X-Webkit-CSP
Lack of X-Webkit-Content-Security-Policy Header
Overview of the Vulnerability
A lack of the HTTP response header for X-Webkit-Content-Security-Policy can lead to sensitive user data being retrieved by an attacker through Cross-Site Scripting (XSS) attacks. There are multiple HTTP response headers used in communication between the server and client which can be implemented to improve security against well documented vulnerabilities. For example, the X-Webkit-Content-Security-Policy security header is used in legacy versions of browsers to prevent clients from loading reflected XSS attacks.
An advanced attacker can leverage a missing X-Webkit-Content-Security-Policy header to bypass security controls of an application to execute code within a user's browser.
Business Impact
Not having a X-Webkit-Content-Security-Policy header can lead to reputational damage and indirect financial loss to the business due to an advanced attacker’s ability to access data through a XSS attack. The degree of impact is dependent on the sensitivity of data being stored and transmitted by the application, and the sophistication of the attacker’s abilities.
Steps to Reproduce
Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
Navigate to the following endpoint using a browser: {{URL}}
Capture the request using the HTTP interception proxy and review the response
Observe that no
X-Webkit-Content-Security-Policyheader is implemented within the HTTP headers
Proof of Concept (PoC)
The screenshot below demonstrates the missing header:
{{screenshot}}
Recommendation(s)
The X-Webkit-Content-Security-Policy header should not be used in modern browsers as it can create XSS vulnerabilities in websites. It has been deprecated by the Content Security Policy (CSP) security header. The CSP header, Content-Security-Policy, should be used to prevent XSS attacks.
The Content-Security-Policy header should be configured in a way that reduces the attack surface of the application. The CSP header is not set as a catch-all, due to its permissive design. Therefore, It is important to ensure that the CSP heading is not too permissive for the application's needs, and has directives appropriately set.
For more information, please see the following guides:
Last updated