« previous next »
Pages: [1]   Go Down

Author Topic: Often CSP implemented on websites does not follow best policies...  (Read 1255 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Often CSP implemented on websites does not follow best policies...
« on: January 18, 2020, 03:15:16 PM »
Random example: -https://fox-it.com/
CSP evaluator detects
Quote
default-src https:;
script-src https: 'unsafe-inline' 'unsafe-eval';
style-src https: 'unsafe-inline';
object-src 'none';
////////////////////////////////////
checkdefault-src
expand_more
errorscript-src
expand_more
errorhttps:
https: URI in script-src allows the execution of unsafe scripts.
error'unsafe-inline'
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
help_outline'unsafe-eval'
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
//////////////////////////////
checkdefault-src
expand_more
checkhttps:

errorscript-src
Host whitelists can frequently be bypassed. Consider using 'strict-dynamic' in combination with CSP nonces or hashes.
expand_more
errorhttps:
https: URI in script-src allows the execution of unsafe scripts.
error'unsafe-inline'
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
help_outline'unsafe-eval'
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
///////////////////////////////
https://fox-it.com
Directive "-https://fox-it.com" is not a known CSP directive.
RECX findings:
default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; object-src 'none'
Page-meta-security headers CSP not set.

Also consider the B-grade score here: https://webcookies.org/cookies/fox-it.com/28884502?365360
Quote
Advanced trackers
Advanced user tracking and fingerprinting techniques are used by websites to bypass privacy protection in web browsers and increase tracking persistence.

Beacon_API
-b'navigator.sendBeacon' … -b'navigator.sendBeacon' … -b'navigator.sendBeacon'

X-XSS-Protection header is missing
Origin script-src 'unsafe-inline' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead

Origin script-src 'unsafe-eval' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead

Origin style-src 'unsafe-inline' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead

User tracking (blocked for me inside browser) -> -https://www.google-analytics.com/analytics.js

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Logged
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
Pages: [1]   Go Up
« previous next »