Medium Vulnerability Description
The server does not include a Content-Security-Policy header in HTTP(S) responses.
Impact
Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. To use CSP, the developer writes a set of rules to govern which servers an app can open connections to, limit the types of content it can download from those servers, and restrict the use of dangerous features like inline scripts and the eval function.
Verification and Attack Information
Praetorian identified this issue through a manual application walkthrough by reviewing HTTP headers. While doing so, Praetorian noted that Content-Security-Policy header was not included in server response headers.
Recommendation
Best practices for web applications suggest that servers should specify a Content Security Policy (CSP) to whitelist the actions that their users' browsers are allowed to take.
References
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
For Testing :
1. Open Login Page --> Inspect Element --> Network Tab --> Reload Page (Ctrl + F5)
2. Check Response Headers of all files --> Content-Security-Policy attribute is visible.
Assigning to Zeeshan
Content Security Policy is implemented but it can be further fine
tuned. for example adding script-src, style-src,connect-src directives.
Zeeshan Chishty (Inactive)
added a comment - Content Security Policy is implemented but it can be further fine
tuned. for example adding script-src, style-src,connect-src directives. Earlier value is also fine and secured, if following is the recommendation, then it will be fine.
Please confirm the following value and inform us.
Follow value for Content-Security-Policy
Value : script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self'
Recommended settings has been done on LB and Local.
Response Header : Content-Security-Policy
Value : script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self'
Verified the fix implemented
Zeeshan Chishty (Inactive)
added a comment - Verified the fix implemented Verified on Stage as the policy is implemented
Zeeshan Chishty (Inactive)
added a comment - Verified on Stage as the policy is implemented Hi Rakesh Roy
Assigning this ticket to you for functional testing.
Zeeshan Chishty (Inactive)
added a comment - Hi Rakesh Roy
Assigning this ticket to you for functional testing. Kindly check this , for more details discuss with Niteen.
As discussed with Niteen Surwase functional testing is not needed for this change, hence assigning back to dev team.
Kunal Kedari (Inactive)
added a comment - As discussed with Niteen Surwase functional testing is not needed for this change, hence assigning back to dev team. Hi Rakesh Roy
As attribute is changed for Newrelic so we will directly deploy it on stage. New relic is not available on Development and Testing environment.
As discussed with Niteen Surwase functional testing is not needed for this change, hence assigning back to dev team.
Kunal Kedari (Inactive)
added a comment - As discussed with Niteen Surwase functional testing is not needed for this change, hence assigning back to dev team.
Help URL
https://ole.michelsen.dk/blog/secure-your-website-with-content-security-policy.html
http://content-security-policy.com/
HTTP Response Header
Name : Content-Security-Policy
Value : default-src 'self' 'unsafe-inline' 'unsafe-eval';