Create rule S7039: Content Security Policies should be restrictive (#4104)
This commit is contained in:
parent d5f68da6f8
commit a05bc3b14e
18
rules/S7039/common/fix/least_privilege.adoc
Normal file
@ -0,0 +1,18 @@
To fix an insecure Content Security Policy (CSP), you should adhere to the
principle of least privilege. This principle states that a user should be given
the minimum levels of access necessary to complete their tasks. In the context
of CSP, this means restricting the sources from which content can be loaded to
the minimum necessary.

Here are some steps to secure your CSP:

* Avoid 'unsafe-inline' and 'unsafe-eval': These settings allow inline scripts
and script evaluation, which can open the door for executing malicious scripts.
Instead, use script hashes, nonces, or strict dynamic scripting if scripts must
be used.
* Specify exact sources: Rather than using a wildcard (*) which allows any domain,
specify the exact domains from which resources can be loaded. This reduces the
risk of loading resources from potentially malicious sources.
* Use 'self' cautiously: While 'self' is safer than a wildcard, it can still lead
to vulnerabilities if your own site has been compromised or hosts user-uploaded
content. Be sure to validate and sanitize all user content.
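Review bot: "strict dynamic scripting" in the first bullet is not the name of anything a reader can look up; the CSP source expression is `'strict-dynamic'`, and it only works together with a nonce or hash on the initial script, so I would write it as the keyword and say so in the same sentence. The same bullet recommends hashes and nonces without the two constraints that decide whether they help: a hash covers the exact byte content of one script block and must be recomputed whenever that script changes, and a nonce must be freshly generated per response (a fixed nonce is equivalent to 'unsafe-inline'). One sentence on each would keep the fix guidance from being applied in a way that silently defeats the rule.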
4
rules/S7039/common/resources/docs.adoc
Normal file
@ -0,0 +1,4 @@
=== Documentation

* MDN web docs - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP[Content Security Policy (CSP)]
* CSP docs - https://content-security-policy.com/hash/[Using a hash with CSP]
7
rules/S7039/common/resources/standards.adoc
Normal file
@ -0,0 +1,7 @@
=== Standards

* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[Top 10 2017 Category A6 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/693[CWE-693 - Protection Mechanism Failure]
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222602[Application Security and Development: V-222602] - The application must protect from Cross-Site Scripting (XSS) vulnerabilities.

2
rules/S7039/csharp/metadata.json
Normal file
@ -0,0 +1,2 @@
{
}
51
rules/S7039/csharp/rule.adoc
Normal file
@ -0,0 +1,51 @@
== Why is this an issue?

include::../rationale.adoc[]

include::../impact.adoc[]

== How to fix it

=== Code examples

==== Noncompliant code example

[source,html,diff-id=1,diff-type=noncompliant]
----
<HeadContent>
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self';
default-src 'self';
img-src data: https:;
object-src 'none';
script-src 'self' 'unsafe-inline'; <!-- Noncompliant -->
style-src 'self';
upgrade-insecure-requests;">
</HeadContent>
----

==== Compliant solution

[source,html,diff-id=1,diff-type=compliant]
----
<HeadContent>
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self';
default-src 'self';
img-src data: https:;
object-src 'none';
script-src 'self' 'sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=';
style-src 'self';
upgrade-insecure-requests;">
</HeadContent>
----

=== How does this work?

include::../common/fix/least_privilege.adoc[]

== Resources

include::../common/resources/docs.adoc[]

include::../common/resources/standards.adoc[]
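Review bot: the compliant solution keeps `img-src data: https:;`, which admits images from any HTTPS origin plus data: URIs, while the "How does this work?" section included right below tells the reader to "specify the exact domains" instead of broad sources; either tighten that directive in the compliant block or state explicitly that the rule only reports the `script-src` keyword so the example and the guidance do not contradict each other. The compliant block also shows a `'sha256-…'` value without the inline script it was computed over, so a reader cannot see that the hash is bound to that script's exact contents and must be regenerated on every edit; adding the corresponding `<script>` element (or a note that the hash belongs to one specific inline script) would make the fix reproducible. Minor: the `<!-- Noncompliant -->` marker sits inside the `content="…"` attribute value, so in the example as written it is part of the policy string rather than an HTML comment; since both blocks share `diff-id=1`, moving the marker outside the attribute keeps the rendered diff limited to the `'unsafe-inline'` to hash change.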
21
rules/S7039/impact.adoc
Normal file
@ -0,0 +1,21 @@
=== What is the potential impact?

An insecure Content Security Policy (CSP) can increase the potential severity of
other vulnerabilities in the system. For instance, if an attacker manages to
exploit a Cross-Site Scripting (XSS) vulnerability, an insecure CSP might not
provide the intended additional protection.

The impact of a successful XSS attack can be severe. XSS allows an attacker to
inject malicious scripts into web pages viewed by other users. These scripts can
then be used to steal sensitive information like session cookies, personal data,
or credit card details, leading to identity theft or financial fraud.

Moreover, XSS can be used to perform actions on behalf of the user without their
consent, such as changing their email address or password, or making
transactions. This can lead to unauthorized access and potential loss of control
over user accounts.

In addition, an insecure CSP that allows loading resources from arbitrary
domains could potentially expose sensitive user data to untrusted sources. This
could lead to data breaches, which can have serious legal and reputational
consequences.
46
rules/S7039/metadata.json
Normal file
@ -0,0 +1,46 @@
{
"title": "Content Security Policies should be restrictive",
"type": "VULNERABILITY",
"code": {
"impacts": {
"SECURITY": "MEDIUM"
},
"attribute": "COMPLETE"
},
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-7039",
"sqKey": "S7039",
"scope": "All",
"securityStandards": {
"CWE": [
693
],
"OWASP": [
"A6"
],
"OWASP Top 10 2021": [
"A5"
],
"PCI DSS 3.2": [
"6.5.7"
],
"PCI DSS 4.0": [
"6.2.4"
],
"ASVS 4.0": [
"5.3.3"
],
"STIG ASD_V5R3": [
"V-222602"
]
},
"defaultQualityProfiles": ["Sonar way"],
"quickfix": "unknown"
}
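Review bot: the `"ASVS 4.0": ["5.3.3"]` mapping looks like the wrong requirement for this rule; 5.3.3 is the output-encoding requirement for XSS, whereas the ASVS 4.0 requirement that asks for a restrictive Content Security Policy response header is 14.4.3, so please double-check the intended reference and align it with the `"CWE": [693]` and OWASP entries, which do match the resources/standards.adoc list in this same commit. The `"tags"` array is also empty; if this repository tags rules by the standards they map to, the list above gives the obvious candidates.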
15
rules/S7039/rationale.adoc
Normal file
@ -0,0 +1,15 @@
The Content Security Policy (CSP) is a computer security standard that serves as
an additional layer of protection against various types of attacks, including
Cross-Site Scripting (XSS) and clickjacking. It provides a set of standard
procedures for loading resources by user agents, which can help to mitigate the
risk of content injection vulnerabilities.

However, it is important to note that CSP is not a primary line of defense, but
rather a safety net that catches attempts to exploit vulnerabilities that exist
in the system despite other protective measures. An insecure CSP does not
automatically imply that the website is vulnerable, but it does mean that this
additional layer of protection is weakened.

A CSP can be considered insecure if it allows potentially harmful practices,
such as inline scripts or loading resources from arbitrary domains. These
practices can increase the risk of content injection attacks.