Author Topic: Unsafe CSP policy is hampering security of Verizon's onesearch..  (Read 3918 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
See: https://webcookies.org/cookies/www.onesearch.com/28899335?930381
Persistent tracking is going on there.
P3P is a mostly abandoned standard for website privacy policy declaration that has little use today.
Please consider switching to the DoNotTrack standard.
On CSP misconfiguration:
Quote
Content Security Policy
frame-ancestors 'none'; default-src 'self' -https://*.onesearch.com; script-src 'self' 'unsafe-inline' 'nonce-DUH8wO761xGKs9Odg+OtUg==' 'unsafe-eval'-https://*.onesearch.com; style-src 'self' 'unsafe-inline' -https://*.onesearch.com; img-src 'self' data: -https://*.onesearch.com; frame-src 'self'; media-src *; object-src *; connect-src -https://*.onesearch.com; font-src * data:; report-uri -https://www.onesearch.com/notracking/beacon/csp?src=privatesearch;
Policy delivery method: Content-Security-Policy
Enforcement: True
No base-uri allows attackers to inject base tags which override the base URI to an attacker-controlled origin. Set to 'none' unless you need to handle tricky relative URLs scheme

Consider adding block-all-mixed-content directive if your website is only accessible over TLS and you are certain it doesn not have any legacy plaintext resources. Otherwise you may add adding upgrade-insecure-requests directive if your website may still have some legacy plaintext HTTP resources and you want them to be still available rather than blocked

You should definitely try using 'strict-dynamic' to eliminate those long lists of trusted third-party scripts

Consider using script-src 'report-sample' as it significantly helps debugging CSP reports. See specification

Origin script-src 'unsafe-inline' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead

Origin script-src 'unsafe-eval' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead

Origin style-src 'unsafe-inline' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead

The img-src data: origin allows bypassing CSP and execution of inlined untrusted scripts

The font-src data: origin allows bypassing CSP and execution of inlined untrusted scripts


Content Security Policy (CSP) implemented unsafely.

This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.

Also consider these B+ standard scan results: https://observatory.mozilla.org/analyze/www.onesearch.com

Tracking connection security: This website is secured
100% of the trackers on this site are helping protect you from NSA snooping. Why not thank onesearch dot com for being secure?

 All trackers
At least 2 third parties know you are on this webpage.

-cdn.onesearch.com
-www.onesearch.com

 Tracker is tracking with some safety measures.

 Tracker does not support secure transmission.

HTML validation check report: https://validator.w3.org/nu/?doc=https%3A%2F%2Fwww.onesearch.com%2F
- <!-- fe110.yhs.search.bf1.yahoo dot com Sat Jan 25 17:41:44 UTC 2020 -->
Quote
<panel class="drweb_select-panel" style="display: none;">
  <div class="drweb_tool-panel">
    <div class="drweb_tool-icon drweb_tool-icon_show" data-co="restore-btn" title="restore"></div>
    <div class="drweb_tool-icon drweb_tool-icon_remove" data-co="remove-btn" title="remove"></div>
    <div class="drweb_fit-btn" data-co="fit-btn" title=""></div>
  </div>
  <span data-co="label">Select the elements you want to hide on this page.</span>
  <div class="drweb_btn" data-co="save">Save</div>
  <div class="drweb_btn" data-co="cancel">Cancel</div>
  <div class="drweb_panel-plug" data-co="plug" style="display: none"></div>
</panel>

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Re: Unsafe CSP policy is hampering security of Verizon's onesearch..
« Reply #1 on: January 26, 2020, 12:07:53 AM »
L.S.

Lately I find that loads of CSP policies for websites are not being set according to best practice.
Often CSP settings conflict with the technologies a specific website uses.

In the case at hand, only JavaScript seems to be involved.
So that will diminish the relative severity of what is being alerted.

With the CSP Evaluator extension in the browser one can establish less than optimal settings at a glance.
For the website mentioned:
Quote
Medium severity finding:
script-src
  'self' (info): 'self' can be problematic if you host JSONP, Angular or user uploaded files.
  'unsafe-inline' (remove): unsafe-inline is ignored if a nonce or a hash is present. (CSP2 and above)
  'nonce-7VEBQ7JXVhm9oEPE84mErA==' (check)
  'unsafe-eval' (info): 'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
  https://*.onesearch.com (info): No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.

High severity finding:
object-src
  * (error): object-src should not allow '*' as source. Can you restrict object-src to 'none' only?

High severity finding:
base-uri [missing] (error): Missing base-uri allows the injection of base tags. They can be used to set the base URL for all relative (script) URLs to an attacker controlled domain. Can you set it to 'none' or 'self'?

Technology used JavaScript: JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object   | onformdata
object   | onpointerrawupdate
function | _scrollIntoView
object   | lst
object   | w
object   | d
function | _initCrypto
object   | YUI
object   | Y
object   | YAHOO
object   | items
object   | elems
object   | sbInput
object   | saTray
boolean  | ieVer
boolean  | stopPropertychange
function | resetHighlight
function | highlight
number   | atfCount

Also consider: Results from scanning URL: -https://www.onesearch.com/
Number of sources found: 18
Number of sinks found: 64

& https://sitereport.netcraft.com/?url=https%3A%2F%2Fwww.onesearch.com
& https://urlscan.io/result/219364ff-bd88-438e-8895-972ad2944a66

Besides, there is retirable code detected via Retire.js:
Quote
Retire.js
YUI   3.10.0   Found in -https://cdn.onesearch.com/zz/combo?yui:3.10.0/build/anim-color/anim-color-min.js&yui:3.10.0/build/anim-xy/anim-xy-min.js&yui:3.10.0/build/anim-curve/anim-curve-min.js&yui:3.10.0/build/anim-node-plugin/anim-node-plugin-min.js&yui:3.10.0/build/anim-scroll/anim-scroll-min.js
Vulnerability info:
High   CVE-2013-4940
but without any detected DOM-XSS sources and sinks  ;)

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Re: Unsafe CSP policy is hampering security of Verizon's onesearch..
« Reply #2 on: January 26, 2020, 01:03:03 PM »
First we have to establish whether there are real compatibility problems (for instance with JSON or angular.js etc.).
Then we have various checks for versions of CSP 1, 2, 3 and a nonce-based backwards compatibility for version 3.

Here https://csp-evaluator.withgoogle.com/
Quote
Evaluated CSP as seen by a browser supporting CSP Version 3

paste (clear): Directive "paste" is not a known CSP directive.
frame-ancestors (check)
  'none' (check)
default-src (check)
script-src (warning): Host whitelists can frequently be bypassed. Consider using 'strict-dynamic' in combination with CSP nonces or hashes.
  'self' (info): 'self' can be problematic if you host JSONP, Angular or user uploaded files.
  'unsafe-inline' (remove): unsafe-inline is ignored if a nonce or a hash is present. (CSP2 and above)
  'nonce-Ki50iiWVirZfbXWIisvyow==' (check)
  'unsafe-eval' (info): 'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
  https://*.onesearch.com (info): No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
style-src (check)
img-src (check)
frame-src (check)
media-src (check)
object-src (error)
  * (error): object-src should not allow '*' as source. Can you restrict object-src to 'none' only?
connect-src (check)
font-src (check)
report-uri (check)
url (clear): Directive "url" is not a known CSP directive.
  (starting with http:// or https://) here. (http:// flagged as error: Allow only resources downloaded over HTTPS.)
base-uri [missing] (error): Missing base-uri allows the injection of base tags. They can be used to set the base URL for all relative (script) URLs to an attacker controlled domain. Can you set it to 'none' or 'self'?

pol

Re: Unsafe CSP policy is hampering security of Verizon's onesearch..
« Reply #3 on: January 26, 2020, 03:40:30 PM »
Compare this to the relatively secure CSP policy for -github.com
(just one potential medium severity finding: script-src github.githubassets.com (info): No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries).

Quote
default-src 'none';
base-uri 'self';
block-all-mixed-content;
connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com;
font-src github.githubassets.com;
form-action 'self' github.com gist.github.com;
frame-ancestors 'none';
frame-src render.githubusercontent.com;
img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com;
manifest-src 'self';

Google's online CSP Evaluator does not kick up any security finding there:
Quote
Evaluated CSP as seen by a browser supporting CSP Version 3

default-src (check)
base-uri (check)
block-all-mixed-content (check)
connect-src (check)
font-src (check)
form-action (check)
frame-ancestors (check)
frame-src (check)
img-src (check)
manifest-src (check)

Also consider these results (Privacy & Security Report, CSP findings for github dot com):
Quote
Content Security Policy
default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
Policy delivery method: Content-Security-Policy
Enforcement: True
Policy that has script-src but not object-src allows script execution by injecting plugin resources. Please read our CSP guidance for more details for more details

The img-src data: origin allows bypassing CSP and execution of inlined untrusted scripts

You should definitely try using 'strict-dynamic' to eliminate those long lists of trusted third-party scripts

Consider using script-src 'report-sample' as it significantly helps debugging CSP reports. See specification

Origin style-src 'unsafe-inline' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead

polonus
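The checks quoted from the scanners in the first and last posts (missing base-uri, object-src *, 'unsafe-inline' next to a nonce, 'unsafe-eval', data: sources, the object-src fallback to default-src) written out as a small linter. This is an added example, not the code of CSP Evaluator or webcookies.org; the policies are the ones quoted in the thread with the forum's leading "-" defanging removed, and the github policy is cut down to the directives the checks look at.

```python
# Policies as quoted in the thread (forum's "-" defanging removed); github's is
# cut down to the directives the checks below look at.
ONESEARCH_CSP = (
    "frame-ancestors 'none'; default-src 'self' https://*.onesearch.com; "
    "script-src 'self' 'unsafe-inline' 'nonce-DUH8wO761xGKs9Odg+OtUg==' "
    "'unsafe-eval' https://*.onesearch.com; style-src 'self' 'unsafe-inline' "
    "https://*.onesearch.com; img-src 'self' data: https://*.onesearch.com; "
    "frame-src 'self'; media-src *; object-src *; connect-src "
    "https://*.onesearch.com; font-src * data:; report-uri "
    "https://www.onesearch.com/notracking/beacon/csp?src=privatesearch;")
GITHUB_CSP = (
    "default-src 'none'; base-uri 'self'; block-all-mixed-content; "
    "font-src github.githubassets.com; form-action 'self' github.com; "
    "frame-ancestors 'none'; img-src 'self' data: github.githubassets.com; "
    "media-src 'none'; script-src github.githubassets.com; "
    "style-src 'unsafe-inline' github.githubassets.com")

def parse_csp(policy):
    """Map directive name -> list of source expressions (first occurrence wins, as in the spec)."""
    out = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out

def lint_csp(policy):
    """Return (severity, directive, message) tuples for the checks discussed in the thread."""
    d, findings = parse_csp(policy), []
    script = d.get("script-src", d.get("default-src", []))
    keyed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script:  # CSP2+ ignores it once a nonce or hash is present
        findings.append(("info", "script-src", "'unsafe-inline' ignored, nonce/hash present") if keyed
                        else ("high", "script-src", "'unsafe-inline' allows injected inline scripts"))
    if "'unsafe-eval'" in script:
        findings.append(("medium", "script-src", "'unsafe-eval' lets eval() run injected strings"))
    obj = d.get("object-src", d.get("default-src"))  # object-src falls back to default-src
    if obj is None or "*" in obj or "https:" in obj:
        findings.append(("high", "object-src", "missing or wildcard; use object-src 'none'"))
    if "base-uri" not in d:
        findings.append(("high", "base-uri", "missing; <base> injection redirects relative script URLs"))
    for name in ("img-src", "font-src"):
        if "data:" in d.get(name, []):
            findings.append(("low", name, "data: permits inlined resources"))
    if "'unsafe-inline'" in d.get("style-src", []):
        findings.append(("medium", "style-src", "'unsafe-inline' styles"))
    if not d.keys() & {"block-all-mixed-content", "upgrade-insecure-requests"}:
        findings.append(("low", "mixed-content", "add block-all-mixed-content or upgrade-insecure-requests"))
    return findings
```

Running `lint_csp` over both policies shows why the github one scores better: its default-src 'none' already closes object-src, which the webcookies.org report above does not take into account.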