of the application. Report-only mode is a monitoring and testing tool, not a control: a policy that is only reported still allows every resource to load. The usual approach is to deploy the candidate policy as Report-Only, review the reports, tighten the policy until legitimate pages produce no violations, and then move it to the enforcing Content-Security-Policy header. Avoid a single catch-all policy for the whole application; a policy broad enough to suit every page (for example one that allows 'unsafe-inline' or wildcard sources for script-src) is too permissive to stop XSS. Ensure the policy is no more permissive than the application's needs.
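As an added example (not part of this template or of any particular product), the following Node.js code assembles a Content-Security-Policy-Report-Only header from a policy object, audits a captured set of response headers for the finding described above, and triages a JSON violation report of the kind a browser POSTs to the report-uri endpoint. The endpoint path /csp-report, the function names and the sample data are assumptions made for illustration.

```javascript
// Added example (not part of the original template): assemble a
// Content-Security-Policy-Report-Only header, audit a captured response
// for the CSP headers, and triage the JSON report a browser POSTs to the
// report-uri endpoint. Node.js, standard library only. The endpoint path
// "/csp-report", the function names and the sample data are assumptions.

// Build the header value: policy directives first, report-uri last.
// `policy` maps a directive name to its list of source expressions.
function buildReportOnlyHeader(policy, reportUri) {
  const directives = Object.entries(policy).map(
    ([name, sources]) => `${name} ${sources.join(" ")}`
  );
  directives.push(`report-uri ${reportUri}`);
  return directives.join("; ");
}

// Audit the headers of a captured response. Header names are
// case-insensitive, so normalise before looking them up.
function auditCspHeaders(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  const enforce = lower["content-security-policy"];
  const reportOnly = lower["content-security-policy-report-only"];
  // Either header may carry the reporting directive (report-uri or report-to);
  // the finding applies only when neither does.
  const reports = (v) => typeof v === "string" && /\breport-(uri|to)\b/.test(v);
  return {
    enforced: Boolean(enforce),
    reportOnly: Boolean(reportOnly),
    reporting: reports(enforce) || reports(reportOnly),
  };
}

// Parse one violation report (Content-Type: application/csp-report) and
// flag the pattern that most often indicates injected script: a
// script-src directive blocking an inline script or eval.
function parseCspReport(body) {
  const r = JSON.parse(body)["csp-report"];
  if (!r) throw new Error("not a CSP violation report");
  const directive = r["effective-directive"] || r["violated-directive"] || "";
  const blocked = r["blocked-uri"] || "";
  return {
    document: r["document-uri"],
    directive,
    blocked,
    likelyInjection:
      directive.startsWith("script-src") && (blocked === "inline" || blocked === "eval"),
  };
}

// Constructed sample data for a stand-alone run.
const SAMPLE_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example"],
  "frame-ancestors": ["'none'"],
};

// Constructed headers from a response with no CSP headers at all.
const SAMPLE_MISSING = { "Content-Type": "text/html", "X-Frame-Options": "DENY" };

// Constructed report of the kind a browser sends when an injected inline
// <script> runs on /account under the report-only policy above.
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://app.example/account",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "original-policy": buildReportOnlyHeader(SAMPLE_POLICY, "/csp-report"),
    "disposition": "report",
    "blocked-uri": "inline",
    "status-code": 200,
  },
});

console.log(buildReportOnlyHeader(SAMPLE_POLICY, "/csp-report"));
console.log(auditCspHeaders(SAMPLE_MISSING));
console.log(parseCspReport(SAMPLE_REPORT));
```

auditCspHeaders returns `enforced`, `reportOnly` and `reporting` flags so that the tester can distinguish the three cases that matter for this finding: no CSP at all, a report-only policy with a reporting directive (nothing to report), and an enforcing policy without one. parseCspReport prefers effective-directive because CSP3 browsers report the granular directive (script-src-elem) even when the served policy only names script-src.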
For more information, please see: