Content Security Policy Not Set


Description

The application does not set a Content Security Policy. The header was first implemented in Firefox 4, has since been defined as a W3C recommendation, and is supported by all major browsers, with only partial support in Internet Explorer. CSP provides a standard set of directives that define the approved sources of content (scripts, styles, images, frames, and so on) that the browser is permitted to load for a page.

Impact

Without a policy, an attacker who can influence the source of JavaScript on a page can trick the browser into loading malicious script when the application is loaded. An attacker can use a cross-site scripting attack against application users to download malware onto the user's computer, steal session IDs, or trick users into handing over application credentials. Although a properly configured Content Security Policy can be effective at limiting XSS and related attacks, it should be implemented as a defense-in-depth measure and not relied on as a standalone remedy for these attacks.
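As an added example that is not part of the original finding, the following Python helper shows the checks a tester would run on a response: it reports a missing header, a report-only policy that blocks nothing, and script-source settings (such as 'unsafe-inline' or a wildcard) that undermine the policy. The header values are constructed samples, and the checks it performs are an assumption about what is worth flagging, not an exhaustive policy audit.

```python
# Added example (not from the original finding): parse a Content-Security-Policy
# header and flag weaknesses a tester would report next to "CSP not set".
# The header values below are constructed samples, not captured from a real site.

# Script sources that leave script loading effectively unrestricted.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}.

    Directives are ';'-separated, sources are whitespace-separated, and directive
    names are case-insensitive, so they are normalised to lowercase."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def assess_csp(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" not in lowered:
        if "content-security-policy-report-only" in lowered:
            return ["CSP is report-only: violations are reported but nothing is blocked"]
        return ["Content-Security-Policy header not set"]
    policy = parse_csp(lowered["content-security-policy"])
    findings = []
    # script-src falls back to default-src; with neither, scripts may load from anywhere.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: script sources are unrestricted")
    else:
        findings.extend(f"script-src allows {src}" for src in script_src if src in WEAK_SCRIPT_SOURCES)
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src or default-src: plugin content is unrestricted")
    return findings


# Constructed sample responses a tester might encounter.
MISSING = {"Content-Type": "text/html"}
WEAK = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *"}
STRICT = {"Content-Security-Policy": "default-src 'none'; script-src 'self'; object-src 'none'; base-uri 'self'"}

if __name__ == "__main__":
    for name, hdrs in (("missing", MISSING), ("weak", WEAK), ("strict", STRICT)):
        print(name, assess_csp(hdrs))
```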

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References

 
