Synopsis
Permissive Content Security Policy Detected
Description
Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.
One or several permissive directives have been detected. See output for more details.
Solution
Content Security Policy gives control over where the resources of a website may be loaded from. How a policy is implemented depends on the application type (web application, API, ...) and the directives have to be specified accordingly.
For web applications, the following directive configurations can usually be applied to restrict the policy:
- 'frame-ancestors' should be set to 'none' to prevent the page from being rendered in a <frame>, <iframe>, <object>, <embed>, or <applet>.
- 'form-action' should be explicitly set to 'self' to restrict form submission to the origin from which the protected page is being served.
- Any 'unsafe-*' keyword indicates that the permitted action is considered unsafe; it is better to refactor the code to avoid the HTML event handlers that rely on it.
- The data:, https: and http: scheme sources in 'default-src', 'object-src', 'base-uri' and 'script-src' allow execution of unsafe scripts and should not be set.
- * and *.* in 'script-src' and other '-src' directives allow execution of unsafe scripts and should be restricted.
- 'default-src' should be explicitly set to 'self' or 'none', with the individual directives for each source type set more permissively only where required.
- * and *.* in 'default-src' cause every directive that is not explicitly configured to fall back to an unsafe default, and should not be set.
For APIs, there should not be any need to load resources like scripts or frames, so specifying a strict policy using default-src 'none' and frame-ancestors 'none' is recommended.
If some unsafe directives are required for business continuity in your environment, apply mitigating controls suitable for your environment and work with the vendors of the products for which these directives are required. Note that different CSP versions exist, and that some of the directives may not work depending on the browser versions used when accessing the web application.
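The checks above can be applied to a Content-Security-Policy header value before it is deployed. The following is an added example (not part of the plugin or its output) that parses a header and reports each permissive configuration listed in the solution; the finding codes and the sample headers are constructed for illustration.

```python
"""Report the permissive CSP configurations described above for a header value.
Added example with constructed sample headers; not the plugin's own logic."""

RISKY_SCHEMES = {"data:", "https:", "http:"}   # scheme sources that admit unsafe scripts
SCHEME_SENSITIVE = {"default-src", "object-src", "base-uri", "script-src"}
WILDCARDS = {"*", "*.*"}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}, lower-cased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().lower().split()
        # Browsers honour only the first occurrence of a duplicated directive.
        if tokens and tokens[0] not in policy:
            policy[tokens[0]] = tokens[1:]
    return policy


def csp_findings(header):
    """Return (directive, code) pairs, one per permissive configuration found."""
    policy = parse_csp(header)
    findings = []
    # frame-ancestors 'none' stops the page from being framed (clickjacking).
    if policy.get("frame-ancestors") != ["'none'"]:
        findings.append(("frame-ancestors", "not-none"))
    # form-action 'self' keeps form submissions on the serving origin.
    if policy.get("form-action") not in (["'self'"], ["'none'"]):
        findings.append(("form-action", "not-self"))
    # default-src must be explicit; widen per-type directives, not this one.
    if policy.get("default-src") not in (["'self'"], ["'none'"]):
        findings.append(("default-src", "not-self-or-none"))
    for directive, sources in policy.items():
        for src in sources:
            if src.startswith("'unsafe-"):
                findings.append((directive, "unsafe-keyword"))
            elif src in WILDCARDS and directive.endswith("-src"):
                findings.append((directive, "wildcard"))
            elif src in RISKY_SCHEMES and directive in SCHEME_SENSITIVE:
                findings.append((directive, "scheme-source"))
    return findings


# Constructed sample headers: a permissive policy and a restrictive one.
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' https:; object-src data:"
STRICT_CSP = ("default-src 'none'; script-src 'self'; object-src 'none'; "
              "base-uri 'none'; frame-ancestors 'none'; form-action 'self'")

if __name__ == "__main__":
    for directive, code in csp_findings(WEAK_CSP):
        print(f"{directive}: {code}")
```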
Plugin Details
Scan Template: basic, config_audit, full, overview, pci, quick, scan
Risk Information
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS Score Source: Tenable
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score Source: Tenable
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score Source: Tenable
Reference Information
CWE: 1021
OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A4
WASC: Application Misconfiguration
CAPEC: 103, 181, 222, 504, 506, 654
DISA STIG: APSC-DV-002560
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.4.3
PCI-DSS: 3.2-6.5