Product
Features Why Beagle Security? API Security Testing DevSecOps Cosmog: Private Tunnel WordPress Security Testing OWASP Security Testing Free Security Testing
Solutions
Pricing
NewFree tools
Website Security Assessment SSL Certificate Checker Domain Expiry Checker
Resources
Blog Developer Docs Help Center Guides Whitepapers Vulnerability Index Partners
Blog Home
Content Security Policy
19 Jun 2018

Content Security Policy implemented with unsafe inline

19 Jun 2018
OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 CWE-79 ISO27001-A.14.2.5 WASC-15 WSTG-CONF-12

Content Security Policy is a security standard. It was introduced to protect from cross-site scripting and other injection attacks. This is achieved by restricting data access from different sources. This application uses an Unsafe Content Security Policy Directive unsafe-inline. This vulnerability allows the execution of inline scripts, which almost defeats the purpose of Content Security Policy. When this is approved, it’s effortless to exploit a Cross-site Scripting vulnerability on your website successfully.

Example

The attacker can send malicious code embedded in a script. The following is an example.

        <script>sendMyDataToDemonicDotCom();</script>

Impact

The impacts of this type of vulnerability include:-

  • Cross-site scripting - Cross-site Scripting (XSS) is a client-side code injection attack where an attacker can execute malicious scripts into a website or web application.
  • Clickjacking - Clickjacking is a malicious technique of tricking an end user into clicking on a malicious link.
  • Code injection attacks - Code injection is the exploitation of a computer bug which includes processing invalid data.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Make sure to set a proper Content Security Policy.
  • Try to remove all unsafe inline from Content Security Policy Directive.




Latest Articles

XML Injection
December 6 2022
Top Black Friday and Cyber Monday SaaS Deals [2022]
November 21 2022
Patch released for the critical OpenSSL vulnerability (CVE-2022-3602 & CVE-2022-3786)
November 2 2022
Beagle Security is now a CERT-In Empaneled Information Security Audit Provider
September 29 2022
DomeCTF 2022
September 26 2022

Explore morearrow



Popular in Injection

Union Query SQL Injection (SQLi)
July 4 2018
Stacked Queries SQL Injection (SQLi)
July 4 2018
SQL injection(SQLi)
July 4 2018
Inline Queries SQL Injection (SQLi)
July 4 2018
Error based SQL Injection (SQLi)
July 4 2018

Explore morearrow

Categories

Client Side URL Redirect HSTS Cookies Attributes IBM SQL injection injection Time Based Blind SQL Injection SSL Injection CRLF Content Security Policy CSRF CORS Information Leakage status code SRI metadata X-XSS-Protection owasp Clickjacking XSS Cookies Directory traversal DOM XSS RFI SQL Injection Blind SQL Injection XML Injection blog TLS WordPress web security SMB Cyber attacks AI Web server Wordpress Data Security DOMECTF2020 Container security CMS Security Code Execution Content security policy Htaccess Bypass DOMECTF2021 Press Webinar DevSecOps Web Security Cyber Attacks DOMECTF2022 openssl

Latest Articles

Explore More
Top Black Friday and Cyber Monday SaaS Deals [2022]
Top Black Friday and Cyber Monday SaaS Deals [2022]
21 Nov 2022
Patch released for the critical OpenSSL vulnerability (CVE-2022-3602 & CVE-2022-3786)
openssl
Patch released for the critical OpenSSL vulnerability (CVE-2022-3602 & CVE-2022-3786)
02 Nov 2022
Beagle Security is now a CERT-In Empaneled Information Security Audit Provider
Press
Beagle Security is now a CERT-In Empaneled Information Security Audit Provider
29 Sep 2022
DomeCTF 2022
DOMECTF2022
DomeCTF 2022
26 Sep 2022
How CISCO got Attacked by Yanluowang Ransomware Gang
Cyber Attacks
How CISCO got Attacked by Yanluowang Ransomware Gang
18 Aug 2022
Zero-Day Vulnerabilities in Web Applications
Web Security
Zero-Day Vulnerabilities in Web Applications
18 Jul 2022
How DevSecOps is a Key Enabler for Digital Transformation
DevSecOps
How DevSecOps is a Key Enabler for Digital Transformation
10 Jul 2022
Session Fixation Attack
Session Fixation Attack
29 Jun 2022
Beagle Security named a Leader in G2 Summer 2022 Reports
Press
Beagle Security named a Leader in G2 Summer 2022 Reports
28 Jun 2022
Server-Side Includes (SSI) Injection
Server-Side Includes (SSI) Injection
24 Jun 2022
Missing Function Level Access Control OWASP 2013
owasp
Missing Function Level Access Control OWASP 2013
24 Jun 2022
Lucky Thirteen attack against implementations of the Transport Layer Security
SSL
Lucky Thirteen attack against implementations of the Transport Layer Security
19 Jun 2022
8 Login Tips to Stay Safe Online
Data Security
8 Login Tips to Stay Safe Online
16 Jun 2022
Spring4Shell Vulnerability: Analysis and Mitigation
Code Execution
Spring4Shell Vulnerability: Analysis and Mitigation
08 Jun 2022
Zoom Patches “Zero-Click” RCE Bug
Zoom Patches “Zero-Click” RCE Bug
31 May 2022
A Comprehensive Guide to Web Application Security
web security
A Comprehensive Guide to Web Application Security
26 May 2022
Revealing phpinfo()
Revealing phpinfo()
24 May 2022
Two-factor authentication: How Beagle Security handles 2FA security testing
AI
Two-factor authentication: How Beagle Security handles 2FA security testing
08 May 2022
X-Content-Type-Options header not implemented
X-Content-Type-Options header not implemented
05 May 2022
X-Content-Type-Options header cannot be recognized
X-Content-Type-Options header cannot be recognized
05 May 2022
Symantec SSL/TLS check
Symantec SSL/TLS check
02 May 2022
PHP session.use_trans_sid Session Hijacking
PHP session.use_trans_sid Session Hijacking
02 May 2022
PHP expose_php is on
PHP expose_php is on
02 May 2022
State of Application Security in the IT Sector
Webinar
State of Application Security in the IT Sector
19 Apr 2022
Factoring RSA Export Keys (FREAK) Attack
SSL
Factoring RSA Export Keys (FREAK) Attack
19 Apr 2022
Fingerprinting Web Server
Web server
Fingerprinting Web Server
04 Apr 2022
Explore More