
CSP


Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

Why is the CSP necessary?

  1. Mitigating XSS Attacks

  2. Preventing Data Injection Attacks

  3. Protecting Against Clickjacking

How does CSP work?

  1. Policy Declaration:

HTTP Header: Web servers can include the CSP header in their HTTP responses. For example:

Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self' https://cdn.example.com;

Meta Tag: Alternatively, developers can include a meta tag in the HTML document to declare the CSP policy.

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self' https://cdn.example.com;">
  2. Policy Directives:

    • default-src: Specifies the default source for content that is not explicitly specified by other directives.

    • script-src: Specifies valid sources for JavaScript.

    • style-src: Specifies valid sources for stylesheets.

    • img-src: Specifies valid sources for images.

    • font-src: Specifies valid sources for fonts.

    • connect-src: Specifies valid sources for network requests (e.g., AJAX, WebSocket).

    • frame-src: Specifies valid sources for frames and iframes.

    • object-src: Specifies valid sources for plugins, like Flash.

    • And more.

  3. Source Expressions:

    • Source expressions define the allowed sources for each content type. They can be keywords such as 'self', host names such as example.com, or full URLs such as https://example.com.
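To make the declaration, directive and source-expression rules concrete, here is a small evaluator (added for this page; it is not code from the original notes or from any browser) that parses a CSP header string, resolves the default-src fallback for fetch directives, matches a URL against host, scheme, wildcard and path source expressions, and flags settings that leave scripts or plugins unrestricted. It is fed the header from the example above and the WordPress policy further down; the page origin https://www.example.com and the URLs tested are assumptions for the demonstration, and the matching rules are a simplification of the specification (for instance, the bare wildcard is treated as matching only http and https).

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "frame-src", "object-src", "media-src"}


def parse_csp(header):
    """Split a Content-Security-Policy header value into
    {directive: [source expressions]}.  Directives are ';'-separated,
    tokens are whitespace-separated and directive names are case-insensitive.
    A repeated directive is ignored (the first occurrence wins), as browsers do."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_matches(pattern, host):
    """Host-source matching: exact host, or '*.example.com' for any subdomain
    (the wildcard does not match the bare parent domain)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_allows(expr, url, page_origin):
    """Return True if one source expression permits loading `url` from a
    page served at `page_origin` (e.g. 'https://www.example.com')."""
    expr_l = expr.lower()
    target, origin = urlparse(url), urlparse(page_origin)
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":                 # same scheme and host[:port] as the page
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if expr_l.startswith("'"):             # 'unsafe-inline', 'nonce-...', 'sha256-...'
        return False                       # these govern inline code, never fetched URLs
    if expr_l == "*":                      # simplification: spec also covers ws:/wss:
        return target.scheme in ("http", "https")
    if expr_l.endswith(":") and "://" not in expr_l:   # scheme-source: data:, https:
        return target.scheme == expr_l[:-1]
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme is None and target.scheme not in ("http", "https"):
        return False
    if scheme is not None and target.scheme != scheme.lower():
        return False
    if not _host_matches(host, target.hostname or ""):
        return False
    if port and port != "*":
        default = {"http": 80, "https": 443}.get(target.scheme)
        if (target.port or default) != int(port):
            return False
    if path:                               # path-part: prefix match for '/dir/', exact otherwise
        path = "/" + path
        if path.endswith("/"):
            return target.path.startswith(path)
        return target.path == path
    return True


def effective_sources(policy, directive):
    """Sources governing `directive`: its own list, else default-src for a
    fetch directive, else None meaning 'unrestricted'."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def is_allowed(policy, directive, url, page_origin):
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(source_allows(e, url, page_origin) for e in sources)


def weaknesses(policy):
    """Flag settings that leave script injection or plugin loading unrestricted."""
    findings = []
    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("script-src unrestricted: neither script-src nor default-src is set")
    else:
        low = [s.lower() for s in scripts]
        if "'unsafe-inline'" in low and not any(s.startswith(("'nonce-", "'sha")) for s in low):
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "*" in low or "https:" in low or "http:" in low:
            findings.append("script-src allows scripts from any host")
    if effective_sources(policy, "object-src") is None:
        findings.append("object-src unrestricted: add object-src 'none' or a default-src")
    return findings


# Constructed inputs: the header from the section above and the WordPress policy below.
PAGE_POLICY = ("default-src 'self'; script-src 'self' https://apis.example.com; "
               "style-src 'self' https://cdn.example.com;")
WP_POLICY = ("default-src 'self'; script-src 'self'; style-src 'self'; "
             "img-src 'self' data:; object-src 'none';")
ORIGIN = "https://www.example.com"   # assumed page origin, not from the original notes

if __name__ == "__main__":
    p = parse_csp(PAGE_POLICY)
    for directive, url in [("script-src", "https://apis.example.com/sdk.js"),
                           ("script-src", "https://other.example.net/x.js"),
                           ("img-src", "https://cdn.example.com/logo.png")]:
        verdict = "allowed" if is_allowed(p, directive, url, ORIGIN) else "blocked"
        print(directive, url, "->", verdict)
    print("weak settings:", weaknesses(parse_csp("script-src 'self' 'unsafe-inline'")))
```

The img-src case is the one worth noticing: the header above never mentions images, so img-src inherits default-src 'self', and an image from cdn.example.com is blocked even though scripts and stylesheets from that host are not. Running `weaknesses` over a policy that lists only script-src with 'unsafe-inline' also shows why the WordPress examples set object-src 'none': without it or a default-src, plugin content is unrestricted.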

Examples

Configure CSP for WordPress

Option 1: Modify Server Headers

  • Apache (using .htaccess)

<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none';"
</IfModule>

  • Nginx (nginx.conf)

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none';";

Option 2: Use a WordPress Plugin

CSP by WP2Static
