Content Security Policy implemented with unsafe inline

By Prathap
Published on 19 Jun 2022
1 min read
Vulnerability: Content Security Policy

Content Security Policy (CSP) is a security standard introduced to protect against cross-site scripting and other injection attacks. It does this by restricting the sources from which a page may load and execute content. This application uses the unsafe Content Security Policy directive value unsafe-inline. That value allows the execution of inline scripts, which largely defeats the purpose of Content Security Policy: once inline scripts are permitted, a Cross-site Scripting vulnerability on your website is effortless to exploit successfully.

Example

The attacker can inject malicious code embedded in an inline script tag. The following is an example of an inline script that a policy containing unsafe-inline would allow to run.

        <script>sendMyDataToDemonicDotCom();</script>

Impact

The impacts of this type of vulnerability include:

  • Cross-site scripting - Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker executes malicious scripts in a website or web application.
  • Clickjacking - Clickjacking is a malicious technique that tricks an end user into clicking on a malicious link.
  • Code injection attacks - Code injection is the exploitation of a bug caused by an application processing invalid data as code.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Make sure to set a proper Content Security Policy.
  • Remove unsafe-inline from the Content Security Policy directives.

Written by Prathap, Co-founder, Director