Content Security Policy (CSP) implemented with insecure scheme
CONTENT SECURITY POLICY OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 CWE-16 ISO27001-A.14.2.5 WASC-15 WSTG-CONF-12
Content Security Policy (CSP) is a security standard introduced to protect against cross-site scripting and other injection attacks. It works by restricting the sources from which a page may load content. CSP is a second layer of defence against Cross-site Scripting and related attacks, after proper output encoding and input validation. Many web applications implement CSP in an insecure way: in this case the policy declares sources with the insecure `http:` scheme, so the site allows images or media to be loaded over plain HTTP, where they can be read or altered in transit.
The impacts of this type of vulnerability include:
- Cross-site scripting - Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker injects and executes malicious scripts in a website or web application.
- Clickjacking - Clickjacking is a malicious technique that tricks an end user into clicking on a malicious link or hidden element.
- Code injection attacks - Code injection is the exploitation of a software bug caused by processing invalid data.
Mitigation / Precaution
Beagle recommends the following fixes:
- Use the `https:` scheme (or `https://` hosts) in every source URI declared in the policy, and consider adding the `upgrade-insecure-requests` directive so that any remaining HTTP references are upgraded by the browser.
- Keep the allow-list and the policies as strict as possible.
- Enable CSP on your website. CSP is enabled by sending the `Content-Security-Policy` HTTP response header; this header instructs the browser to apply the policies the administrator has specified.
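The following is an added example, not code from Beagle or the original page: a small checker that parses a `Content-Security-Policy` header, reports fetch directives that allow plain-HTTP sources (the misconfiguration described above), and rewrites the policy to the `https:` scheme plus `upgrade-insecure-requests`. The sample headers are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample policies (assumption: cdn.example.com is a hypothetical host).
WEAK_CSP = ("default-src 'self'; img-src 'self' http://cdn.example.com; "
            "media-src http: https:; script-src 'self'")
STRICT_CSP = ("default-src 'self'; img-src 'self' https://cdn.example.com; "
              "media-src https:; script-src 'self'; upgrade-insecure-requests")

# Directives whose source lists govern what the browser may fetch.
FETCH_DIRECTIVES = {"default-src", "img-src", "media-src", "script-src", "style-src",
                    "font-src", "connect-src", "frame-src", "object-src", "child-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]} (order preserved)."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def insecure_sources(header: str) -> Dict[str, List[str]]:
    """Return fetch directives whose sources permit loading over plain HTTP.

    Flags the bare 'http:' scheme, 'http://' host sources and the wildcard '*'
    (which also matches http: URLs). Reports nothing if the policy contains
    upgrade-insecure-requests, since the browser then upgrades such loads to HTTPS.
    """
    policy = parse_csp(header)
    if "upgrade-insecure-requests" in policy:
        return {}
    findings: Dict[str, List[str]] = {}
    for directive, sources in policy.items():
        if directive not in FETCH_DIRECTIVES:
            continue
        bad = [s for s in sources
               if s.lower() == "http:" or s.lower().startswith("http://") or s == "*"]
        if bad:
            findings[directive] = bad
    return findings


def harden(header: str) -> str:
    """Rewrite http sources to https and append upgrade-insecure-requests."""
    fixed: Dict[str, List[str]] = {}
    for directive, sources in parse_csp(header).items():
        rewritten = ["https:" if s.lower() == "http:"
                     else "https://" + s[7:] if s.lower().startswith("http://")
                     else s for s in sources]
        fixed[directive] = list(dict.fromkeys(rewritten))  # drop duplicates, keep order
    fixed.setdefault("upgrade-insecure-requests", [])
    return "; ".join(" ".join([d] + srcs) for d, srcs in fixed.items())
```

Running `insecure_sources(WEAK_CSP)` reports the `img-src` and `media-src` directives, while the hardened rewrite reports nothing.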