
Security: Strengthen Content Security Policy (CSP) to Address ZAP Rule 10055 Medium

Open · aasimsyed opened this issue 6 months ago · 1 comment

Terms

  • [x] I have searched all open bug reports
  • [x] I agree to follow activist's Code of Conduct

Behavior

report_md.md

Description

The ZAP automated security scan (Plugin ID 10055) has identified a medium-severity vulnerability related to the Content Security Policy (CSP) on https://www.activist.org/en/. While a CSP header is present, several directives are either too permissive, undefined, or allow wildcard sources. This reduces CSP's effectiveness against Cross-Site Scripting (XSS) and data injection attacks.

Vulnerability Details

  • ZAP Plugin ID: 10055
  • CWE ID: 693 (Protection Mechanism Failure)
  • WASC ID: 15
  • Severity: Medium
  • URL(s) Affected: https://www.activist.org/en/ (and potentially other pages site-wide)
  • HTTP Method: GET
  • Parameter/Header: Content-Security-Policy

Observed CSP Header (from ZAP Evidence):

base-uri 'none';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data: blob:;
object-src 'none';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
script-src 'self' https: 'unsafe-inline' 'strict-dynamic'
  'sha256-UF0+4wi31il2zSoH7bScbr9k2Wd6ctrBUoRctkr/xw8='
  'sha256-kjYU7oJrfxJSKQ8muVBxhDxo3hEVNK61RlzFYSc0+Pw='
  'sha256-zrMkqwmFiDMh5HQ3TK/SdamqwXXwMZ7DL6mgURMsmho='
  'sha384-Z/t9v8FLvNAiKcVfCYb7+1vNl7S01OK/e81Hg128cavj4aNvNz+jWSntpzjNYdiQ'
  'sha256-7QIjPOpXT97VD5NmIGqI7WTiAFunWN1i1ifDHVp5i+g=';
upgrade-insecure-requests;

Directives Flagged by ZAP ("Other Info"): The following directives are reported as allowing wildcard sources, being undefined, or overly broadly defined:

  • style-src (allows 'unsafe-inline' and broad https:)
  • connect-src (undefined, falls back to default-src)
  • frame-src (undefined, falls back to default-src)
  • font-src (flagged as overly broad, likely due to general https:)
  • media-src (undefined, falls back to default-src)
  • manifest-src (undefined, falls back to default-src)
  • worker-src (undefined, falls back to default-src)

Impact

An improperly configured CSP can fail to prevent the loading of malicious resources from untrusted sources, increasing the risk of:

  • Cross-Site Scripting (XSS) attacks.
  • Data injection and potential data theft.
  • Site defacement or distribution of malware.

The presence of 'unsafe-inline' in style-src is a key concern. The undefined or overly permissive nature of other directives (connect-src, frame-src, etc.) could allow the application to interact with unexpected or malicious domains for those resource types.

Recommended Steps

  1. Review and Restrict All CSP Directives:
    • Explicitly define all relevant CSP directives in settings.py using django-csp.
    • Apply the principle of least privilege for each directive, only allowing necessary sources.
    • Avoid wildcards (*).
    • Prioritize removing 'unsafe-inline' from style-src. Use external CSS files, or hashes/nonces for inline styles.
    • Review script-src: While hashes and 'strict-dynamic' are used, ensure the initial 'unsafe-inline' is effectively overridden or removed if possible.
    • Set any unused directives to 'none'.
  2. Verify Django Configuration:
    • Ensure django-csp is correctly installed and configured in INSTALLED_APPS and MIDDLEWARE in backend/core/settings.py.
    • The CSP directives should be defined using CSP_* variables as per django-csp documentation.
  3. Thorough Testing:
    • After applying changes, rigorously test all site functionality.
    • Monitor the browser's developer console for any CSP violation reports to ensure legitimate resources are not blocked.
  4. Consider Report-Only Mode:
    • Initially, deploy the updated CSP in report-only mode (CSP_REPORT_ONLY = True) to gather data on potential violations without blocking content.
  5. Re-scan:
    • Perform another ZAP scan (or similar security scan) to confirm the vulnerability is remediated.

References

Environment

  • Application Backend: Django
  • CSP Library (intended): django-csp

Labels: security, bug, CSP, medium-severity, ZAP-scan

aasimsyed · May 10 '25 19:05
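As an added example (not the activist project's code, and not ZAP's scanner), the following script reproduces the reasoning behind the "Other Info" list above: it parses the observed header, applies the CSP3 fallback chains to find directives that are undefined or inherit a broad value, flags scheme-only sources such as `https:` and `'unsafe-inline'` (with the `'strict-dynamic'` caveat from step 1), and then serializes a hardened policy and maps it to `CSP_*` settings. Assumptions: the `CSP_*` / `CSP_REPORT_ONLY` naming follows django-csp 3.x and must be checked against the version pinned in the repository; the `HARDENED` policy is a constructed least-privilege starting point, not the project's real allow-list, and would need the site's actual third-party origins added before deployment.

```python
"""Parse, audit and rebuild a Content-Security-Policy header (constructed example)."""
from __future__ import annotations

# CSP3 fallback chains: an undefined directive is governed by the first directive
# in its chain that is defined; if none is defined, that resource type is unrestricted.
FALLBACK: dict[str, list[str]] = {
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "img-src": ["default-src"],
    "font-src": ["default-src"],
    "connect-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "manifest-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}
# Sources that allow any host on a scheme: what ZAP 10055 calls "wildcard sources".
NETWORK_SCHEMES = {"*", "http:", "https:", "ws:", "wss:"}

# Header value quoted in the issue (ZAP evidence), verbatim.
OBSERVED_HEADER = """base-uri 'none';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data: blob:;
object-src 'none';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
script-src 'self' https: 'unsafe-inline' 'strict-dynamic'
  'sha256-UF0+4wi31il2zSoH7bScbr9k2Wd6ctrBUoRctkr/xw8='
  'sha256-kjYU7oJrfxJSKQ8muVBxhDxo3hEVNK61RlzFYSc0+Pw='
  'sha256-zrMkqwmFiDMh5HQ3TK/SdamqwXXwMZ7DL6mgURMsmho='
  'sha384-Z/t9v8FLvNAiKcVfCYb7+1vNl7S01OK/e81Hg128cavj4aNvNz+jWSntpzjNYdiQ'
  'sha256-7QIjPOpXT97VD5NmIGqI7WTiAFunWN1i1ifDHVp5i+g=';
upgrade-insecure-requests;
"""
# Directives ZAP listed under "Other Info" in the issue.
ZAP_FLAGGED = {"style-src", "connect-src", "frame-src", "font-src",
               "media-src", "manifest-src", "worker-src"}

# Constructed least-privilege starting point (assumption, not the project's allow-list).
HARDENED: dict[str, list[str]] = {
    "default-src": ["'none'"],
    "base-uri": ["'none'"],
    "script-src": ["'self'"],
    "script-src-attr": ["'none'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:", "blob:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "frame-src": ["'none'"],
    "media-src": ["'none'"],
    "manifest-src": ["'self'"],
    "worker-src": ["'self'"],
    "object-src": ["'none'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'self'"],
    "upgrade-insecure-requests": [],
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [sources]}; newlines count as whitespace."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: dict[str, list[str]]) -> str:
    """Rebuild a header value; value-less directives (upgrade-insecure-requests) are kept."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def audit_csp(policy: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (directive, problem) pairs approximating ZAP 10055's 'Other Info' list."""
    findings: list[tuple[str, str]] = []
    for directive, chain in FALLBACK.items():
        if directive in policy:
            sources = policy[directive]
        else:
            governing = next((d for d in chain if d in policy), None)
            if governing is None:
                findings.append((directive, "undefined and no default-src: unrestricted"))
                continue
            findings.append((directive, f"undefined, falls back to {governing}"))
            sources = policy[governing]  # audit the inherited sources too
        wild = [s for s in sources if s in NETWORK_SCHEMES]
        if wild:
            findings.append((directive, f"wildcard source(s): {' '.join(wild)}"))
        if "'unsafe-inline'" in sources and directive in ("script-src", "style-src"):
            if "'strict-dynamic'" in sources:
                # CSP3 browsers ignore 'unsafe-inline' and host/scheme entries when
                # 'strict-dynamic' is present; older browsers still honour them.
                findings.append((directive, "'unsafe-inline' present; ignored by CSP3 browsers "
                                            "due to 'strict-dynamic', honoured by older ones"))
            else:
                findings.append((directive, "'unsafe-inline' allows any inline code"))
    return findings


def to_django_csp_settings(policy: dict[str, list[str]], report_only: bool = True) -> dict:
    """Map a policy to django-csp 3.x style CSP_* settings (assumed naming; verify locally)."""
    settings: dict = {"CSP_REPORT_ONLY": report_only}  # step 4: report-only first
    for name, sources in policy.items():
        key = "CSP_" + name.upper().replace("-", "_")
        settings[key] = True if not sources else tuple(sources)
    return settings


if __name__ == "__main__":
    for directive, problem in audit_csp(parse_csp(OBSERVED_HEADER)):
        print(f"{directive}: {problem}")
    print(serialize_csp(HARDENED))
```

Run against the observed header, the audit reports every directive in ZAP's list (plus `script-src`, because of the `'strict-dynamic'` interaction step 1 asks to review) and nothing for `img-src` or `object-src`; run against the hardened policy it reports nothing, which is the condition to aim for before the re-scan in step 5.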

Hallo @aasimsyed! Thanks for opening this issue. It's fantastic to see progress with the pen tests!

For the frontend: If you have interest, you can look at the frontend/nuxt.config.ts file and look at the security section. This section configures the nuxt-security module that we recently implemented for the frontend. There is a contentSecurityPolicy key/dictionary that specifically configures the directives mentioned in the pen test results.

The defaults for the nuxt-security module are listed here and provide a really good starting point for configuring the directives. I think the unsafe-inline setting is a default, so that might be something to look at and possibly correct.

For the backend: I'm not really sure how much of a role Django plays in this; Tobi and Andrew should be able to give further details.

Again, thanks for looking into this!

mattburnett-repo · May 11 '25 00:05