From CSP to OMG: How a Tiny Misconfigured Header Let Me Run JS Anywhere
Summary
A misconfigured Content-Security-Policy (CSP) header on a website was found by security researcher Iski to have left the site open to abuse.
CSP is designed to help prevent cross-site scripting attacks by restricting the sources from which content can be loaded.
In this case, the researcher discovered that the header was allowing content to be loaded from any source, and even allowed inline scripting, which is extremely rare.
This would allow an attacker to potentially take full control of a site’s functionality, running any code they desire.
It is suggested that the default CSP setting of “self” should be used unless there is a specific reason not to, and that any other sources should then be explicitly allowed and cached to prevent these kinds of mistakes.
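As an added illustration (not code from the original article or its author), the following Python audit flags the weak CSP pattern the post describes: a wildcard source and permitted inline scripting, with a constructed weak header shown beside a corrected one. It relies only on the documented CSP rule that script-src falls back to default-src when absent; the header strings and the cdn.example.com host are constructed sample values.

```python
"""Audit a Content-Security-Policy header for wildcard and inline-script weaknesses."""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.strip() for t in tokens[1:]]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """Per the CSP spec, script-src falls back to default-src when absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def audit_csp(header: str) -> List[str]:
    """Return findings about where scripts may run; an empty list means none flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    sources = [s.lower() for s in effective_script_sources(policy)]
    if not sources:
        findings.append("no script-src or default-src: any script source allowed")
    if "*" in sources:
        findings.append("wildcard * allows scripts from any origin")
    if "'unsafe-inline'" in sources:
        findings.append("'unsafe-inline' allows inline <script> and event handlers")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' allows eval()-style code execution")
    for s in sources:
        if s in ("http:", "https:", "data:"):
            findings.append(f"scheme source {s} allows scripts from any host on that scheme")
    return findings


# Constructed sample headers: the weak pattern the article describes, and a fix
# that follows its advice (default 'self', other sources listed explicitly).
WEAK_CSP = "default-src * 'unsafe-inline'; img-src *"
FIXED_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self'"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        print(label, audit_csp(hdr) or ["ok"])
```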
This discovery was made using a Recon Nights script that scrapes domains from JavaScript files, subdomains, and XML endpoints.