
Adding  Content-Security-Policy Header to Web Tier

Question asked by Todd Brown on Nov 28, 2016
Latest reply on Nov 28, 2016 by Edward Davis

Recent pen test found this as a vulnerability that needs to be patched. I was wondering how to accomplish this on the web tier.

The lack of Content Security Policy (CSP) headers leaves a potential protection unimplemented for unknown or yet to be discovered vulnerabilities in web applications. The remote web server in some responses sets a permissive Content-Security-Policy (CSP) response header or does not set one at all.


The CSP header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and clickjacking attacks. In order to exploit this flaw, an attacker would likely need to find a valid cross-site scripting or clickjacking exploit.

CSP [CSP] is a pair of optional HTTP headers which instruct the browser on how it should handle certain content which commonly presents browser security concerns.

By implementing a CSP policy, many newer browsers (2012 and newer, with a notable exception of IE) will only load security-sensitive content, such as JavaScript, from the sources specified in the CSP HTTP header. Options include the ability to restrict inline scripts, or scripts from untrusted third-party sources, both of which can be common methods for XSS injection.

When properly configured, CSP can also provide reports of malicious attempts against application users to the site operator in the form of a JSON POST to a configurable location. This feedback can act as an important warning of malicious activity from a source (the end user's browser) which has historically been a blind spot for site operators. CSP should not, however, be seen as a way to avoid implementing proper input and output validation. When properly utilized, its most important feature is as a detective control, not a preventative one. Prevention still lies with the programmer and application logic.

Reproduce

curl -ki https://xxx.xxx.xxx.xxx/console-selfservice/


HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Tue, 01 Nov 2016 15:54:36 GMT
Pragma: No-cache
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: console-selfservicejsessionid=K2yWYY6cZZQlnvn5hHjVTq1NvSnf6Sy1hTh32T2LnYGR2n73Vj3t!-1655169621; path=/console-selfservice; secure; HttpOnly
X-Powered-By: Servlet/3.0 JSP/2.2
X-Frame-Options: SAMEORIGIN
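As an added example (not code from the original post, the pen test report, or the product's web tier), the script below puts the three points of the finding into working Python: it builds a restrictive Content-Security-Policy value from a directive map, audits a captured response for the two conditions the test flagged (header absent, or header present but permissive), and parses the JSON violation report a browser POSTs to the report-uri location. The sample responses, the policy, the /csp-report path and the violation report are all constructed for this example; the permissive-source list is an assumption chosen to match the common CSP weaknesses, not an exhaustive rule set.

```python
"""Build, audit and report on Content-Security-Policy headers.

Added example, not code from the original post or the product's web tier.
"""
import json

# Source expressions that make a directive permissive.  Constructed for this
# example; '*' and scheme-only sources allow any host, the 'unsafe-*' keywords
# re-enable the inline/eval behaviour CSP exists to block.
PERMISSIVE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def build_csp(directives):
    """Serialise {directive: [sources]} into a header value, preserving order.
    A directive with no sources (e.g. upgrade-insecure-requests) is emitted bare."""
    parts = []
    for name, sources in directives.items():
        parts.append(name if not sources else f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def parse_csp(value):
    """Parse a header value into {directive: [sources]}.
    Directives are ';'-separated, tokens whitespace-separated, names case-insensitive.
    When a directive is repeated the first occurrence wins, as browsers apply it."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def parse_headers(raw):
    """Split a raw HTTP response (status line + headers) into {lower-name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


def audit_csp(raw_response):
    """Return a list of findings for the response's CSP header; [] means acceptable."""
    value = parse_headers(raw_response).get("content-security-policy")
    if value is None:
        return ["Content-Security-Policy header not set"]
    policy = parse_csp(value)
    findings = []
    # default-src is the fallback for script-src, img-src etc.; without it every
    # fetch directive that is not listed explicitly is unrestricted.
    if "default-src" not in policy:
        findings.append("no default-src fallback directive")
    for name, sources in policy.items():
        for src in sources:
            if src in PERMISSIVE_SOURCES:
                findings.append(f"{name} allows {src}")
    return findings


def parse_violation_report(body):
    """Extract the fields worth alerting on from a report-uri JSON POST body."""
    report = json.loads(body)["csp-report"]
    return {
        "document": report.get("document-uri"),
        "directive": report.get("violated-directive") or report.get("effective-directive"),
        "blocked": report.get("blocked-uri"),
    }


# Constructed response in the shape of the one in the post: no CSP header at all.
RESPONSE_NO_CSP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

# Constructed response whose policy is present but permissive.
RESPONSE_PERMISSIVE_CSP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'\r\n"
    "\r\n"
)

# A restrictive policy for a self-contained application: same-origin content only,
# no inline script, no plugins, framing limited to the same origin (the CSP
# counterpart of X-Frame-Options: SAMEORIGIN), reports to a hypothetical path.
STRICT_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'self'"],
    "report-uri": ["/csp-report"],   # hypothetical endpoint on the same host
}

# Constructed violation report for an inline script blocked by STRICT_POLICY.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://host.example/console-selfservice/",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
}})

if __name__ == "__main__":
    strict_response = "HTTP/1.1 200 OK\r\nContent-Security-Policy: " + build_csp(STRICT_POLICY) + "\r\n\r\n"
    print(build_csp(STRICT_POLICY))
    print(audit_csp(RESPONSE_NO_CSP))
    print(audit_csp(RESPONSE_PERMISSIVE_CSP))
    print(audit_csp(strict_response))
    print(parse_violation_report(SAMPLE_REPORT))
```

Running it reports the missing header for the first sample, the wildcard default-src and 'unsafe-inline' script-src for the second, and no findings for the strict policy, then prints the parsed report. Before deploying a policy like STRICT_POLICY, serve it as Content-Security-Policy-Report-Only first and watch the report endpoint: the reports show which inline scripts or third-party sources the application actually depends on, so the enforcing policy can be tightened without breaking the console.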
