Content Security Policy (CSP) implemented with insecure scheme

By
Nash N Sulthan
Published on
19 Jun 2022
1 min read
Content Security Policy

Content Security Policy (CSP) is a security standard introduced to protect against cross-site scripting and other injection attacks. It works by restricting the sources from which a page may load data. CSP is a second layer of protection against cross-site scripting and related attacks. Many web applications implement CSP in an insecure way: because of this configuration, the site allows images or media to be loaded over plain HTTP.

Impact

The impacts of this type of vulnerability include:

  • Cross-site scripting - Cross-site scripting (XSS) is a client-side code injection attack in which an attacker injects malicious scripts into a website or web application.
  • Clickjacking - Clickjacking is a malicious technique that tricks an end user into clicking on a malicious link.
  • Code injection attacks - Code injection is the exploitation of a computer bug caused by processing invalid data.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Use HTTPS (the https: scheme) in every URI declared in the policy.
  • Keep the whitelist and the policies as strict as possible.
  • Enable CSP on your website. CSP is enabled by sending the Content-Security-Policy HTTP response header; this header instructs the browser to apply the policies the administrator has specified.
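One way to check a policy for the insecure scheme this article describes, as an added example that is not code from the post or from Beagle Security: a small Python audit that parses the Content-Security-Policy header and reports every fetch directive that allows plain-HTTP sources. The sample policies and the host cdn.example.com are constructed for the example.

```python
"""Audit a Content-Security-Policy header for sources that allow plain-HTTP loads.
Hypothetical audit script, not code from the original post or from Beagle Security.
"""

# Fetch directives control where the browser may load resources from.
FETCH_DIRECTIVES = {
    "default-src", "img-src", "media-src", "script-src", "style-src",
    "font-src", "connect-src", "frame-src", "object-src", "child-src",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}; names are lower-cased."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def insecure_sources(header: str) -> list[tuple[str, str]]:
    """Return (directive, source) pairs that let a resource load over http://."""
    policy = parse_csp(header)
    # With upgrade-insecure-requests the browser rewrites http:// subresource
    # URLs to https:// before fetching, so http sources are no longer reachable.
    if "upgrade-insecure-requests" in policy:
        return []
    findings = []
    for directive, sources in policy.items():
        if directive not in FETCH_DIRECTIVES:
            continue
        for src in sources:
            s = src.lower()
            # "http:" is a scheme-source (any host over plain HTTP);
            # "http://host" is a host-source pinned to plain HTTP.
            if s == "http:" or s.startswith("http://"):
                findings.append((directive, src))
    return findings


# Constructed sample policies: the weak form beside its corrected form.
WEAK_CSP = "default-src 'self'; img-src 'self' http: data:; media-src http://cdn.example.com"
FIXED_CSP = "default-src 'self'; img-src 'self' https: data:; media-src https://cdn.example.com"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        print(f"{label}: {insecure_sources(csp) or 'no insecure sources'}")
```

Running the script against a live site's header (for example, copied from the browser's network panel) lists exactly which directives still permit HTTP loads.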

Written by
Nash N Sulthan
Cyber Security Lead Engineer