Content Security Policy (CSP) is a computer security standard that provides an added layer of protection against Cross-Site Scripting (XSS), clickjacking, and other code injection attacks that rely on executing malicious content in the context of a trusted web page. These attacks are used for everything from data theft to site defacement to malware distribution.
- CSP is a way of whitelisting what your site is allowed to run.
- It is quite comprehensive and contains many keywords.
TYPICAL XSS ATTACK VECTORS
- Embedding external resources in the page.
- Writing script to the page source.
- Modifying the Document Object Model (DOM).
SCRIPT TO CHECK XSS VULNERABILITY:
https://gist.github.com/jonathantneal/656b23d080994df1587f770f61d88c77
UNDERSTANDING CSP
- Below is the general form of the CSP response header.
HEADER:
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' [uris]; style-src 'self' 'unsafe-inline' [uris]; img-src 'self' [uris]; frame-src [uris]; font-src 'self' [uris]; report-uri [uri]
- Declares approved sources of content that can run on the page.
- Also specifies how scripts and styles may be embedded in a page.
- Provides other defenses to protect from cross-site attacks.
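To make the header model above concrete, here is an added example (not code from the original page) that parses a CSP header value and flags the settings that weaken its XSS protection; the sample headers, the `https://cdn.example` host, the `/csp-report` path and the nonce value are constructed placeholders.

```javascript
// Added example (not from the original page): parse a CSP header value and
// flag the settings that weaken its XSS protection.

// Split "name src src; name src" into a Map of directive name -> source list.
// Directive names are case-insensitive; source tokens are kept as written
// because nonce and hash values are case-sensitive.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const directive of headerValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Return one finding string per weakness found in the policy.
function auditCsp(headerValue) {
  const policy = parseCsp(headerValue);
  const findings = [];
  if (!policy.has('default-src')) {
    findings.push('no default-src: any fetch directive left unset is unrestricted');
  }
  // script-src decides what may execute; it falls back to default-src when absent.
  const scriptSrc = policy.get('script-src') || policy.get('default-src') || [];
  if (scriptSrc.includes("'unsafe-inline'")) {
    findings.push("script-src 'unsafe-inline': injected inline <script> and event handlers execute");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src 'unsafe-eval': eval() and new Function() on injected strings execute");
  }
  if (scriptSrc.includes('*') || scriptSrc.some(s => /^https?:$/.test(s))) {
    findings.push('script-src allows every origin: externally hosted scripts load from anywhere');
  }
  return findings;
}

// Constructed sample: the permissive shape of the header shown on the page,
// with the [uris] placeholder filled by an example CDN host.
const weakHeader =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self'; report-uri /csp-report";

// Constructed hardened version: default-src set, inline script allowed only via a
// nonce (placeholder value here; a real server generates a fresh one per response).
const strongHeader =
  "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; style-src 'self'; " +
  "img-src 'self'; object-src 'none'; report-uri /csp-report";

console.log(auditCsp(weakHeader));   // three findings
console.log(auditCsp(strongHeader)); // []
```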
If we run the script linked above on a site with a properly configured CSP, the browser reports the error below instead of executing the script's actions.
