Content Security Policy (CSP) header not implemented

OWASP 2013-A5 OWASP 2017-A6 CWE-16 ISO27001-A.14.2.5 WASC-15 WSTG-CONF-12

Content Security Policy (CSP) is a browser security standard delivered as an HTTP response header. It was introduced to mitigate cross-site scripting (XSS), clickjacking and other code injection attacks, which typically end with malicious content executing in the context of a trusted page. An application that does not implement CSP gives up this extra layer of defence, so any injection flaw in it is directly exploitable. CSP can, for example, restrict script loading to a single origin. A policy is built from directives whose values are source expressions such as:

  • 'none': denies loading resources from any source.
  • 'self': allows resources only from the document's own origin.
  • 'unsafe-inline': permits inline scripts to run.
  • 'unsafe-eval': permits the eval() function.

Example

The code below is an example of a Content Security Policy header.

        Content-Security-Policy: script-src 'self';


Impact

Without CSP as a backstop, an attacker who finds an injection flaw in the application can:

  • perform cross-site scripting.
  • perform clickjacking against end users.
  • perform other code injection attacks.

Mitigation / Precaution

Beagle recommends enabling CSP on your website by sending the Content-Security-Policy header in HTTP responses. The header instructs the browser to enforce the policy you specify. The same policy can also be delivered in a meta tag.

        Response header:
        Content-Security-Policy: script-src 'self';

        Meta tag:
        <meta http-equiv="Content-Security-Policy" content="script-src 'self';">


If the website loads scripts from other origins, those origins can be whitelisted as follows.

        Content-Security-Policy: script-src https://example.beaglesecurity.com;
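As an added example (not from Beagle's page or tooling), the Python below parses a Content-Security-Policy header and flags the conditions described above: header missing, 'unsafe-inline' or 'unsafe-eval' in script-src, and no frame-ancestors directive, which is the CSP directive that actually restricts framing (clickjacking) and is honoured only in the header form, not in the meta tag. The sample responses are constructed, not captured from any real site.

```python
"""Check a response's Content-Security-Policy for the weaknesses discussed above."""
from typing import Dict, List

# Constructed sample responses (header name -> value), not captured from any real site.
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "text/html"},
    "strict": {"Content-Security-Policy":
               "default-src 'none'; script-src 'self'; frame-ancestors 'none'"},
    "loose": {"content-security-policy":
              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://example.beaglesecurity.com;"},
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}; directives are ';'-separated
    and case-insensitive, and browsers keep the first occurrence of a repeated one."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means nothing to report."""
    # HTTP header names are case-insensitive, so match them that way.
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return ["Content-Security-Policy header not implemented"]
    policy = parse_csp(csp)
    findings: List[str] = []
    # script-src falls back to default-src when it is absent.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    else:
        sources = {s.lower() for s in script_src}
        if "'unsafe-inline'" in sources:
            findings.append("'unsafe-inline' in script-src: injected inline scripts still run")
        if "'unsafe-eval'" in sources:
            findings.append("'unsafe-eval' in script-src: eval() of untrusted data still runs")
    # Clickjacking protection in CSP comes from frame-ancestors (no default-src fallback).
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors directive: framing by other sites is not restricted")
    return findings
```

Run `check_csp` over each entry of `SAMPLE_RESPONSES`: the strict policy yields no findings, the missing header yields one, and the loose policy yields three.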

