Skip to content

GitLab

Open
Created by test@project_221_botMaintainer

Acunetix - Content Security Policy (CSP) not implemented
Target URL https://baogiaothong.vn
Severity Informational Alert
Affects

https://baogiaothong.vn/

Attack Details
HTTP Request
GET / HTTP/1.1
Referer: https://baogiaothong.vn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9, * / * ;q=0.8
Accept-Encoding: gzip,deflate
Host: baogiaothong.vn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
Vulnerability Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for the all of the types of resources that your site utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as from the jQuery library from their CDN, the CSP header could look like the following:

Content-Security-Policy:
    default-src 'self';
    script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing from the response. It's recommended to implement Content Security Policy (CSP) into your web application.

Impact

CSP can be used to prevent and/or mitigate attacks that involve content/code injection, such as cross-site scripting/XSS attacks, attacks that require embedding a malicious resource, attacks that involve malicious use of iframes, such as clickjacking attacks, and others.

Remediation

It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page.

References
Content Security Policy (CSP)
Implementing Content Security Policy