Content Security Policy (CSP) header cannot be parsed successfully
OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 CWE-16 WASC-15 WSTG-CONF-12
Content Security Policy (CSP) is one of the essential browser security standards for hardening a site. It was introduced to mitigate cross-site scripting (XSS), clickjacking and other code injection attacks by letting the server declare which sources of script, style, frames and other content the browser may load. This application delivers a policy that the browser cannot parse. Typical causes are misspelled directive names, commas or missing semicolons between directives, malformed source expressions, or a policy declared in a meta tag placed inside the body element instead of the head. A browser silently ignores any directive it cannot parse, and in the worst case the whole policy, so the protection the policy was meant to provide is not applied. Many web applications declare their Content Security Policy inside the body tag, where browsers ignore it.
The impacts of this type of vulnerability include:
- Cross-site scripting - Cross-site scripting (XSS) is a client-side code injection attack in which an attacker gets malicious script executed in the victim's browser in the context of the vulnerable site. A correctly parsed CSP (a script-src that allows only trusted sources and no 'unsafe-inline') blocks injected scripts; an unparseable policy does not.
- Clickjacking - Clickjacking is a technique that tricks a user into clicking something other than what they perceive, typically by loading the target site in a transparent iframe over a decoy page. The frame-ancestors directive controls which origins may frame the site, and that protection is lost when the policy fails to parse.
- Code injection attacks - Code injection covers attacks in which attacker-supplied input is interpreted as code by the application or the browser, for example injected inline scripts, event handlers, or object and plugin content. CSP restricts where such content may be loaded from and whether inline code runs at all.
Mitigation / Precaution
Beagle recommends the following fixes:
- Declare the policy in the Content-Security-Policy HTTP response header. If a meta tag (http-equiv="Content-Security-Policy") is used instead, place it inside the head element, never the body, and note that the frame-ancestors, report-uri and sandbox directives are not honoured in a meta policy.
- Check the policy syntax: directives are separated by semicolons, each directive is a name followed by whitespace-separated source expressions, and directive names must match the specification exactly. Browsers silently ignore unknown directives and every repeat of a directive after its first occurrence.
- Roll out a new or corrected policy first as Content-Security-Policy-Report-Only and review the browser console and violation reports before switching to enforcement.
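The following checker is an added example and not part of Beagle's scanner: it applies the CSP Level 3 parsing rules (semicolon-separated directives, whitespace-separated values, unknown and duplicate directives ignored, comma-separated header values treated as independent policies) to a header value, and separately verifies that a meta-tag policy sits inside the head element. The sample header values, the host cdn.example.com and the HTML snippet are constructed for illustration.

```python
"""Added example: check Content-Security-Policy syntax and placement.

Not Beagle's tooling. Follows the CSP Level 3 parsing rules: directives are
separated by ';', a directive is a name followed by whitespace-separated
values, repeats of a directive after the first are ignored, unknown
directives are ignored, and a header value may carry several policies
separated by ','.
"""
import re
from html.parser import HTMLParser

# Directive names from CSP Level 3 plus still-deployed legacy names.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "child-src", "frame-src",
    "worker-src", "manifest-src", "prefetch-src", "base-uri", "sandbox",
    "form-action", "frame-ancestors", "report-uri", "report-to",
    "upgrade-insecure-requests", "block-all-mixed-content",
    "require-trusted-types-for", "trusted-types",
}
# Browsers ignore these when the policy is delivered in a <meta> tag.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}
DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def parse_csp(policy, via_meta=False):
    """Parse one serialized policy. Returns (directives, problems):
    directives holds what a browser would enforce, problems explains
    every part it would drop."""
    directives, problems = {}, []
    for raw in policy.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, *values = token.split()
        name = name.lower()
        if not DIRECTIVE_NAME.match(name):
            problems.append(f"malformed directive name {name!r}")
        elif name not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive {name!r} (browsers ignore it)")
        elif name in directives:
            problems.append(f"duplicate {name!r}: only the first occurrence is enforced")
        elif via_meta and name in META_UNSUPPORTED:
            problems.append(f"{name!r} is ignored in a <meta> policy")
        else:
            directives[name] = values
    return directives, problems


def parse_csp_header(header_value, via_meta=False):
    """Split a header value on ',' into independent policies (each is
    enforced separately) and parse each one."""
    return [parse_csp(p, via_meta) for p in header_value.split(",") if p.strip()]


class _MetaCspFinder(HTMLParser):
    """Collect CSP <meta> tags and whether each sits inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = []  # (policy, in_head)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.found.append((a.get("content", ""), self.in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def check_meta_csp(html):
    """Return [(policy, problems)] for every CSP meta tag in the document;
    a tag outside <head> is reported because browsers ignore it there."""
    finder = _MetaCspFinder()
    finder.feed(html)
    results = []
    for policy, in_head in finder.found:
        _, problems = parse_csp(policy, via_meta=True)
        if not in_head:
            problems.insert(0, "CSP <meta> tag is outside <head>; browsers ignore it")
        results.append((policy, problems))
    return results


# Constructed samples: a header with the mistakes described above, and a
# corrected one. cdn.example.com is a placeholder host.
BROKEN_HEADER = ("default-src 'self'; scriptsrc 'none'; script-src 'self'; "
                 "script-src 'unsafe-inline'; frame-ancestors 'none'")
FIXED_HEADER = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                "object-src 'none'; frame-ancestors 'none'")
BODY_META_HTML = ('<html><head><title>x</title></head><body>'
                  '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">'
                  '</body></html>')

if __name__ == "__main__":
    for label, hdr in (("broken", BROKEN_HEADER), ("fixed", FIXED_HEADER)):
        for directives, problems in parse_csp_header(hdr):
            print(label, directives, problems)
    print(check_meta_csp(BODY_META_HTML))
```

Run against the broken sample, the checker reports the misspelled scriptsrc and the second script-src as dropped, and shows that the surviving policy still allows only 'self' for scripts; the same header passed as a meta policy additionally loses frame-ancestors. The corrected header parses with no problems, which is the state a scanner finding like this one should be retested against.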