Vulnerability
Content Security Policy
Content Security Policy is a security standard. It was introduced to protect from cross-site scripting and other injection attacks. This is achieved by restricting data access from different sources. This application uses an Unsafe Content Security Policy Directive unsafe-inline. This vulnerability allows the execution of inline scripts, which almost defeats the purpose of Content Security Policy. When this is approved, it’s effortless to exploit a Cross-site Scripting vulnerability on your website successfully.
Example
The attacker can send malicious code embedded in a script. The following is an example.
<script>sendMyDataToDemonicDotCom();</script>
Impact
The impacts of this type of vulnerability include:-
- Cross-site scripting - Cross-site Scripting (XSS) is a client-side code injection attack where an attacker can execute malicious scripts into a website or web application.
- Clickjacking - Clickjacking is a malicious technique of tricking an end user into clicking on a malicious link.
- Code injection attacks - Code injection is the exploitation of a computer bug which includes processing invalid data.
Mitigation / Precaution
Beagle recommends the following fixes:-
- Make sure to set a proper Content Security Policy.
- Try to remove all unsafe inline from Content Security Policy Directive.
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
