Content-Security-Policy (CSP) HTTP Header

Test for overly permissive Content Security Policy (CSP).

💡 See the OWASP Testing Guide on WSTG-CONF-12.

The Content-Security-Policy header in the HTTP response should be checked to validate that it is not too permissive.

CSP can be delivered to the user agent using one of the following techniques:

  1. The Content-Security-Policy HTTP response header field. This is the preferred technique.
  2. A <meta> HTML element with its http-equiv attribute set to Content-Security-Policy. Such elements need to be placed as early as possible in the document.
  3. The Content-Security-Policy-Report-Only HTTP response header field. This header is used when the developer is unsure of the CSP's behaviour and wants to monitor violations instead of enforcing the policy.

POC

Create file csp_poc.php

<?php
// NOTE: the header() calls below only run when this file is served by a PHP-enabled server.
// Serve the body as JavaScript so the calling page treats it as script.
header("Content-Type: application/javascript");
// Permissive CORS headers so that any origin may read the response.
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: access");
header("Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS");
header("Access-Control-Allow-Credentials: true");
?>
alert("jQuery XSS POC for: " + document.domain);

Start an HTTP server

cd <website directory>

# Python 2.7
python -m SimpleHTTPServer 80

# Python 3.x
python -m http.server

# Windows
C:\Python27\python.exe -m SimpleHTTPServer 8081

Visit the vulnerable website, i.e. the one with the overly permissive CSP.

Open the web console – TO BE VALIDATED, NOT WORKING YET

$.get('http://127.0.0.1:8081/csp_poc.php')

Chrome & Firefox console – TO BE VALIDATED, NOT WORKING YET

fetch('http://127.0.0.1:8081/csp_poc.php')

Works in Chrome (the returned promise has PromiseState: fulfilled)

fetch('https://dummyimage.com/100/ff6666&text=CSP')
fetch('https://gist.github.com/modalsoul/3868393.js')

The target is not vulnerable if the console shows a message such as:

Access to fetch at 'http://127.0.0.1:8081/csp_poc.php' from origin '<vulnerable url>' has been blocked by CORS policy...
Cross-Origin Request Blocked

The command demonstrates the ability to reach out to an untrusted domain to execute a malicious script.
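The console checks above test one thing by hand: whether the page's policy lets a fetch() reach a host the site does not trust. The JavaScript below is added here as an illustration and is not part of the original page. It parses a Content-Security-Policy value, flags the permissive settings this page tells you to look for ('unsafe-inline', 'unsafe-eval', wildcard and scheme-only sources, a missing or weak object-src), and predicts offline whether the POC URL http://127.0.0.1:8081/csp_poc.php would be allowed under a given policy. The two policies, the page URL https://www.example.com/ and the host cdn.example.net are constructed samples; path matching and the specification's http-to-https upgrade rule are left out. One caveat for reading the console output: the "blocked by CORS policy" message quoted above comes from the browser's CORS check, which runs independently of CSP; a CSP block is reported in the console as a violation of the relevant directive.

```javascript
// Added example, not part of the original page: a small CSP evaluator.
// Policies, page URL and CDN host below are constructed samples.

// Parse "directive src src; directive src" into { directive: [sources] }.
// Directive names are case-insensitive; browsers honour the first occurrence
// of a repeated directive, so later duplicates are ignored here too.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Fetch directives (script-src, connect-src, img-src, ...) fall back to
// default-src when absent; with neither present the browser applies no limit.
function effectiveSources(policy, directive) {
  return policy[directive] || policy['default-src'] || null;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Does a single source expression permit `url` when loaded from `page`?
// Handles 'self', 'none', '*', scheme sources (https:) and host sources
// ([scheme://][*.]host[:port|:*]). Path matching is omitted (simplification).
function sourceMatches(src, url, page) {
  if (src === "'self'") return url.origin === page.origin;
  if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (src === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : page.protocol; // schemeless host: page's scheme
  if (url.protocol !== wantScheme) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === '*') return true;
  if (port) return urlPort === port;
  return urlPort === (DEFAULT_PORT[url.protocol] || ''); // no port in source: default port only
}

// Would the browser allow `directive` to load `targetUrl` under `header`
// when the document is `pageUrl`?
function isAllowed(header, directive, targetUrl, pageUrl) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true; // no applicable directive: unrestricted
  const url = new URL(targetUrl), page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Flag the weak settings a reviewer should call out in the policy.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const script = effectiveSources(policy, 'script-src');
  if (script === null) findings.push('no script-src or default-src: script loading is unrestricted');
  for (const s of script || []) {
    if (s === "'unsafe-inline'") findings.push("script-src allows 'unsafe-inline' (inline scripts and event handlers run)");
    if (s === "'unsafe-eval'") findings.push("script-src allows 'unsafe-eval' (eval/Function/string timers)");
    if (s === '*' || /^(https?|data):$/.test(s)) findings.push(`script-src allows scripts from any ${s} source`);
  }
  const object = effectiveSources(policy, 'object-src');
  if (!object || object[0] !== "'none'") findings.push("object-src is not 'none' (plugin content can carry script)");
  return findings;
}

// Constructed samples: a permissive policy beside a hardened one.
const WEAK = "default-src * 'unsafe-inline' 'unsafe-eval'";
const HARDENED = "default-src 'self'; script-src 'self' https://cdn.example.net; object-src 'none'; base-uri 'none'";
const PAGE = 'https://www.example.com/';              // assumed URL of the tested site
const POC = 'http://127.0.0.1:8081/csp_poc.php';      // the URL fetched in the console check

for (const [name, header] of [['weak', WEAK], ['hardened', HARDENED]]) {
  console.log(`${name}: fetch(POC) allowed = ${isAllowed(header, 'connect-src', POC, PAGE)}`);
  console.log(`${name}: findings = ${JSON.stringify(auditCsp(header))}`);
}
```

Run it with node: the weak policy allows the POC fetch and yields four findings, the hardened one blocks it (connect-src falls back to default-src 'self') with no findings. Swap in a header captured with Burp to evaluate a real target's policy the same way.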

Reporting

CVSS Score v3: 0
CVSS Vector v3: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N&version=3.1

English

Title: Insecure Content Security Policy (CSP)
Description: When the server sends Content-Security-Policy (CSP) headers, the browser is aware of, and capable of protecting the user from, dynamic calls that load content into the page currently being visited.
When CSP is misconfigured or not set, an attacker might be able to run malicious JavaScript, which could lead to a partial compromise of confidentiality and integrity. The exploitability of this flaw depends on whether an attacker can inject JavaScript into the application, or whether any allowed script source can be abused to host potentially malicious files.
Even on a fully static website, which does not accept any user input, a CSP can be used to enforce the use of Subresource Integrity (SRI). This can help prevent malicious code from being loaded on the website if one of the third-party sites hosting JavaScript files (such as analytics scripts) is compromised.
Steps to reproduce: Using the Burp Suite tool, intercept requests while visiting the website. The Content-Security-Policy HTTP header is not set in the server response.
Include a screenshot.
Open a browser (Chrome was used) and visit the website. Open the Inspector and go to the Console tab. The following command demonstrates the ability to reach out to an untrusted domain:
fetch('https://loremflickr.com/320/240/alpaca')
Include a screenshot.
Remediation: It is recommended to ensure that the Content Security Policy (CSP) is set and does not contain weak policy configurations, or sources known to host files which can be used to bypass the CSP. Consider the risk associated with allowing the "unsafe-inline" and "unsafe-eval" policies.
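A corrected policy is normally rolled out with the Content-Security-Policy-Report-Only header (delivery technique 3 above) before it is enforced, and the violation reports the browser sends decide whether the remediation is complete. The JavaScript below, added here as an illustration and not part of the original page, triages a batch of such reports: it accepts both the report-uri JSON shape ({"csp-report": {...}}) and the Reporting API shape ({"type": "csp-violation", "body": {...}}), separates inline-script and eval violations from browser-extension noise and from external origins, and counts violations per directive. All reports, the document URL https://www.example.com/ and the blocked origin are constructed samples.

```javascript
// Added example, not part of the original page: triage of CSP violation reports
// collected during a Report-Only deployment. All sample reports are constructed.

// Reduce either report shape to the fields needed for triage.
function normalizeReport(report) {
  if (report['csp-report']) {            // legacy report-uri shape
    const r = report['csp-report'];
    return {
      document: r['document-uri'],
      directive: r['effective-directive'] || r['violated-directive'],
      blocked: r['blocked-uri'] || '',
    };
  }
  if (report.type === 'csp-violation' && report.body) {   // Reporting API shape
    const b = report.body;
    return { document: b.documentURL, directive: b.effectiveDirective, blocked: b.blockedURL || '' };
  }
  throw new Error('unrecognised CSP report shape');
}

// Bucket a blocked URI: inline script/style (needs a nonce, hash or refactor),
// eval (needs 'unsafe-eval' or refactor), browser-extension noise, or an
// external origin that the policy may or may not legitimately need to allow.
function categorize(blocked) {
  if (blocked === 'inline') return { category: 'inline' };
  if (blocked === 'eval') return { category: 'eval' };
  if (/^(chrome|moz|safari|safari-web)-extension/.test(blocked)) return { category: 'browser-extension' };
  try {
    return { category: 'external', origin: new URL(blocked).origin };
  } catch {
    return { category: 'other' }; // bare schemes such as "data" or "blob" are not parseable URLs
  }
}

// Aggregate a batch of reports into counts per directive and per category,
// plus the sorted set of external origins that triggered violations.
function summarizeReports(reports) {
  const byDirective = {}, byCategory = {}, origins = new Set();
  for (const raw of reports) {
    const r = normalizeReport(raw);
    const c = categorize(r.blocked);
    byDirective[r.directive] = (byDirective[r.directive] || 0) + 1;
    byCategory[c.category] = (byCategory[c.category] || 0) + 1;
    if (c.category === 'external') origins.add(c.origin);
  }
  return { byDirective, byCategory, externalOrigins: [...origins].sort() };
}

// Constructed sample reports, as a collector endpoint might receive them.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'effective-directive': 'script-src',
      'blocked-uri': 'http://127.0.0.1:8081', 'original-policy': "default-src 'self'" } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'violated-directive': 'script-src',
      'blocked-uri': 'inline' } },
  { type: 'csp-violation', body: { documentURL: 'https://www.example.com/account', effectiveDirective: 'connect-src',
      blockedURL: 'http://127.0.0.1:8081/csp_poc.php', disposition: 'report' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'effective-directive': 'script-src',
      'blocked-uri': 'chrome-extension' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'effective-directive': 'style-src',
      'blocked-uri': 'inline' } },
];

console.log(JSON.stringify(summarizeReports(SAMPLE_REPORTS), null, 2));
```

On the constructed batch the summary shows two external violations (both from http://127.0.0.1:8081, the POC host used on this page), two inline violations that a nonce- or hash-based policy would have to cover, and one extension report that can be ignored; a policy can be switched from Report-Only to enforcing once the remaining categories are either explained or fixed.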

French

Title
Description
Steps to reproduce
Remediation: It is recommended to .