diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy.md index 463a200c56..a9c6fd2928 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy.md 
@@ -18,13 +18,13 @@ Content Security Policy supports directives which allow granular control to the To test for misconfigurations in CSPs, look for insecure configurations by examining the `Content-Security-Policy` HTTP response header or CSP `meta` element in a proxy tool: -- `unsafe-inline` directive enables inline scripts or styles making the applications susceptible to XSS attacks. -- `unsafe-eval` directive allows `eval()` to be used in the application. +- `unsafe-inline` directive enables inline scripts or styles, making the applications susceptible to [XSS](../07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.md) attacks. +- `unsafe-eval` directive allows `eval()` to be used in the application and is susceptible to common bypass techniques such as data URL injection. - `unsafe-hashes` directive allows use of inline scripts/styles, assuming they match the specified hashes. - Resources such as scripts can be allowed to be loaded from any origin by the use wildcard (`*`) source. - Also consider wildcards based on partial matches, such as: `https://*` or `*.cdn.com`. - Consider whether allow listed sources provide JSONP endpoints which might be used to bypass CSP or same-origin-policy. -- Framing can be enabled for all origins by the use of wildcard (`*`) source for `frame-ancestors` directive. +- Framing can be enabled for all origins by the use of wildcard (`*`) source for `frame-ancestors` directive. Missing of frame-ancestors directive in the Content-Security-Policy header makes applications vulnerable to [clickjacking](../11-Client-side_Testing/09-Testing_for_Clickjacking.md) attacks. - Business critical applications should require to use a strict policy. ## Remediation 
@@ -51,6 +51,10 @@ script-src 'nonce-r4nd0m'; object-src 'none'; base-uri 'none'; ``` +- `script-src` directive is used to restrict the sources from which scripts can be loaded and executed. +- `object-src` directive is used to restrict the sources from which objects can be loaded and executed. +- `base-uri` directive specifies the base URL for resolving relative URLs in the page. Without this directive, the page becomes vulnerable to HTML base tag injection attacks. + ## Tools - [Google CSP Evaluator](https://csp-evaluator.withgoogle.com/)
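Review bot: In the first hunk (the `@@ -18,13` region), the rewritten `unsafe-eval` bullet makes the directive itself the subject of "is susceptible to common bypass techniques such as data URL injection", which misstates the risk: `unsafe-eval` permits string-to-code evaluation (`eval()`, `Function()`, string arguments to `setTimeout`), so any attacker-controlled string that reaches one of those calls runs as script; that has nothing to do with data URLs, which are governed by the sources allowed in `script-src`. Suggest: "`unsafe-eval` directive allows `eval()` and similar string-to-code functions, so attacker-controlled strings reaching them execute as script." The `frame-ancestors` addition in the same hunk also needs a grammar fix: "Missing of frame-ancestors directive in the Content-Security-Policy header makes applications vulnerable to ..." reads better as "Omitting the `frame-ancestors` directive from the `Content-Security-Policy` header leaves the application vulnerable to [clickjacking](...) attacks." Finally, please confirm that the two new relative links (`../07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.md` and `../11-Client-side_Testing/09-Testing_for_Clickjacking.md`) resolve in the rendered guide.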
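Review bot: In the second hunk (the `@@ -51,6` region), the `base-uri` bullet overstates the consequence: omitting `base-uri` does not by itself make a page vulnerable, it removes a mitigation, so an attacker who can already inject markup can add a `<base>` element and have relative URLs (including relative script URLs, which a nonce-based policy otherwise protects) resolve against a host they control. Suggest: "Without this directive, an attacker who can inject HTML can add a `<base>` element that redirects relative URLs, including script URLs, to an origin they control." Since the policy shown just above uses `'nonce-r4nd0m'` and `object-src 'none'`, the other two bullets would be more useful if tied to it: for `script-src`, note that with a nonce source only `<script>` elements carrying the matching `nonce` attribute execute; for `object-src`, say "plugin content such as `<object>` and `<embed>` elements" rather than "objects", and that `'none'` blocks it entirely.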