Cyber Security Informer

My Blog Now Has a Content Security Policy - Here's How I've Done It

Troy Hunt

FEBRUARY 1, 2018

I can upload whatever theme I like, but I can't control many aspects of how the platform actually executes, including how it handles response headers which is how a CSP is normally served by a site. However - and this is where we start getting into browser limitations - you can't use the report-uri directive in a meta tag.

New skimmer attack uses WebSockets to evade detection

Security Affairs

NOVEMBER 15, 2020

Once executed, a malicious JavaScript file is requested from the a C2 server (at https[:]//tags-manager[.]com/gtags/script2 The distinctive aspect of this attack is the use of WebSockets, instead of HTML tags or XHR requests, to extract the information from the compromised site that makes this technique more stealth.

Marketing

Marketing Software Hacking Accountability

Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities

Malwarebytes

SEPTEMBER 22, 2022

CVE-2022-40956 : (Low) Content-Security-Policy (CSP) base-uri bypass. When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. The HTTP CSP base-uri directive restricts the URLs which can be used in a document's <base> element.

Risk

Risk Architecture

Google addressed an XSS flaw in Gmail

Security Affairs

NOVEMBER 18, 2019

Even if AMP4Email implements a strong validator that only allows a list of tags and attributes in dynamic mails, it doesn’t implement a validation system to prevent cross-site scripting (XSS) attacks. Google in their bug bounty program, don’t actually expect bypassing CSP and pay a full bounty anyway.

Advertising

Advertising Information Security Hacking

New Pluralsight Course: Modern Web Security Patterns

Troy Hunt

APRIL 19, 2018

Me: Ok, but be conscious that means they can never change those scripts without you first modifying the integrity attribute on your script tags and you need time to push that out so as not to break the site. Another really neat modern pattern you can use is the upgrade-insecure-requests directive in CSP.

Banking

Banking DNS

Web skimmer found on website of Liquor Control Board of Ontario

Malwarebytes

JANUARY 16, 2023

The malicious code injected was inside a Google Tag Manager (GTM) snippet encoded as Base64. Malwarebytes’ Director of Threat Intelligence Jérôme Segura commented: The attack on LCBO's online portal follows a trend we've seen before of injecting malicious code disguised as legitimate snippets such as Google Tag Manager.

Retail

Retail Passwords Accountability Risk

Subresource Integrity and Upgrade-Insecure-Requests are Now Supported in Microsoft Edge

Troy Hunt

MAY 1, 2018

Edge now joins the other major browsers in rejecting any script which doesn't hash down to the value specified in the integrity tag. of the world's biggest websites using a CSP, therefore a subset of that are using the directive within there to upgrade requests. Want to see CSP level 3 supported in Edge - use it!

Government

GUEST ESSAY: Why online supply chains remain at risk — and what companies can do about it

The Last Watchdog

JUNE 30, 2021

Today’s websites integrate dozens of third-party service providers, from user analytics to marketing tags, CDNs , ads, media and these third-party services load their code and content into the browser directly. Companies like Google , Dropbox , Twitter and others have successfully adopted W3C and HTML5 security standards like CSP, SRI, etc.

Risk

Risk Architecture Hacking Marketing

CakePHP Application Cybersecurity Research – Protect Your Website from Stored XSS Attacks: Understanding and Preventing Vulnerabilities in Open-source Applications

Zigrin Security

JUNE 7, 2023

Case 3 – Event graph view MISP allows some users to create new tags that can be later on used in events and attributes. Content-Security-Policy (CSP): This header allows a web application to specify which sources of content are allowed to be loaded by the browser. The value of this header should be set to nosniff.

Cybersecurity

Cybersecurity Penetration Testing Passwords Encryption

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Troy Hunt

NOVEMBER 14, 2017

That's pretty much XSS 101 - just get an alert box to fire - and reflecting a script tag is one of the most fundamental techniques attackers use to run their script on your website. Let's take a bare bones, fundamentally basic CSP which looks like this: Content-Security-Policy: default-src 'self'. By Default, Inline Scripts Are Out.

Hacking

Hacking Risk

CakePHP Application Cybersecurity Research – Be Careful with Reflections For Your Web Application Security

Zigrin Security

JUNE 28, 2023

text between HTML tags, within a tag attribute, within a JavaScript string, etc.) Content-Security-Policy (CSP): This header allows a web application to specify which sources of content are allowed to be loaded by the browser. The value of this header should be set to nosniff.

