HawkScan Test Info for CSP Scanner: Wildcard Directive

CSP Scanner: Wildcard Directive

Reference

Plugin Id: 10055 | CWE: 693

Remediation

To remediate the vulnerability “CSP Scanner: Wildcard Directive”, you should follow these steps:

  1. Review and update the CSP directives: Review the Content Security Policy (CSP) directives in your application’s configuration and identify any wildcard sources or overly broad definitions. Specifically, check the frame-ancestors directive.

  2. Remove or restrict wildcard sources: Remove any wildcard sources or overly broad definitions from the frame-ancestors directive. Instead, specify the exact sources or domains that are allowed to frame your application.

  3. Define specific sources: Define specific sources or domains in the frame-ancestors directive using the 'self' keyword or by specifying the exact origins. This limits the sources that can frame your application and reduces the risk of unauthorized framing.

  4. Test and validate: After making the necessary changes, thoroughly test and validate your application to ensure that the CSP directives are correctly configured and that the vulnerability has been remediated.

About

The vulnerability “CSP Scanner: Wildcard Directive” refers to the presence of wildcard sources or overly broad definitions in the frame-ancestors directive of the Content Security Policy (CSP) configuration. The frame-ancestors directive, delivered in the Content-Security-Policy HTTP response header, specifies the sources that are allowed to frame your application. Browsers honour frame-ancestors only when it arrives in the HTTP header; it is ignored in a <meta http-equiv> element, and it does not fall back to default-src when absent.

Allowing wildcard sources or using overly broad definitions in the frame-ancestors directive can pose a security risk by allowing unauthorized framing of your application. This can lead to clickjacking attacks or other malicious activities where an attacker embeds your application within their own website to deceive users or perform unauthorized actions.

Risks

The risks associated with the vulnerability “CSP Scanner: Wildcard Directive” include:

  1. Clickjacking attacks: Allowing wildcard sources or overly broad definitions in the frame-ancestors directive can enable clickjacking attacks. Attackers can frame your application within their own website, tricking users into performing actions they did not intend to.

  2. Unauthorized framing: Wildcard sources or overly broad definitions in the frame-ancestors directive can allow unauthorized framing of your application. This can lead to the misrepresentation of your application or the unauthorized use of its content.

  3. Security bypass: If wildcard sources are allowed in the frame-ancestors directive, it may be possible for an attacker to bypass other security measures implemented in your application by embedding it within their own website.

Example of a CSP configuration with wildcard sources in the frame-ancestors directive:

Content-Security-Policy: frame-ancestors *

Example of a CSP configuration with specific sources in the frame-ancestors directive:

Content-Security-Policy: frame-ancestors 'self' https://example.com
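The following checker is an added example written for this page; it is not part of HawkScan or the scanner plugin above. It implements the review in remediation steps 1 to 4 and distinguishes the two example headers shown: it parses a Content-Security-Policy header value, looks for the frame-ancestors directive, and reports a wildcard source ('*'), a scheme-only source such as 'https:' (any host on that scheme may frame the page), a subdomain wildcard such as '*.example.com', or a missing directive (frame-ancestors does not inherit from default-src). The sample header values at the bottom are constructed for the example.

```python
import re

# Scheme-only source expression, e.g. "https:" -- permits every host on that scheme.
SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.IGNORECASE)


def parse_csp(header_value):
    """Split a Content-Security-Policy header value into {directive: [sources]}.

    Directive names are case-insensitive; per the CSP spec only the first
    occurrence of a directive name is honoured, so duplicates are ignored.
    """
    directives = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def check_frame_ancestors(header_value):
    """Return a list of finding strings for the frame-ancestors directive.

    An empty list means the directive is present and restricts framing to
    explicitly listed sources (or forbids it entirely).
    """
    directives = parse_csp(header_value)
    if "frame-ancestors" not in directives:
        # frame-ancestors has no default-src fallback: absence means framing
        # is unrestricted by CSP (X-Frame-Options, if any, is checked separately).
        return ["frame-ancestors directive missing; CSP does not restrict framing"]

    sources = directives["frame-ancestors"]
    # 'none' (or an empty source list, which matches nothing) forbids all framing.
    if not sources or [s.lower() for s in sources] == ["'none'"]:
        return []

    findings = []
    for src in sources:
        if src == "*":
            findings.append("wildcard source '*' lets any origin frame the page")
        elif SCHEME_ONLY.match(src):
            findings.append(
                f"scheme-only source {src!r} lets any {src[:-1]} host frame the page")
        elif src.startswith("*."):
            findings.append(
                f"subdomain wildcard {src!r} lets every subdomain frame the page")
    return findings


# Constructed sample header values (not captured from any real site).
SAMPLE_HEADERS = {
    "wildcard": "frame-ancestors *",
    "specific": "frame-ancestors 'self' https://example.com",
    "scheme_only": "default-src 'self'; frame-ancestors https:",
    "subdomain_wildcard": "frame-ancestors 'self' *.example.com",
    "missing": "default-src 'self'; script-src 'self'",
    "none": "frame-ancestors 'none'",
}


def scan_samples(samples=SAMPLE_HEADERS):
    """Run the check over each sample and return {name: findings}."""
    return {name: check_frame_ancestors(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        status = "OK " if not findings else "FAIL"
        print(f"[{status}] {name}: {SAMPLE_HEADERS[name]}")
        for finding in findings:
            print(f"         - {finding}")
```

Running the block as a script prints one line per sample with its findings; the "specific" and "none" samples are the only ones that pass, which matches the remediated header shown above. To use it in step 4 of the remediation, feed it the live Content-Security-Policy header returned by your application after the change.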