Endpoint: [REDACTED]
Date: 18 September 2024
Severity: High
Affected Components: User Login Page, Sensitive User Data
The login page of a particular endpoint does not have Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) implemented. These are two critical security headers that provide protection against a variety of attacks.
What is CSP?
Content Security Policy is a security standard introduced to prevent Cross-Site Scripting (XSS) and data injection attacks by defining which sources of content (scripts, images, styles, etc.) are allowed to be loaded by the browser.
Why is CSP Important?
Without a CSP, the page is vulnerable to Cross-Site Scripting (XSS) attacks. XSS vulnerabilities occur when attackers inject malicious scripts into a trusted website. These scripts can steal session cookies, hijack user accounts, or redirect users to malicious websites.
- An attacker finds an input field or vulnerability that allows them to inject malicious JavaScript into the login page.
- Once injected, the script could steal the user’s session cookies or even capture keystrokes, including usernames and passwords.
- Because no CSP is enforced, the browser will not block these malicious scripts, and the attack will succeed.
How Dangerous Is It?
- Account Hijacking: Malicious scripts can steal session cookies and tokens, allowing attackers to impersonate legitimate users and gain unauthorized access.
- Data Exfiltration: Sensitive information such as usernames, passwords, and personal data can be stolen by injecting malicious code that intercepts user input.
- Phishing: Attackers can inject code to trick users into submitting their credentials to a malicious site designed to look like the KTU login page.
What is HSTS?
HSTS is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks by enforcing the use of HTTPS for all communication between the browser and server. It also prevents attackers from downgrading the connection from HTTPS to HTTP.
Why is HSTS Important?
Without HSTS, attackers can perform SSL stripping attacks, where they force the user’s connection to downgrade from HTTPS to HTTP. This allows attackers to intercept unencrypted communications, making it easier to steal sensitive data such as login credentials.
- An attacker performs a man-in-the-middle (MITM) attack on the user’s connection, forcing the browser to load the login page over an unencrypted HTTP connection.
- Since no HSTS is implemented, the browser does not enforce HTTPS, allowing the attacker to intercept usernames and passwords during login.
- Even though the site itself supports HTTPS, a user who types the address without a scheme or follows a plain http:// link can be served an unencrypted HTTP version of the page without noticing, because nothing tells the browser to insist on HTTPS.
How Dangerous Is It?
- Credential Theft: Attackers can intercept usernames, passwords, and other sensitive information in plaintext, leading to account compromise.
- Man-in-the-Middle Attacks: Attackers can inject malicious content or modify the login page to capture credentials.
- User Impersonation: By capturing login credentials through SSL stripping, attackers can impersonate users and gain unauthorized access to sensitive information.
Define a strict CSP that only allows trusted sources for scripts, styles, images, and other content. For example:
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-scripts.example.com; style-src 'self' https://trusted-styles.example.com
Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
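As an added example (not code from this advisory or from the affected site), the following Python builds the hardened header set and audits a response's headers for the weaknesses described above: a missing or permissive CSP, and a missing or short-lived HSTS policy. The trusted-source origins are the advisory's own placeholders; the one-year max-age threshold, the Referrer-Policy and Permissions-Policy values, the constructed sample response and the function names are assumptions.

```python
"""Set and audit CSP / HSTS headers for a login page.

Added example for this advisory; not code from the affected site.
The trusted origins are the advisory's placeholders; the max-age
threshold, the extra header values and all names are assumptions.
"""
from __future__ import annotations

# Minimum HSTS max-age the audit accepts: one year in seconds (assumption).
MIN_HSTS_MAX_AGE = 31_536_000


def hardened_headers() -> dict[str, str]:
    """Headers a login page should send, using the advisory's example CSP sources."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; "
            "script-src 'self' https://trusted-scripts.example.com; "
            "style-src 'self' https://trusted-styles.example.com; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        ),
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Referrer-Policy": "strict-origin-when-cross-origin",      # assumed value
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",  # assumed value
    }


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}; browsers ignore repeated directives."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value: str) -> tuple[int | None, bool]:
    """Return (max-age, includeSubDomains present) from an HSTS header value."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the response passes."""
    findings: list[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is not set explicitly
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src: scripts from any origin allowed")
        else:
            has_nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
            )
            if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
                findings.append("CSP script-src allows 'unsafe-inline' without a nonce or hash")
            if "*" in script_src or any(s.lower() in ("http:", "https:", "data:") for s in script_src):
                findings.append("CSP script-src contains a scheme or wildcard source")
        if "object-src" not in policy and "default-src" not in policy:
            findings.append("CSP does not restrict object-src")

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE}: {max_age}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    return findings


# Constructed sample: a response like the affected login page's, with both
# security headers absent (not a real capture).
MISSING_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "placeholder"}

if __name__ == "__main__":
    for name, hdrs in (("missing", MISSING_HEADERS), ("hardened", hardened_headers())):
        print(name, audit_headers(hdrs) or ["ok"])
```

Run against the constructed sample the audit reports both headers missing; against `hardened_headers()` it reports nothing. Two caveats when applying the fix: HSTS only takes effect after the browser has seen the header on an HTTPS response, so the very first visit remains unprotected unless the domain is submitted to the browser preload list, and a CSP should be rolled out with `Content-Security-Policy-Report-Only` first so that legitimate inline scripts on the login page are found before enforcement breaks it.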