CSP: Wildcard Directive not scanning meta tag in html


Sathya Duraisamy

Mar 3, 2022, 4:54:13 AM3/3/22
to OWASP ZAP User Group
Hi,

We get the following alert on one of our URLs when we run a ZAP scan.

The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:

script-src, style-src, img-src, connect-src, frame-src, font-src, media-src, object-src, manifest-src, worker-src, prefetch-src, form-action

The directive(s): form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything.

And we tried to fix this by adding <meta http-equiv="Content-Security-Policy" content="form-action 'self';"> in our CSP file, but ZAP still reports the above alert. Does ZAP scan the HTML meta tags for CSP-related alerts?

BR,
Sathya D


Sathya Duraisamy

Mar 3, 2022, 6:01:53 AM3/3/22
to OWASP ZAP User Group
I also tried to add all the missing directives along with form-action to the HTML, but I still end up with the alert:
<meta http-equiv="Content-Security-Policy" content="frame-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self';">

kingthorin+owaspzap

Mar 3, 2022, 9:59:54 AM3/3/22
to OWASP ZAP User Group
No, META is not currently assessed. Because there isn't a good way to union two policies, and if we also had to evaluate meta it would result in a whole slew of other alerts/issues for missing directives. Plus there are lots of directives that are simply not applicable when specified via meta. (Basically, using meta tags is just a horrible way to deal with CSP; although it's "allowed", it really isn't the preferred industry standard.... for my 2 cents anyway.)

Travis Spencer

Mar 10, 2022, 9:19:23 AM3/10/22
to OWASP ZAP User Group
On Thursday, March 3, 2022 at 3:59:54 PM UTC+1 kingthorin+owaspzap wrote:
> No, META is not currently assessed. Because there isn't a good way to union two policies,

The spec says how to union them. Is there some ambiguity in the spec?

> and if we also had to evaluate meta it would result in a whole slew of other alerts/issues for missing directives.

Why is that the case? Can you give an example?

> Plus there are lots of directives that are simply not applicable when specified via meta.

I see only three:

1. report-uri,
2. frame-ancestors, and
3. sandbox

See the note in section 3.3 of the previously linked spec.

> (Basically, using meta tags is just a horrible way to deal with CSP; although it's "allowed", it really isn't the preferred industry standard.... for my 2 cents anyway.)

It's part of the spec, in any case, and useful in securing applications in various scenarios. By ignoring this part of the spec, ZAP is reporting false alarms, diminishing its value and usefulness. My 2 cents anyway.

kingthorin+owaspzap

Mar 11, 2022, 9:01:28 PM3/11/22
to OWASP ZAP User Group
For details about unioning (well, intersecting) see: https://github.com/shapesecurity/salvation/issues/242#issuecomment-672946821 (I guess there's a chance they're wrong; I was trusting them to know the spec(s) better than I do.)

I was suggesting if we also had to evaluate meta we'd have to evaluate it as a separate policy (due to the union issue mentioned). Thus what is missed in one would be reported impacting the other and vice versa.

If the library we depend on adds a way to union (intersect) multiple policies then we'll definitely handle doing so.

In the meantime I can look at some initial META support that looks for unsupported directives, misplacement of the tag, etc. (I'll have to read further and see if there really are only 3 these days; I really thought I'd previously read more, but that could have been v2 or more of a random Joe argument).
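
To make the combination rules under discussion concrete, here is an added example in JavaScript. It is not ZAP's or Salvation's code and was not posted by anyone in this thread. It models three things the thread touches on: a user agent drops report-uri, frame-ancestors and sandbox from a policy delivered via <meta>; a request must satisfy every policy present (header and meta), so combining policies is an intersection of what each allows; and form-action does not fall back to default-src, so a header without it leaves form submissions unrestricted until a second policy supplies it. The header policy, the meta policy and the https://app.example origin are constructed for the example, and the source-expression matcher is deliberately minimal (no port or path matching, and the frame-src/worker-src fallback hops are collapsed into default-src).

```javascript
// Added example: how a user agent combines several CSP policies (header + <meta>)
// and how a scanner could evaluate them together. Not ZAP or Salvation code;
// the header/meta policies and the https://app.example origin are constructed.

// Directives a UA ignores when the policy arrives via <meta http-equiv>
// (HTML spec, "Content security policy state", step 4).
const META_DISALLOWED = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// Fetch directives that fall back to default-src when absent. Simplified: the
// intermediate child-src/script-src hops for frame-src and worker-src are
// collapsed into default-src. form-action, base-uri, frame-ancestors, sandbox
// and report-uri never fall back: if missing, nothing is restricted.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "connect-src", "font-src", "media-src",
  "object-src", "frame-src", "worker-src", "manifest-src", "prefetch-src", "child-src",
]);

// Parse a serialized policy; the first occurrence of a directive name wins, and
// meta-disallowed directives are dropped when source === "meta".
function parsePolicy(serialized, source) {
  const directives = new Map();
  for (const part of serialized.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (source === "meta" && META_DISALLOWED.has(name)) continue;
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return { source, directives };
}

// Minimal source-expression matcher: 'none', 'self', *, scheme-source and
// host-source with an optional *. wildcard. Ports and paths are not matched.
function sourceAllows(expr, url, selfOrigin) {
  const target = new URL(url);
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === selfOrigin;
  if (expr === "*") return !["data:", "blob:", "filesystem:"].includes(target.protocol);
  if (expr.startsWith("'")) return false; // nonces, hashes, 'unsafe-*' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::\d+)?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ":") return false;
  const h = target.hostname.toLowerCase(), want = host.toLowerCase();
  return wildcard ? h.endsWith("." + want) : h === want;
}

// The directive that governs `name` in one policy, after fallback; null means
// this policy places no restriction on it.
function effectiveDirective(policy, name) {
  if (policy.directives.has(name)) return { name, values: policy.directives.get(name) };
  if (FALLS_BACK_TO_DEFAULT.has(name) && policy.directives.has("default-src"))
    return { name: "default-src", values: policy.directives.get("default-src") };
  return null;
}

function policyAllows(policy, directive, url, selfOrigin) {
  const eff = effectiveDirective(policy, directive);
  return eff === null || eff.values.some((v) => sourceAllows(v, url, selfOrigin));
}

// Multiple policies are enforced independently and a request must satisfy
// every one of them, so the combined effect is the intersection of what each
// allows. Adding a policy can only tighten, never loosen.
function allPoliciesAllow(policies, directive, url, selfOrigin) {
  return policies.every((p) => policyAllows(p, directive, url, selfOrigin));
}

// Scanner-style check in the spirit of the ZAP alert quoted above: a directive
// is reported when no policy in the set governs it, or every governing value
// list contains a bare wildcard.
const CHECKED = ["script-src", "style-src", "img-src", "connect-src", "frame-src",
  "font-src", "media-src", "object-src", "manifest-src", "worker-src",
  "prefetch-src", "form-action"];

function weakDirectives(policies) {
  return CHECKED.filter((name) => policies.every((p) => {
    const eff = effectiveDirective(p, name);
    return eff === null || eff.values.includes("*");
  }));
}

// Constructed sample: a header policy and a <meta> policy on the same page.
const SELF = "https://app.example";
const header = parsePolicy("default-src 'self'; script-src 'self' https://cdn.example", "header");
const meta = parsePolicy("form-action 'self'; frame-ancestors 'none'; prefetch-src 'self'", "meta");

console.log("header only:", weakDirectives([header]));          // [ 'form-action' ]
console.log("header + meta:", weakDirectives([header, meta]));  // []
console.log("meta kept frame-ancestors?", meta.directives.has("frame-ancestors")); // false
console.log("cross-origin form post allowed?",
  allPoliciesAllow([header, meta], "form-action", "https://evil.example/steal", SELF)); // false
```

Evaluated against the header alone, only form-action is reported, because every other listed directive inherits default-src 'self' while form-action has no fallback. Once the meta policy is evaluated alongside it, the list is empty, the frame-ancestors 'none' in the meta tag has been silently discarded, and a form posting to a foreign origin is refused because the meta policy denies it even though the header says nothing about it. A scanner that evaluated the meta policy in isolation instead would report every directive it lacks, which is the flood of spurious alerts described in the reply above.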

Travis Spencer

Mar 21, 2022, 6:46:26 AM3/21/22
to OWASP ZAP User Group
I have been playing with this library, and see what you mean about it having a very focused API. It can't be used to fetch CSP from an HTTP endpoint, it can't find all the policies from headers and meta tags, and it can't union/intersect any policies for you. Despite it being very focused, I did not find it hard to fill this gap. I won't go into fetching and parsing HTML documents over HTTP, but the merging and eval part went something like this:

First, I wanted to track the source of the serialized policies (headers and meta). I did this using a little data class:

// Imports used by the snippets below (Salvation 3.x package name).
import java.util.Collection;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import com.shapesecurity.salvation2.Policy;

// Serialized policies, kept apart by where they were found so that
// meta-specific rules can be applied before deserialization.
record SerializedCspValues(Collection<String> headers, Collection<String> meta)
{
}

After fetching the HTML into an instance of the above record, I would process the results like this:

private static SerializedCspValues process(SerializedCspValues unprocessedSerializedCspValues)
{
    // Cf. https://html.spec.whatwg.org/#attr-meta-http-equiv-content-security-policy step 4
    // Drop the directives a UA ignores in a meta-delivered policy; headers are kept as-is.
    var meta = unprocessedSerializedCspValues.meta().stream()
            .filter(PolicyValidator::removeDisallowedDirectives)
            .collect(Collectors.toList());

    SerializedCspValues serializedCspValues = new SerializedCspValues(unprocessedSerializedCspValues.headers(), meta);

    return serializedCspValues;
}

Later, I would deserialize these into a Salvation Policy like this:

public Collection<Policy> deserialize(SerializedCspValues serializedCspValues)
{
    var policies = Stream.concat(serializedCspValues.meta().stream(),
                                 serializedCspValues.headers()
                                         .stream())
            .map(it -> Policy.parseSerializedCSP(it, _policyStatusCollector))
            .collect(Collectors.toList());

    return policies;
}

Then, I would process them all against a set of rules:

public boolean validate(Rules rules)
{
    // _policies is a Collection<Policy> type obtained
    // from the deserializer shown above; every policy must satisfy the rules

    return _policies.stream().allMatch(rules::match);
}

If any of these rules didn't match, I'd print the warnings/errors obtained from the Policy.PolicyErrorConsumer object (shown above as _policyStatusCollector).

From this, I think it's a small and straightforward job to update ZAP to support CSP in meta tags. If you send a branch, repo, etc., Sathya or I can help with this. If a complete example of what I did would be more useful, I can post that online somewhere. Just let us know what we can do to help.

kingthorin+owaspzap

May 27, 2022, 9:18:30 AM5/27/22
to OWASP ZAP User Group