Cybersecurity

Cybersecurity Penetration Testing Passwords Encryption

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

Troy Hunt

NOVEMBER 14, 2018

A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned (HIBP). Logging on to Report URI and being greeted with something like this: This blog post is about how add-ons and extensions in browsers cause CSP violations like the ones above and how they should be dealt with.

Media

Media Accountability Technology

How to defend your website against card skimmers

Malwarebytes

NOVEMBER 22, 2021

Subresource integrity protects against this kind of attack by using fingerprints (cryptographic hashes) to verify that elements loaded by <script> or <link> tags haven’t been altered. Without Subresource Integrity, the script tag for it would look like this: <script src="[link]. CSP isn’t perfect.

Passwords

Passwords Software Internet Internet

The Mayhem for API Difference - A ZAP - Mayhem for API Scan Comparison

ForAllSecure

SEPTEMBER 7, 2022

Errors are triggered for missing CSP Header (which may be implemented at the load balancer rather than in the API) and Anti-CSRF token (which is more of an issue when cookies are involved – not with bearer token access). Medium / Warning. The specification itself can also be modified. ignore-endpoint "^GET /createdb$". Conclusion.

Passwords

Passwords Authentication Marketing Accountability

The Mayhem for API Difference - A ZAP - API Scan Comparison

ForAllSecure

SEPTEMBER 7, 2022

Errors are triggered for missing CSP Header (which may be implemented at the load balancer rather than in the API) and Anti-CSRF token (which is more of an issue when cookies are involved – not with bearer token access). Medium / Warning. The specification itself can also be modified. ignore-endpoint "^GET /createdb$". Conclusion.

Passwords

Passwords Authentication Marketing Accountability

Report URI Just Won the Best Emerging Technology Award!

Troy Hunt

JUNE 8, 2018

Today, we're supporting hundreds of millions of reports every single day - many billions a month - and increasingly seeing some pretty big names send their CSP, HPKP, XSS, Expect-CT and Expect-Staple reports to us. Back in November, I joined him at the company and since then we've pushed out a heap of really neat features.

Technology

Technology Marketing

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Troy Hunt

JANUARY 10, 2018

No Content Security Policy (CSP). One of the first things I noticed was a total lack of content security policy (CSP). Like CAA, CSP is one of those things that still has very limited adoption, despite the value they provide.

Hacking

Hacking Government Risk Encryption

New Pluralsight Course: Defending Against JavaScript Keylogger Attacks on Payment Card Information

Troy Hunt

AUGUST 7, 2018

It later eventuated that the compromise was due to a single line of code or more specifically, a script tag on Ticketek's website that embedded a chatbot from a company called Inbenta. CSP in particular could have not only stopped that attack, but actually alerted Ticketek to it as soon as it began.

Banking

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

Troy Hunt

FEBRUARY 11, 2018

This tag was in the source code over at secure.donaldjtrump.com/donate-homepage yet it was pulling script directly off Igor Escobar's GitHub repository for the project. You can safely use an integrity attribute on your script tag because if ever we want to change the implementation, we'll simply rev the version. from its current state.

Government

Government Risk Software Technology

Cyber Security Informer

My Blog Now Has a Content Security Policy - Here's How I've Done It

New skimmer attack uses WebSockets to evade detection

Trending Sources

Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities

Google addressed an XSS flaw in Gmail

New Pluralsight Course: Modern Web Security Patterns

Web skimmer found on website of Liquor Control Board of Ontario

Subresource Integrity and Upgrade-Insecure-Requests are Now Supported in Microsoft Edge

GUEST ESSAY: Why online supply chains remain at risk — and what companies can do about it

CakePHP Application Cybersecurity Research – Protect Your Website from Stored XSS Attacks: Understanding and Preventing Vulnerabilities in Open-source Applications

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

CakePHP Application Cybersecurity Research – Be Careful with Reflections For Your Web Application Security

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

How to defend your website against card skimmers

The Mayhem for API Difference - A ZAP - Mayhem for API Scan Comparison

The Mayhem for API Difference - A ZAP - API Scan Comparison

Report URI Just Won the Best Emerging Technology Award!

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

New Pluralsight Course: Defending Against JavaScript Keylogger Attacks on Payment Card Information

Top IoT Security Solutions of 2021

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

Stay Connected