Content Security Policy (CSP) is a security standard introduced to protect against cross-site scripting and other injection attacks. It does this by restricting the sources from which a page may load and execute content. This application uses the unsafe Content Security Policy directive value 'unsafe-inline'. This setting allows inline scripts to execute, which almost defeats the purpose of Content Security Policy. When inline scripts are allowed, a Cross-site Scripting vulnerability on your website becomes effortless to exploit successfully.
Example
An attacker can inject malicious code embedded in an inline script, which the browser will run because the policy permits it. The following is an example.
<script>sendMyDataToDemonicDotCom();</script>
Impact
The impacts of this type of vulnerability include:
Cross-site scripting - Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker executes malicious scripts in the context of a website or web application.
Clickjacking - Clickjacking is a malicious technique that tricks an end user into clicking on a malicious link.
Code injection attacks - Code injection is the exploitation of a software bug caused by the processing of invalid data.
Mitigation / Precaution
Beagle recommends the following fixes:
Set a proper Content Security Policy.
Remove every 'unsafe-inline' source from your Content Security Policy directives.