Content Security Policy (CSP) Header Not Set


Binh Nguyen

Aug 9, 2023, 10:03:37 AM
to ZAP User Group
I wonder if someone could help me? My ZAP scan complains about this, but I use curl and can see that the CSP header IS set.
I'm sure I'm missing something.

Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.


URL

https://xxx/login.jsf

Method

POST

Parameter


Attack


Evidence


Instances

1

Solution

Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.

Reference

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
http://www.w3.org/TR/CSP/
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://caniuse.com/#feat=contentsecuritypolicy
http://content-security-policy.com/

CWE Id

693

WASC Id

15

Plugin Id

10038


My curl command:
$ curl -k -i -X POST https://xxx/login.jsf
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
X-Content-Security-Policy: img-src 'self' data:;connect-src 'self';frame-src 'self';font-src 'self';media-src 'self';object-src 'self';manifest-src 'self';form-action 'self';frame-ancestors 'self';script-src 'self'
Set-Cookie: JSESSIONID=29q4TrVR-XuuOqmt52MS1VL4IGtVqhi0m1FAfiPX.egh-telsalfe4; path=/; secure; HttpOnly; SameSite=Strict
X-XSS-Protection: 1
Pragma: no-cache
X-Frame-Options: DENY
Content-Security-Policy: script-src 'self';script-src-elem 'self';script-src-attr 'self';style-src 'self';style-src-elem 'self';style-src-attr 'self';img-src 'self' data:;connect-src 'self';frame-src 'self';font-src 'self';media-src 'self';object-src 'self';manifest-src 'self';worker-src 'self';prefetch-src 'self';form-action 'self' 'nonce-ODgyYzIwZTEtMWI5YS00Mjc1LThjNjAtNGYyODM4MTc4OWY2';
X-WebKit-CSP: img-src 'self' data:;connect-src 'self';frame-src 'self';font-src 'self';media-src 'self';object-src 'self';manifest-src 'self';form-action 'self';frame-ancestors 'self';script-src 'self'
Date: Wed, 09 Aug 2023 14:01:11 GMT
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 5116

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head id="j_idt2"><link type="text/css" rel="stylesh  

Thanks.
Binh

psiinon

Aug 9, 2023, 10:23:09 AM
to zaprox...@googlegroups.com
Hi Binh,

Which version of ZAP are you running, and how are you running it?

Cheers,

Simon



--
ZAP Project leader

Binh Nguyen

Aug 9, 2023, 10:31:00 AM
to zaprox...@googlegroups.com
Hi Simon,
I scanned with both ZAP version 2.13.0 and 2.11.1, and they both say the same thing: Content Security Policy (CSP) Header Not Set
Thanks!
Binh

psiinon

Aug 9, 2023, 10:32:44 AM
to zaprox...@googlegroups.com
Can you give the full alert details for 2.13.0? I'm hoping they will give us more information.

Cheers,

Simon



--
ZAP Project leader

psiinon

Aug 9, 2023, 10:34:06 AM
to zaprox...@googlegroups.com
Also perform a "Check for updates" and update any add-ons that have changed.
It looks like you are using an older version of that scan rule.

Cheers,

Simon
--
ZAP Project leader

Binh Nguyen

Aug 9, 2023, 10:39:58 AM
to zaprox...@googlegroups.com
Thanks! I'll ask my sysadmin to do as you suggested.
Binh

Binh Nguyen

Aug 9, 2023, 12:32:51 PM
to zaprox...@googlegroups.com
I installed the latest ZAP on my laptop.
So it turns out ZAP got a 500 Internal Error and marked it as CSP not set. I don't yet know why it got the error when using curl returns the page correctly, but regardless, should a 500 error trigger this alert?

psiinon

Aug 9, 2023, 12:37:26 PM
to zaprox...@googlegroups.com
If the 500 page does not have CSP set then ZAP will report it.
I've seen error pages that are vulnerable to XSS :)
Whether you consider this to be a problem you want to fix is your decision...



--
ZAP Project leader
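The point Simon makes above is that the check applies to every response, error pages included, and that only the standard Content-Security-Policy header counts. The following is an added example (not ZAP's scan rule and not code from this thread) that parses raw `curl -i` style output and reports, per response, whether the standard header is present, whether only the legacy X-Content-Security-Policy / X-WebKit-CSP names are set, and whether the response is an error page; the three responses are constructed samples modelled on the headers shown earlier in the thread.

```python
"""Check HTTP responses for a Content-Security-Policy header, including error pages."""
from typing import Dict, Tuple

STANDARD_HEADER = "content-security-policy"
# Legacy, browser-prefixed names from the alert text; modern browsers ignore them.
LEGACY_HEADERS = ("x-content-security-policy", "x-webkit-csp")


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response (as printed by `curl -i`) into status code and headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 500 Internal Server Error" -> 500
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return status, headers


def check_csp(raw: str) -> Dict[str, object]:
    """Return what a scanner would need to decide on a 'CSP Header Not Set' finding."""
    status, headers = parse_response(raw)
    csp_set = STANDARD_HEADER in headers
    return {
        "status": status,
        "csp_set": csp_set,
        # Only the deprecated names are present: still a finding for current browsers.
        "legacy_only": (not csp_set) and any(h in headers for h in LEGACY_HEADERS),
        # Error pages are served to browsers too, so they get the same check.
        "is_error_page": status >= 400,
    }


# Constructed sample responses (not captured from any real host).
OK_WITH_CSP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: script-src 'self';object-src 'self';form-action 'self'\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n\r\n<html>login</html>"
)
ERROR_WITHOUT_CSP = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n\r\n<html>error</html>"
)
LEGACY_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Security-Policy: script-src 'self'\r\n"
    "X-WebKit-CSP: script-src 'self'\r\n\r\n<html>old</html>"
)

if __name__ == "__main__":
    for name, raw in (("ok", OK_WITH_CSP), ("500", ERROR_WITHOUT_CSP), ("legacy", LEGACY_ONLY)):
        print(name, check_csp(raw))
```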

Binh Nguyen

Aug 9, 2023, 1:09:28 PM
to zaprox...@googlegroups.com
Thanks for your help Simon. I'll work on this.
Binh
