Content Security Policy (CSP) is a critical security feature designed to protect web applications from attacks like Cross-Site Scripting (XSS) by specifying which content sources are trusted. However, misconfigurations or inherent limitations can render CSP ineffective. Below, we explore common CSP misconfigurations, techniques attackers use to bypass CSP, strategies for proper CSP configuration, and real-world examples of CSP bypasses and their fixes.
1. Common CSP Misconfigurations Leading to Bypasses
2. Techniques Attackers Use to Bypass CSP
- Exploiting JSONP endpoints: a JSONP endpoint on an allowlisted domain that is not properly secured can be made to return attacker-chosen JavaScript wrapped in a callback function. Because the response comes from a trusted source, the policy permits it to execute.
- Leveraging DOM-based XSS: vulnerabilities in client-side scripts can let attacker-controlled data be executed by code the policy already trusts. CSP does not block this when the policy does not adequately restrict what client-side scripts may do.
- Utilizing CSP bypass payloads: attackers craft payloads that exploit weaknesses in the policy itself, such as iframe srcdoc attributes or data: URIs, to execute code that the policy fails to cover.
3. Proper CSP Configuration to Mitigate Bypass Attempts
- Avoiding unsafe directives: do not use 'unsafe-inline' or 'unsafe-eval' in the script-src directive; both allow untrusted scripts to execute.
- Specifying trusted sources: list specific, trusted domains for each content source instead of wildcards.
- Implementing nonces or hashes: use nonces (unique per-response tokens) or hashes so that only the specific scripts you ship are allowed to execute, which neutralizes injected scripts.
- Including comprehensive directives: set directives such as object-src and base-uri to control plugin content and the document's base URL, respectively.
4. Real-World Examples of CSP Bypasses and Fixes
- Bypassing via a JSONP endpoint:
  - Example: an attacker discovers a JSONP endpoint on a trusted domain that echoes back user input without proper sanitization. By crafting a request to this endpoint containing malicious code, the attacker executes scripts in the context of the trusted site, bypassing CSP.
  - Fix: disable or properly secure JSONP endpoints, and avoid whitelisting domains that provide JSONP services unless absolutely necessary.
- Exploiting inline scripts with 'unsafe-inline':
  - Example: a policy includes 'unsafe-inline' in its script-src directive. An attacker injects an inline script into a page, and the browser executes it because the policy allows inline scripts.
  - Fix: remove 'unsafe-inline' from the policy and use nonces or hashes to permit only specific scripts.
- Manipulating the base URL with a missing base-uri:
  - Example: a web application lacks the base-uri directive in its CSP. An attacker injects a <base> tag pointing to a malicious domain, causing relative URLs to load scripts from the attacker's site.
  - Fix: include base-uri 'self' in the CSP to restrict the base URL to the same origin.
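The configuration advice in section 3 and the fixes in section 4 can be checked mechanically. The following is an added example, not code from the original page: a small linter that parses a Content-Security-Policy header, flags the misconfigurations discussed above (unsafe keywords, wildcard script sources, missing base-uri and object-src), computes a hash source for an inline script, and compares a constructed weak policy with its corrected form. The policy strings and nonce value are constructed for illustration.

```python
"""Lint a Content-Security-Policy header for the weaknesses described above.
Added example; the two policies at the bottom are constructed, not taken from a real site."""
import base64
import hashlib

# A bare '*' or scheme-only source admits scripts from any host, so it counts as a wildcard.
WILDCARD_SOURCES = ("*", "http:", "https:")
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header: str) -> dict:
    """Turn "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_csp(header: str) -> list:
    """Return findings for the misconfigurations discussed above; [] means none were found."""
    p = parse_csp(header)
    findings = []
    script = p.get("script-src", p.get("default-src", []))  # script-src falls back to default-src
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline', so only flag it alone.
    if "'unsafe-inline'" in script and not any(s.startswith(HASH_OR_NONCE) for s in script):
        findings.append("script-src allows 'unsafe-inline': injected inline scripts will execute")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': eval() on attacker-controlled strings")
    for src in script:
        if src in WILDCARD_SOURCES or src.startswith("*."):
            findings.append(f"script-src source {src} is a wildcard; list specific trusted hosts")
    if "base-uri" not in p:  # base-uri does NOT fall back to default-src
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    if "object-src" not in p and p.get("default-src") != ["'none'"]:
        findings.append("object-src missing: plugin content is not restricted")
    return findings

def script_hash(source: str) -> str:
    """Hash source expression for an inline script body, usable instead of a nonce."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

# Constructed policies: WEAK_CSP shows the misconfigurations above, FIXED_CSP corrects them.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"
FIXED_CSP = "default-src 'self'; script-src 'self' 'nonce-cmFuZG9tMTIz'; object-src 'none'; base-uri 'self'"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        print(name, check_csp(policy) or ["no findings"])
```

The hash returned by script_hash must be computed over the exact script body (whitespace included), since any change to the inline script invalidates it.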
By understanding these common misconfigurations and attack techniques, and by implementing robust CSP configurations, web applications can significantly reduce the risk of CSP bypasses and enhance their security posture.