Content Security Policy (CSP) implemented with unsafe-eval

OWASP 2013-A5 OWASP 2017-A6 CWE-79 ISO27001-A.14.2.5 WASC-15 WSTG-CONF-12

Content Security Policy is a security standard. It was introduced to protect from cross-site scripting and other injection attacks. This is achieved by restricting data access from different sources. Content Security Policy is the second layer of protection from Cross-site Scripting and related attacks. This application uses an Unsafe Content Security Policy Directive unsafe-eval. This vulnerability allows the use of string evaluation functions like eval. This may lead to the attacker to bypass Content Security Policy and exploits a Cross-site Scripting vulnerability successfully.

Example

        Content-Security-Policy:
            default-src 'self';
            script-src 'self' https://code.jquery.com;

    

Impact

This vulnerability leads to cross-site scripting and related attacks.

Mitigation / Precaution

Beagle recommends the following impacts:-

  • Set proper Content Security Policy
  • Remove unsafe eval from Content Security Policy Directive

Latest Articles