Vulnerable sites could be forced to serve malicious content, despite CSP protections
CSP was developed to provide an added layer of security against cross-site scripting (XSS) and content injection attacks by enabling site admins to restrict the loading of resources according to the security policy.
The idea behind the protection is that even if a page has an XSS vulnerability, it is prevented from executing untrusted – and potentially malicious – content.
This mechanism, however, was found to be flawed on sites that have a script-src policy of 'strict-dynamic'.
Japanese security researcher Masato Kinugawa found that if a target website contained an HTML injection flaw, an attacker could inject a reference to a copy of require.js – part of Firefox’s Developer Tools – and then use a known technique leveraging that library to bypass the CSP restrictions on executing injected scripts.
“No matter how strictly you set the CSP rules, the web-accessible resources of the extension is loaded ignoring the CSP,” said the researcher, who went public with his findings yesterday.
Thankfully, this bug was disclosed responsibly and Mozilla has already fixed the issue in Firefox 60 – the latest version of its open-source browser.
While the flaw is certainly moderate in comparison to others found in Mozilla’s latest security alert, Kinugawa’s discovery once again highlights the idea that CSP should not be considered a panacea to all XSS-related vulnerabilities.
“This latest research comes more than 12 months after a Google study revealed that CSPs could be bypassed on 95% of all websites, demonstrating the ongoing difficulties in implementing this technology,” Paul Johnston, researcher at PortSwigger Web Security, told The Daily Swig.