Forum Discussion
NimbostratusCSP vulnerabilities on Main url
Hello,
I am looking for CSP vulnerabilities and their impact on on main URLs (cannot browsed) which is redirected to another accessible url.
4 Replies
- Daniel_Wolf
MVP
Hi SantriMantri,
this is no question with a yes or no answer. Depends on the kind of redirect, the browser and ... I'm not a pen tester, but for sure there are more dependencies.
If you are interested in general, start reading this:- https://www.gremwell.com/firefox-xss-302
- https://portswigger.net/kb/issues/00500100_open-redirection-reflected
KR
Daniel - zamroni777
- Lidev
Nacreous
To complete, here is the principale attacks using CSP bypass :
- Cross-Site Scripting
- Clickjacking
- Reflected XSS
- DOM-Based XSS attacks
A good ressource to understand theses vulnerability is hacksplaining.com 😉
- Egranty
XSS vulnerabilities in server redirects (not JavaScript redirects) are based on errors in the browser itself (its interpretation of the Location: url header when there are unexpected characters). Therefore, this is the subject of a bug bounty, and we learn about vulnerabilities when they are already fixed.
Since redirect pages with 3xx codes may be potentially vulnerable to XSS, it is recommended to publish a restrictive CSP header like:
Content-Security-Policy: default-src 'none'; base-uri 'self';simultaneously with redirect header. This will secure the site if new vulnerabilities are discovered.
Moreover, Google publishes CSP on its redirect pages:script-src 'nonce' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; object-src 'none'; report-uri /cspreportand judging by the presence of report-uri, it detects attempts to hack redirect pages.
The CSP level 3 presents navigate-to directive to control redirects but no browser implemented it, and it was removed from the specification. Browser developers seem to consider redirection vulnerabilities have a low severinity.
