
Preventing XSS and Data Injection Attacks with Content Security Policy (CSP)

  • Abdul Aziz
  • Oct 2, 2021
  • 2 min read

A Content Security Policy (CSP) can be implemented at the server or in application code to mitigate attacks such as Cross-Site Scripting (XSS), data injection and, for content the policy forces over HTTPS, packet sniffing. CSP is an additional layer of security that the server returns to the user agent.

It is a response header that controls which resources the user agent is allowed to load for that page. In an XSS exploitation, an adversary can add malicious code or content to the website and have it executed in the user's browser; CSP limits the sources from which such content may be loaded.

A website's security headers can be tested with tools such as Burp Suite, Postman, SoapUI and others. In this article, Burp Suite is used for the test.




Proof of Concept:

To test and validate the CSP control, Burp Suite is used. In the picture below, a resource of the xyz website is requested by the user agent (in this case the user's browser), and in the server's response to that request no CSP header can be observed.


Implementing the CSP:


Before implementing CSP, the administrator or security analyst must make sure that every resource the site uses comes from a trusted source, because any content linked from a different origin (website) will be blocked if the CSP does not allow it. In short: allow the specified sources and block all others.


A CSP is written with the following syntax:


Content-Security-Policy: default-src 'self' trusted.com *.trusted.com

The policy above means the following:

  • default-src 'self': the website may load resources that originate from the website itself, i.e. the same origin (scheme, host and port) as the page.

  • trusted.com: any site from which we allow resources to be loaded.

  • *.trusted.com: the wildcard allows all subdomains of trusted.com to be loaded when the page requests them. The wildcard does not cover trusted.com itself, which is why both entries are listed.

Note: several other directives can be used to tighten the policy and to prevent execution of content or scripts that do not originate from the website itself.
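To make the three source expressions concrete, here is a small, simplified model of how a browser matches a default-src source list against a resource load. This is an added example, not code from the post; the policy string, the page origin https://xyz.example and the resource URLs are constructed. Path matching is not modelled.

```python
"""Simplified browser-style CSP source matching (added example, not the post's own code).
Shows how 'self', a bare host name and a wildcard host in default-src decide
which loads are allowed. The policy, page origin and URLs are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def build_csp(policy: dict) -> str:
    """Serialise {directive: [sources]} into the header value a server would send."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def _origin(url: str):
    """(scheme, host, effective port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname, u.port or DEFAULT_PORTS.get(scheme)


def source_allows(expr: str, page_origin: str, resource_url: str) -> bool:
    """Does one source expression permit loading resource_url into a page at page_origin?"""
    p_scheme, p_host, p_port = _origin(page_origin)
    r_scheme, r_host, r_port = _origin(resource_url)

    if expr.startswith("'"):                      # keyword source
        keyword = expr.strip("'").lower()
        if keyword == "self":                     # exact origin match: scheme, host AND port
            return (p_scheme, p_host, p_port) == (r_scheme, r_host, r_port)
        return False                              # 'none', 'unsafe-inline', nonces and hashes never match a URL

    if expr.endswith(":") and "://" not in expr:  # scheme source such as https:
        return r_scheme == expr[:-1].lower()

    # host source: [scheme://]host[:port][/path]; the path part is ignored in this model
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    host, _, port = rest.split("/", 1)[0].partition(":")
    host = host.lower()

    if scheme is not None:
        if scheme.lower() != r_scheme:
            return False
    elif r_scheme not in (p_scheme, "https"):     # a bare host inherits the page's scheme; https is always acceptable
        return False

    if host == "*":
        host_ok = True
    elif host.startswith("*."):                   # *.trusted.com matches cdn.trusted.com but NOT trusted.com itself
        host_ok = r_host.endswith(host[1:])       # suffix check on a label boundary, so trusted.com.evil.example fails
    else:
        host_ok = r_host == host
    if not host_ok:
        return False

    if port == "*":
        return True
    if port:
        return int(port) == r_port
    return r_port == DEFAULT_PORTS.get(r_scheme)  # no port in the expression: only the scheme's default port matches


def is_allowed(header: str, page_origin: str, resource_url: str, directive: str = "script-src") -> bool:
    """Check a load against the directive for its resource type, falling back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                               # neither directive present: CSP does not restrict this load
    return any(source_allows(s, page_origin, resource_url) for s in sources)


if __name__ == "__main__":
    header = build_csp({"default-src": ["'self'", "trusted.com", "*.trusted.com"]})
    print("Content-Security-Policy:", header)
    page = "https://xyz.example"                  # constructed page origin
    for url in ("https://xyz.example/app.js", "https://cdn.trusted.com/lib.js",
                "https://trusted.com.evil.example/x.js", "http://xyz.example/app.js"):
        print(f"{'allow' if is_allowed(header, page, url) else 'block'}  {url}")
```

Two things the model makes visible that the bullet list alone does not: 'self' is an origin match, so the same host over plain http or on another port is blocked, and the wildcard is matched on a label boundary, so a look-alike host such as trusted.com.evil.example is not accepted.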


As the following screenshot shows, the Content-Security-Policy header can now be observed in the response, defining the allow-list of resources.


