Content Security Policy (CSP) implemented with unsafe-eval

By
Rejah Rehim
Published on
19 Jun 2022
Vulnerability

Content Security Policy (CSP) is a security standard introduced to protect against cross-site scripting and other injection attacks. It works by restricting the sources from which a page may load and execute content. CSP is a second layer of protection against Cross-site Scripting and related attacks. This application uses the unsafe Content Security Policy directive unsafe-eval, which permits string evaluation functions such as eval. An attacker may use this to bypass the Content Security Policy and successfully exploit a Cross-site Scripting vulnerability.

Example

        Content-Security-Policy:
            default-src 'self';
            script-src 'self' https://code.jquery.com;

Impact

This vulnerability leads to cross-site scripting and related attacks.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Set a proper Content Security Policy
  • Remove unsafe-eval from the Content Security Policy directive
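The check below is an added example, not code from the original article or from Beagle Security: it parses a Content-Security-Policy header, determines which directive actually governs eval (script-src, falling back to default-src), reports whether 'unsafe-eval' is allowed, and produces the hardened header. The weak policy is constructed for illustration; its hardened form matches the header shown under Example above.

```javascript
// Added example (not from the original article): audit a CSP header for 'unsafe-eval'.
// The sample policy below is constructed for illustration.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
// Browsers honour only the first occurrence of a directive, so later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) {
      directives.set(key, sources.map(s => s.toLowerCase()));
    }
  }
  return directives;
}

// eval() is governed by script-src; when it is absent, default-src applies.
// Returns null when neither directive exists, i.e. nothing restricts script execution.
function effectiveScriptSources(directives) {
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// True when the policy lets string evaluation (eval, new Function, string setTimeout) run.
function allowsUnsafeEval(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;          // no directive governs scripts at all
  return sources.includes("'unsafe-eval'");
}

// Harden the header by dropping 'unsafe-eval' from every directive that carries it.
// A directive left with no sources is treated by browsers as 'none', which is stricter still.
function removeUnsafeEval(header) {
  return header
    .split(';')
    .map(part => part.trim().split(/\s+/)
      .filter(t => t && t.toLowerCase() !== "'unsafe-eval'")
      .join(' '))
    .filter(Boolean)
    .join('; ');
}

// Constructed weak policy: same as the page's example, plus the offending source expression.
const weakPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval' https://code.jquery.com";
const hardenedPolicy = removeUnsafeEval(weakPolicy);
```

Note that a policy with only default-src 'self' 'unsafe-eval' and no script-src is just as weak, because script-src falls back to default-src.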
Written by
Rejah Rehim
Co-founder, Director